Add canI checks to editors

Check if the user can update or create resources in our editor pages
before trying to make the change. We remove the actions that take you to
these pages if you don't have authority, but someone could send you a
direct link or your authority might have changed since you loaded the
previous page.

Author: spadgett

app/scripts/controllers/addConfigVolume.js

@@ -15,6 +15,7 @@ angular.module('openshiftConsole')
                        $scope,
                        $window,
                        APIService,
+                       AuthorizationService,
                        BreadcrumbsService,
                        DataService,
                        Navigate,
@@ -95,6 +96,12 @@ angular.module('openshiftConsole')
       .then(_.spread(function(project, context) {
         $scope.project = project;
 
+        if (!AuthorizationService.canI(resourceGroupVersion, 'update', $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to update ' +
+                               humanizeKind($routeParams.kind) + ' ' + $routeParams.name + '.', 'access_denied');
+          return;
+        }
+
         var orderByDisplayName = $filter('orderByDisplayName');
         var getErrorDetails = $filter('getErrorDetails');
         var generateName = $filter('generateName');
@@ -125,17 +132,18 @@ angular.module('openshiftConsole')
         DataService.list("configmaps", context, null, { errorNotification: false }).then(function(configMapData) {
           $scope.configMaps = orderByDisplayName(configMapData.by("metadata.name"));
         }, function(e) {
-          if (e.status === 403) {
+          if (e.code === 403) {
             $scope.configMaps = [];
             return;
           }
 
           displayError('Could not load config maps', getErrorDetails(e));
         });
+
         DataService.list("secrets", context, null, { errorNotification: false }).then(function(secretData) {
           $scope.secrets = orderByDisplayName(secretData.by("metadata.name"));
         }, function(e) {
-          if (e.status === 403) {
+          if (e.code === 403) {
             $scope.secrets = [];
             return;
           }

app/scripts/controllers/attachPVC.js

@@ -8,16 +8,18 @@
  * Controller of the openshiftConsole
  */
 angular.module('openshiftConsole')
-  .controller('AttachPVCController', function($filter,
-                                              $routeParams,
-                                              $scope,
-                                              $window,
-                                              APIService,
-                                              BreadcrumbsService,
-                                              DataService,
-                                              Navigate,
-                                              ProjectsService,
-                                              StorageService) {
+  .controller('AttachPVCController',
+              function($filter,
+                       $routeParams,
+                       $scope,
+                       $window,
+                       APIService,
+                       AuthorizationService,
+                       BreadcrumbsService,
+                       DataService,
+                       Navigate,
+                       ProjectsService,
+                       StorageService) {
     if (!$routeParams.kind || !$routeParams.name) {
       Navigate.toErrorPage("Kind or name parameter missing.");
       return;
@@ -73,6 +75,12 @@ angular.module('openshiftConsole')
         // Update project breadcrumb with display name.
         $scope.breadcrumbs[0].title = $filter('displayName')(project);
 
+        if (!AuthorizationService.canI(resourceGroupVersion, 'update', $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to update ' +
+                               $filter('humanizeKind')($routeParams.kind) + ' ' + $routeParams.name + '.', 'access_denied');
+          return;
+        }
+
         var orderByDisplayName = $filter('orderByDisplayName');
         var getErrorDetails = $filter('getErrorDetails');
         var generateName = $filter('generateName');

app/scripts/controllers/createConfigMap.js

@@ -13,6 +13,7 @@ angular.module('openshiftConsole')
                         $routeParams,
                         $scope,
                         $window,
+                        AuthorizationService,
                         DataService,
                         Navigate,
                         ProjectsService) {
@@ -41,6 +42,11 @@ angular.module('openshiftConsole')
         // Update project breadcrumb with display name.
         $scope.breadcrumbs[0].title = $filter('displayName')(project);
 
+        if (!AuthorizationService.canI('configmaps', 'create', $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to create config maps in project ' + $routeParams.project + '.', 'access_denied');
+          return;
+        }
+
         $scope.configMap = {
           apiVersion: 'v1',
           kind: 'ConfigMap',

app/scripts/controllers/createPersistentVolumeClaim.js

@@ -8,7 +8,17 @@
  * Controller of the openshiftConsole
  */
 angular.module('openshiftConsole')
-  .controller('CreatePersistentVolumeClaimController', function ($filter, $routeParams, $scope, $window, ApplicationGenerator, DataService, Navigate, ProjectsService,keyValueEditorUtils) {
+  .controller('CreatePersistentVolumeClaimController',
+              function($filter,
+                       $routeParams,
+                       $scope,
+                       $window,
+                       ApplicationGenerator,
+                       AuthorizationService,
+                       DataService,
+                       Navigate,
+                       ProjectsService,
+                       keyValueEditorUtils) {
     $scope.alerts = {};
     $scope.projectName = $routeParams.project;
     $scope.accessModes="ReadWriteOnce";
@@ -35,6 +45,11 @@ angular.module('openshiftConsole')
         // Update project breadcrumb with display name.
         $scope.breadcrumbs[0].title = $filter('displayName')(project);
 
+        if (!AuthorizationService.canI('persistentvolumeclaims', 'create', $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to create persistent volume claims in project ' + $routeParams.project + '.', 'access_denied');
+          return;
+        }
+
         $scope.createPersistentVolumeClaim = function() {
           if ($scope.createPersistentVolumeClaimForm.$valid) {
             $scope.disableInputs = true;

app/scripts/controllers/createRoute.js

@@ -8,7 +8,16 @@
  * Controller of the openshiftConsole
  */
 angular.module('openshiftConsole')
-  .controller('CreateRouteController', function ($filter, $routeParams, $scope, $window, ApplicationGenerator, DataService, Navigate, ProjectsService) {
+  .controller('CreateRouteController',
+              function($filter,
+                       $routeParams,
+                       $scope,
+                       $window,
+                       ApplicationGenerator,
+                       AuthorizationService,
+                       DataService,
+                       Navigate,
+                       ProjectsService) {
     $scope.alerts = {};
     $scope.renderOptions = {
       hideFilterWidget: true
@@ -42,6 +51,11 @@ angular.module('openshiftConsole')
         // Update project breadcrumb with display name.
         $scope.breadcrumbs[0].title = $filter('displayName')(project);
 
+        if (!AuthorizationService.canI('routes', 'create', $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to create routes in project ' + $routeParams.project + '.', 'access_denied');
+          return;
+        }
+
         var labels = {},
             orderByDisplayName = $filter('orderByDisplayName');
 

app/scripts/controllers/createSecret.js

@@ -8,7 +8,18 @@
  * Controller of the openshiftConsole
  */
 angular.module('openshiftConsole')
-  .controller('CreateSecretController', function ($filter, $location, $routeParams, $scope, $window, AlertMessageService, ApplicationGenerator, DataService, Navigate, ProjectsService) {
+  .controller('CreateSecretController',
+              function($filter,
+                       $location,
+                       $routeParams,
+                       $scope,
+                       $window,
+                       AlertMessageService,
+                       ApplicationGenerator,
+                       AuthorizationService,
+                       DataService,
+                       Navigate,
+                       ProjectsService) {
     $scope.alerts = {};
     $scope.projectName = $routeParams.project;
 
@@ -42,6 +53,11 @@ angular.module('openshiftConsole')
         $scope.context = context;
         $scope.breadcrumbs[0].title = $filter('displayName')(project);
 
+        if (!AuthorizationService.canI('secrets', 'create', $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to create secrets in project ' + $routeParams.project + '.', 'access_denied');
+          return;
+        }
+
         $scope.postCreateAction = function(newSecret, creationAlerts) {
           _.each(creationAlerts, function(alert) {
             AlertMessageService.addAlert(alert);

app/scripts/controllers/edit/autoscaler.js

@@ -14,6 +14,7 @@ angular.module('openshiftConsole')
                         $routeParams,
                         $window,
                         APIService,
+                        AuthorizationService,
                         BreadcrumbsService,
                         DataService,
                         HPAService,
@@ -79,6 +80,12 @@ angular.module('openshiftConsole')
         // Update project breadcrumb with display name.
         $scope.project = project;
 
+        var verb = $routeParams.kind === 'HorizontalPodAutoscaler' ? 'update' : 'create';
+        if (!AuthorizationService.canI({ resource: 'horizontalpodautoscalers', group: 'extensions' }, verb, $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to ' + verb + ' horizontal pod autoscalers in project ' + $routeParams.project + '.', 'access_denied');
+          return;
+        }
+
         var createHPA = function() {
           $scope.disableInputs = true;
           var hpa = {

app/scripts/controllers/edit/buildConfig.js

@@ -7,7 +7,20 @@
  * Controller of the openshiftConsole
  */
 angular.module('openshiftConsole')
-  .controller('EditBuildConfigController', function ($scope, $routeParams, DataService, SecretsService, ProjectsService, $filter, ApplicationGenerator, Navigate, $location, AlertMessageService, SOURCE_URL_PATTERN, keyValueEditorUtils) {
+  .controller('EditBuildConfigController',
+              function($scope,
+                       $filter,
+                       $location,
+                       $routeParams,
+                       AlertMessageService,
+                       ApplicationGenerator,
+                       AuthorizationService,
+                       DataService,
+                       Navigate,
+                       ProjectsService,
+                       SOURCE_URL_PATTERN,
+                       SecretsService,
+                       keyValueEditorUtils) {
 
     $scope.projectName = $routeParams.project;
     $scope.buildConfig = null;
@@ -120,6 +133,12 @@ angular.module('openshiftConsole')
         // Update project breadcrumb with display name.
         $scope.breadcrumbs[0].title = $filter('displayName')(project);
 
+        if (!AuthorizationService.canI('buildconfigs', 'update', $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to update build config ' +
+                               $routeParams.buildconfig + '.', 'access_denied');
+          return;
+        }
+
         DataService.get("buildconfigs", $routeParams.buildconfig, context).then(
           // success
           function(buildConfig) {

app/scripts/controllers/edit/deploymentConfig.js

@@ -7,7 +7,21 @@
  * Controller of the openshiftConsole
  */
 angular.module('openshiftConsole')
-  .controller('EditDeploymentConfigController', function ($scope, $routeParams, $uibModal, DataService, BreadcrumbsService, SecretsService, ProjectsService, $filter, Navigate, $location, AlertMessageService, SOURCE_URL_PATTERN, keyValueEditorUtils) {
+  .controller('EditDeploymentConfigController',
+              function($scope,
+                       $filter,
+                       $location,
+                       $routeParams,
+                       $uibModal,
+                       AlertMessageService,
+                       AuthorizationService,
+                       BreadcrumbsService,
+                       DataService,
+                       Navigate,
+                       ProjectsService,
+                       SecretsService,
+                       SOURCE_URL_PATTERN,
+                       keyValueEditorUtils) {
     $scope.projectName = $routeParams.project;
     $scope.deploymentConfig = null;
     $scope.alerts = {};
@@ -55,6 +69,13 @@ angular.module('openshiftConsole')
       .then(_.spread(function(project, context) {
         $scope.project = project;
         $scope.context = context;
+
+        if (!AuthorizationService.canI('deploymentconfigs', 'update', $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to update deployment config ' +
+                               $routeParams.deploymentconfig + '.', 'access_denied');
+          return;
+        }
+
         DataService.get("deploymentconfigs", $routeParams.deploymentconfig, context).then(
           // success
           function(deploymentConfig) {

app/scripts/controllers/edit/healthChecks.js

@@ -14,6 +14,7 @@ angular.module('openshiftConsole')
                         $routeParams,
                         $scope,
                         AlertMessageService,
+                        AuthorizationService,
                         BreadcrumbsService,
                         APIService,
                         DataService,
@@ -72,6 +73,12 @@ angular.module('openshiftConsole')
           resource: APIService.kindToResource($routeParams.kind),
           group: $routeParams.group
         };
+
+        if (!AuthorizationService.canI(resourceGroupVersion, 'update', $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to update ' + displayName + '.', 'access_denied');
+          return;
+        }
+
         DataService.get(resourceGroupVersion, $scope.name, context).then(
           function(result) {
             // Modify a copy of the resource.

app/scripts/controllers/edit/route.js

@@ -8,15 +8,17 @@
  * Controller of the openshiftConsole
  */
 angular.module('openshiftConsole')
-  .controller('EditRouteController', function ($filter,
-                                               $location,
-                                               $routeParams,
-                                               $scope,
-                                               AlertMessageService,
-                                               DataService,
-                                               Navigate,
-                                               ProjectsService,
-                                               RoutesService) {
+  .controller('EditRouteController',
+              function($filter,
+                       $location,
+                       $routeParams,
+                       $scope,
+                       AlertMessageService,
+                       AuthorizationService,
+                       DataService,
+                       Navigate,
+                       ProjectsService,
+                       RoutesService) {
     $scope.alerts = {};
     $scope.renderOptions = {
       hideFilterWidget: true
@@ -46,6 +48,11 @@ angular.module('openshiftConsole')
         // Update project breadcrumb with display name.
         $scope.breadcrumbs[0].title = $filter('displayName')(project);
 
+        if (!AuthorizationService.canI('routes', 'update', $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to update route ' + $routeParams.routeName + '.', 'access_denied');
+          return;
+        }
+
         var orderByDisplayName = $filter('orderByDisplayName');
 
         var route;

app/scripts/controllers/edit/yaml.js

@@ -15,6 +15,7 @@ angular.module('openshiftConsole')
                                               $window,
                                               AlertMessageService,
                                               APIService,
+                                              AuthorizationService,
                                               BreadcrumbsService,
                                               DataService,
                                               Navigate,
@@ -70,6 +71,12 @@ angular.module('openshiftConsole')
           group: $routeParams.group
         };
 
+        if (!AuthorizationService.canI(resourceGroupVersion, 'update', $routeParams.project)) {
+          Navigate.toErrorPage('You do not have authority to update ' +
+                               humanizeKind($routeParams.kind) + ' ' + $routeParams.name + '.', 'access_denied');
+          return;
+        }
+
         DataService.get(resourceGroupVersion, $scope.name, context).then(
           function(result) {
             // Modify a copy of the resource.