fix: common user can only access public app

Signed-off-by: Abirdcfly <[email protected]>
kubeagi · Apr 9, 2024 · c4a4e3b · c4a4e3b
1 parent 8e2af87
commit c4a4e3b
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 9 deletions.
diff --git a/apiserver/pkg/chat/chat_docs.go b/apiserver/pkg/chat/chat_docs.go
@@ -210,7 +210,7 @@ func (cs *ChatServer) BuildConversationKnowledgeBase(ctx context.Context, req Co
 		return err
 	}
 	// create or update the conversation knowledgebase
-	_, err = controllerutil.CreateOrUpdate(ctx, cs.cli, kb, func() error {
+	_, err = controllerutil.CreateOrUpdate(ctx, cs.systemCli, kb, func() error {
 		if err := controllerutil.SetControllerReference(app, kb, pkgclient.Scheme); err != nil {
 			return err
 		}

diff --git a/apiserver/pkg/chat/chat_server.go b/apiserver/pkg/chat/chat_server.go
@@ -54,16 +54,16 @@ import (
 )
 
 type ChatServer struct {
-	cli     runtimeclient.Client
-	storage storage.Storage
-	once    sync.Once
-	isGpts  bool
+	systemCli runtimeclient.Client
+	storage   storage.Storage
+	once      sync.Once
+	isGpts    bool
 }
 
 func NewChatServer(cli runtimeclient.Client, isGpts bool) *ChatServer {
 	return &ChatServer{
-		cli:    cli,
-		isGpts: isGpts,
+		systemCli: cli,
+		isGpts:    isGpts,
 	}
 }
 
@@ -81,7 +81,7 @@ func (cs *ChatServer) Storage() storage.Storage {
 				cs.storage = storage.NewMemoryStorage()
 				return
 			}
-			pg, err := datasource.GetPostgreSQLPool(ctx, cs.cli, ds)
+			pg, err := datasource.GetPostgreSQLPool(ctx, cs.systemCli, ds)
 			if err != nil {
 				klog.Errorf("get postgresql pool failed : %s", err.Error())
 				cs.storage = storage.NewMemoryStorage()
@@ -394,12 +394,15 @@ The question you asked is:`
 
 func (cs *ChatServer) GetApp(ctx context.Context, appName, appNamespace string) (*v1alpha1.Application, error) {
 	app := &v1alpha1.Application{}
-	if err := cs.cli.Get(ctx, types.NamespacedName{Namespace: appNamespace, Name: appName}, app); err != nil {
+	if err := cs.systemCli.Get(ctx, types.NamespacedName{Namespace: appNamespace, Name: appName}, app); err != nil {
 		return nil, fmt.Errorf("failed to get application: %w", err)
 	}
 	if !app.Status.IsReady() {
 		return nil, fmt.Errorf("application not ready: %s", app.Status.GetCondition(v1alpha1.TypeReady).Message)
 	}
+	if !cs.IsGPTUserHasPermissionForApp(ctx, app) {
+		return nil, fmt.Errorf("user don't have permission for app: %s", app.Name)
+	}
 	return app, nil
 }
 
@@ -446,3 +449,23 @@ func (cs *ChatServer) FillAppIconToConversations(ctx context.Context, conversati
 	}
 	return nil
 }
+
+func (cs *ChatServer) IsGPTUserHasPermissionForApp(ctx context.Context, app *v1alpha1.Application) (ok bool) {
+	if !cs.isGpts {
+		return true
+	}
+	// currentUser, _ := ctx.Value(auth.UserNameContextKey).(string)
+	if app.Spec.IsPublic {
+		return true
+	}
+	gptCofig, err := pkgconfig.GetGPTsConfig(ctx, cs.systemCli)
+	if err != nil {
+		klog.FromContext(ctx).Error(err, "failed to get gpt config")
+		return false
+	}
+	publicNs := gptCofig.PublicNamespace
+	if app.Namespace == publicNs {
+		return true
+	}
+	return false
+}