@@ -29,7 +29,7 @@ use crate::handlers::http::rbac::RBACError;
2929use crate :: parseable:: PARSEABLE ;
3030use crate :: query:: { TableScanVisitor , QUERY_SESSION } ;
3131use crate :: rbac:: map:: SessionKey ;
32- use crate :: rbac:: role:: { Action , Permission } ;
32+ use crate :: rbac:: role:: { Action , ParseableResourceType , Permission } ;
3333use crate :: rbac:: Users ;
3434use actix:: extract_session_key_from_req;
3535use actix_web:: HttpRequest ;
@@ -114,22 +114,31 @@ pub fn user_auth_for_datasets(
114114 authorized = true ;
115115 break ;
116116 }
117- Permission :: Resource (
118- Action :: Query ,
119- crate :: rbac:: role:: ParseableResourceType :: Stream ( stream) ,
120- ) => {
121- let is_internal = PARSEABLE
122- . get_stream ( & table_name)
123- . is_ok_and ( |stream|stream. get_stream_type ( ) . eq ( & crate :: storage:: StreamType :: Internal ) ) ;
124-
125- if stream == table_name
126- || stream == "*"
127- || is_internal
128- {
117+ Permission :: Resource ( Action :: Query , ParseableResourceType :: Stream ( stream) ) => {
118+ let is_internal = PARSEABLE . get_stream ( table_name) . is_ok_and ( |stream| {
119+ stream
120+ . get_stream_type ( )
121+ . eq ( & crate :: storage:: StreamType :: Internal )
122+ } ) ;
123+
124+ if stream == table_name || stream == "*" || is_internal {
129125 authorized = true ;
130126 }
131127 }
132- Permission :: Resource ( _, crate :: rbac:: role:: ParseableResourceType :: All ) => {
128+ Permission :: Resource ( action, ParseableResourceType :: All )
129+ if ![
130+ Action :: All ,
131+ Action :: PutUser ,
132+ Action :: PutRole ,
133+ Action :: DeleteUser ,
134+ Action :: DeleteRole ,
135+ Action :: ModifyUserGroup ,
136+ Action :: CreateUserGroup ,
137+ Action :: DeleteUserGroup ,
138+ Action :: DeleteNode ,
139+ ]
140+ . contains ( action) =>
141+ {
133142 authorized = true ;
134143 }
135144 _ => ( ) ,
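Review bot: The guard on the `Permission::Resource(action, ParseableResourceType::All)` arm (new lines 128-141) is a denylist, so every `Action` not named in the array, including any variant added to the enum later, still sets `authorized = true` for the dataset being queried. An authorization check should fail closed: if only query-capable actions are meant to grant read access here, name them explicitly, for example `Permission::Resource(Action::Query, ParseableResourceType::All) => {`, or use a `matches!` guard over an allow-list. If the denylist is kept, hoist it into one named constant with a comment explaining why these actions are excluded, so it cannot drift from other RBAC checks and is not rebuilt on every loop iteration. In the `Stream` arm of the same hunk, `|| is_internal` means a `Query` permission on any single stream authorises every internal stream as written; a comment such as `// internal streams are readable by any user holding a Query permission` would confirm that this is intended. `user_auth_for_datasets` starts and ends outside the hunk, so the earlier arms and the final use of `authorized` are not visible here.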