what can user do

Author: jhadvig

app/index.html

@@ -147,6 +147,7 @@ <h1>JavaScript Required</h1>
         <script src="scripts/services/userstore.js"></script>
         <script src="scripts/services/api.js"></script>
         <script src="scripts/services/auth.js"></script>
+        <script src="scripts/services/authorization.js"></script>
         <script src="scripts/services/data.js"></script>
         <script src="scripts/services/discovery.js"></script>
         <script src="scripts/services/projects.js"></script>

app/scripts/controllers/deployment.js

@@ -39,6 +39,7 @@ angular.module('openshiftConsole')
       }
     ];
 
+    $scope.isDeploymentConfig = ($routeParams.deploymentconfig) ? true : false;
     // if this is an RC it won't have deploymentconfig
     if ($routeParams.deploymentconfig){
       $scope.breadcrumbs.push({

app/scripts/controllers/otherResources.js

@@ -70,6 +70,7 @@ angular.module('openshiftConsole')
       if (!selected) {
         return;
       }
+      $scope.selectedResource = APIService.kindToResource(selected.kind);
       // TODO - We can't watch because some of these resources do not support it (roles and rolebindings)
       DataService.list({
           group: selected.group,

app/scripts/directives/replicas.js

@@ -8,7 +8,8 @@ angular.module('openshiftConsole')
         status: "=?",
         spec: "=",
         disableScaling: "=?",
-        scaleFn: "&?"
+        scaleFn: "&?",
+        isDc: "=?"
       },
       templateUrl: 'views/directives/replicas.html',
       link: function(scope) {

app/scripts/filters/resources.js

@@ -125,6 +125,57 @@ angular.module('openshiftConsole')
       return displayName;
     };
   })
+  .filter('canI', function(AuthorizationService) {
+    return function(resource, verb) {
+      return AuthorizationService.canI(resource, verb);
+    };
+  })
+  .filter('canIDoAny', function(canIFilter) {
+    var resourceRulesMap = {
+      "buildConfig": {"buildconfigs": ["delete", "update"], "buildconfigs/instantiate": ["create"]},
+      "build": {"builds/clone": ["create"], "builds": ["create", "update"]},
+      "deploymentConfig": {"horizontalpodautoscalers": ["create", "update"], "deploymentconfigs": ["create", "update"]},
+      "deployment": {"replicationcontrollers": ["update", "delete"]},
+      "imageStream": {"imagestreams": ["update", "delete"]},
+      "persistentVolumeClaim": {"persistentvolumeclaims": ["update", "delete"]},
+      "pod": {"pods": ["update", "delete"], "deploymentconfigs": ["update"]},
+      "replicationController": {"horizontalpodautoscalers": ["create", "update"], "replicationcontrollers": ["create", "update"]},
+      "route": {"routes": ["update", "delete"]},
+      "service": {"services": ["update", "create", "delete"]},
+      "project": {'projects': ['delete', 'update']},
+      "configmaps": {"configmaps": ['delete', 'update']},
+      "endpoints": {"endpoints": ['delete', 'update']},
+      "horizontalpodautoscalers": {"horizontalpodautoscalers": ['delete', 'update']},
+      "jobs": {"jobs": ['delete', 'update']}
+    }
+    return function(resource) {
+      var canIDoAny = false;
+      _.each(resourceRulesMap[resource], function(verbs, resource) {
+        _.each(verbs, function(verb) {
+          canIDoAny = canIFilter(resource,verb);
+        });
+      });
+      return canIDoAny;
+    };
+  })
+  .filter('canIScale', function(canIFilter) {
+    return function(deploymentConfig) {
+      var canIScale = false;
+      if (deploymentConfig) {
+        canIScale = canIFilter("deploymentconfigs/scale", "update");
+      } else {
+        canIScale = canIFilter("replicationcontrollers", "update");
+      }
+      return canIScale;
+    };
+  })
+  // .filter('canInamespaced', function(AuthorizationService) {
+  //   var canI = false;
+
+  //   return function(resource, verb, namespace) {
+  //     return AuthorizationService.canINamespaced(resource, verb, namespace);
+  //   };
+  // })
   .filter('tags', function(annotationFilter) {
     return function(resource, /* optional */ annotationKey) {
       annotationKey = annotationKey || "tags";

app/scripts/services/authorization.js

@@ -0,0 +1,94 @@
+'use strict';
+
+angular.module("openshiftConsole")
+  .factory("AuthorizationService", function($q, Logger, $interval, DataService, APIService){
+    function AuthorizationService() {
+      this.rules = null;
+      this.intervalTimer = null;
+      this.forceReload = false;
+      this.canICreateSomeResource = false;
+      this.projectNameRules = null;
+    }
+
+    var normalizeRules = function(rules) {
+      var normalizedRules = {};
+      _.each(rules, function(rule) {
+        _.each(rule.resources, function(resource) {
+          normalizedRules[resource] = rule.verbs;
+        });
+      });
+      return normalizedRules;
+    };
+
+    AuthorizationService.prototype.getProjectRules = function(projectName) {
+      var self = this;
+      if (!self.rules || projectName !== self.projectNameRules) {
+        // Making an API call to get the rules if:
+        // - no rules are cached
+        // - when need to force update the rules
+        // - when switching between projects
+        Logger.log("AuthorizationService, loading user rules");
+        console.log("AuthorizationService, loading user rules");
+        if (self.forceReload) {
+          self.setForceReload(false);
+        }
+        if (!self.intervalTimer) {
+          // Force rules reload every 3 minutes
+          self.intervalTimer = $interval(function () {
+            self.setForceReload(true);
+          }, 180000);
+        }
+        self.projectNameRules = projectName;
+        var object = {kind: "SelfSubjectRulesReview",
+                      apiVersion: "v1"
+                    };
+        DataService.create('selfsubjectrulesreviews', null, object, {namespace: projectName}).then(
+          function(data) {
+            self.rules = normalizeRules(data.status.rules);
+          }, function(data) {
+            self.rules = null;
+        });
+      } else {
+        // Using cached data.
+        Logger.log("AuthorizationService, using cached rules");
+        self.rules = self.getRules();
+      }
+    };
+
+    // Method to determine if user can perform specified action on a resource.
+    // If resource is not specified, all resources will be checked if the action
+    // can be performed.
+    AuthorizationService.prototype.canI = function(resource, verb) {
+      var rules = this.getRules();
+      if (rules) {
+        if (resource) {
+          if (_.contains(rules[resource], verb)) {
+            return true;
+          } else {
+            return false;
+          }
+        } else {
+          var canIDoAction = false
+          _.each(rules, function(verbs) {
+            if (_.contains(verbs, verb)) {
+              canIDoAction = true;
+              return false;
+            }
+          });
+          return canIDoAction;
+        }
+      } else {
+        return false;
+      }
+    };
+
+    AuthorizationService.prototype.setForceReload = function(bool) {
+      this.forceReload = bool;
+    };
+
+    AuthorizationService.prototype.getRules = function() {
+      return this.rules;
+    };
+
+    return new AuthorizationService();
+  });

app/scripts/services/projects.js

@@ -2,7 +2,7 @@
 
 angular.module('openshiftConsole')
   .factory('ProjectsService',
-    function($location, $q, $routeParams, AuthService, DataService, annotationNameFilter) {
+    function($location, $q, $routeParams, AuthService, DataService, annotationNameFilter, AuthorizationService) {
 
 
       var cleanEditableAnnotations = function(resource) {
@@ -23,6 +23,7 @@ angular.module('openshiftConsole')
           return  AuthService
                     .withUser()
                     .then(function() {
+                      AuthorizationService.getProjectRules(projectName);
                       var context = {
                         // TODO: swap $.Deferred() for $q.defer()
                         projectPromise: $.Deferred(),
@@ -34,6 +35,7 @@ angular.module('openshiftConsole')
                               .then(function(project) {
                                 context.project = project;
                                 context.projectPromise.resolve(project);
+                                
                                 // TODO: fix need to return context & projectPromise
                                 return [project, context];
                               }, function(e) {

app/views/browse/_deployment-details.html

@@ -16,7 +16,7 @@
         <status-icon status="deployment | deploymentStatus"></status-icon>
         {{deployment | deploymentStatus}}
         <span style="margin-left: 7px;">
-          <button ng-show="!rollBackCollapsed && (deployment | deploymentStatus) == 'Complete' && !(deployment | deploymentIsLatest : deploymentConfig) && !deployment.metadata.deletionTimestamp" ng-disabled="(deploymentConfigDeploymentsInProgress[deploymentConfigName] | hashSize) > 0" type="button" class="btn btn-default btn-xs" ng-click="rollBackCollapsed = !rollBackCollapsed">Roll Back</button>
+          <button ng-if="'deploymentconfigrollbacks' | canI : 'create'" ng-show="!rollBackCollapsed && (deployment | deploymentStatus) == 'Complete' && !(deployment | deploymentIsLatest : deploymentConfig) && !deployment.metadata.deletionTimestamp" ng-disabled="(deploymentConfigDeploymentsInProgress[deploymentConfigName] | hashSize) > 0" type="button" class="btn btn-default btn-xs" ng-click="rollBackCollapsed = !rollBackCollapsed">Roll Back</button>
           <div ng-show="rollBackCollapsed" class="well well-sm">
             Use the following settings from {{deployment.metadata.name}} when rolling back:
             <div class="checkbox">
@@ -39,7 +39,7 @@
           <!-- disabled until we have an api endpoint for retry
           <button ng-show="(deployment | deploymentStatus) == 'Failed'" type="button" ng-click="retryFailedDeployment(deployment)" ng-disabled="(deploymentConfigDeploymentsInProgress[deploymentConfigName] | hashSize) > 0" class="btn btn-default btn-xs" ng-if="(deployment | deploymentIsLatest : deploymentConfig) && !deployment.metadata.deletionTimestamp">Retry</button>
           -->
-          <button ng-show="(deployment | deploymentIsInProgress) && !deployment.metadata.deletionTimestamp" type="button" ng-click="cancelRunningDeployment(deployment)" class="btn btn-default btn-xs">Cancel</button>
+          <button ng-if="'replicationcontrollers' | canI : 'update'" ng-show="(deployment | deploymentIsInProgress) && !deployment.metadata.deletionTimestamp" type="button" ng-click="cancelRunningDeployment(deployment)" class="btn btn-default btn-xs">Cancel</button>
         </span>
       </dd>
       <dt ng-if-start="deployment | isDeployment">Deployment config:</dt>
@@ -86,11 +86,12 @@ <h3>Template</h3>
         images-by-docker-reference="imagesByDockerReference"
         builds="builds"
         detailed="true"
-        add-health-check-url="{{(!deploymentConfig || isActive) ? healthCheckURL : ''}}">
+        add-health-check-url="{{((!deploymentConfig || isActive) && ('deploymentconfigs' | canI : 'update')) ? healthCheckURL : ''}}">
       </pod-template>
       <h4>Volumes</h4>
       <p ng-if="!deployment.spec.template.spec.volumes.length">
-        <a ng-href="project/{{project.metadata.name}}/attach-pvc?deployment={{deployment.metadata.name}}">Attach storage</a>
+        <a ng-if="'replicationcontrollers' | canI : 'update'" ng-href="project/{{project.metadata.name}}/attach-pvc?deployment={{deployment.metadata.name}}">Attach storage</a>
+        <i ng-if="!('replicationcontrollers' | canI : 'update')">none</i>
       </p>
       <volumes volumes="deployment.spec.template.spec.volumes" namespace="project.metadata.name"></volumes>
     </div>

app/views/browse/_pod-details.html

@@ -62,7 +62,7 @@ <h4>Container {{containerStatus.name}}</h4>
           <dd>{{containerStatus.ready}}</dd>
           <dt>Restart Count:</dt>
           <dd>{{containerStatus.restartCount}}</dd>
-          <div ng-if="(!containerStatus.state.running || !containerStatus.ready) && !(pod | debugLabel)" class="debug-pod-action">
+          <div ng-if="(!containerStatus.state.running || !containerStatus.ready) && !(pod | debugLabel) && ('pods' | canI : 'create')" class="debug-pod-action">
             <a href="" ng-click="debugTerminal(containerStatus.name)" role="button">Debug in terminal</a>
           </div>
         </dl>

app/views/browse/build-config.html

@@ -16,10 +16,11 @@ <h1>
                     data-toggle="tooltip"
                     data-original-title="Building from build configuration {{buildConfig.metadata.name}} has been paused.">
               </span>
-              <div class="pull-right dropdown" ng-if="buildConfig">
+              <div class="pull-right dropdown" ng-if="buildConfig" ng-hide="!('buildConfig' | canIDoAny)">
                 <!-- Primary Actions -->
                 <button
                     class="btn btn-default hidden-xs"
+                    ng-if="'buildconfigs/instantiate' | canI : 'create'"
                     ng-click="startBuild()">
                   Start Build
                 </button>
@@ -33,22 +34,22 @@ <h1>
                    class="dropdown-toggle actions-dropdown-kebab visible-xs-inline"
                    data-toggle="dropdown"><i class="fa fa-ellipsis-v"></i><span class="sr-only">Actions</span></a>
                 <ul class="dropdown-menu actions action-button">
-                  <li class="visible-xs-inline">
+                  <li class="visible-xs-inline" ng-if="'buildconfigs/instantiate' | canI : 'create'">
                     <a href=""
                       role="button"
                       ng-click="startBuild()">Start Build</a>
                   </li>
-                  <li>
+                  <li ng-if="'buildconfigs' | canI : 'update'">
                     <a ng-href="{{buildConfig | editResourceURL}}" role="button">Edit</a>
                   </li>
-                  <li>
+                  <li ng-if="'buildconfigs' | canI : 'update'">
                     <edit-link
                       resource="buildConfig"
                       kind="BuildConfig"
                       alerts="alerts">
                     </edit-link>
                   </li>
-                  <li>
+                  <li ng-if="'buildconfigs' | canI : 'delete'">
                     <delete-link
                       kind="BuildConfig"
                       resource-name="{{buildConfig.metadata.name}}"

app/views/browse/build.html

@@ -20,14 +20,14 @@ <h1>
                       data-original-title="Building from build configuration {{buildConfig.metadata.name}} has been paused.">
                 </span>
                 <small class="meta">created <relative-timestamp timestamp="build.metadata.creationTimestamp"></relative-timestamp></small>
-                <div class="pull-right dropdown">
+                <div class="pull-right dropdown" ng-hide="!('build' | canIDoAny)">
                   <!-- Primary Actions -->
                   <button class="btn btn-default hidden-xs"
                           ng-click="cancelBuild()"
-                          ng-if="!build.metadata.deletionTimestamp && (build | isIncompleteBuild)">Cancel Build</button>
+                          ng-if="!build.metadata.deletionTimestamp && (build | isIncompleteBuild) && ('builds/clone' | canI : 'create')">Cancel Build</button>
                   <button class="btn btn-default hidden-xs"
                           ng-click="cloneBuild()"
-                          ng-hide="build.metadata.deletionTimestamp || (build | isIncompleteBuild)"
+                          ng-hide="build.metadata.deletionTimestamp || (build | isIncompleteBuild) || !('builds/clone' | canI : 'create')"
                           ng-disabled="!canBuild">Rebuild</button>
 
                   <!-- Secondary Actions -->
@@ -39,29 +39,29 @@ <h1>
                      class="dropdown-toggle actions-dropdown-kebab visible-xs-inline"
                      data-toggle="dropdown"><i class="fa fa-ellipsis-v"></i><span class="sr-only">Actions</span></a>
                   <ul class="dropdown-menu actions action-button">
-                    <li ng-if="!build.metadata.deletionTimestamp && (build | isIncompleteBuild)"
+                    <li ng-if="!build.metadata.deletionTimestamp && (build | isIncompleteBuild) && ('builds/clone' | canI : 'create')"
                         class="visible-xs-inline">
                       <a href=""
                          role="button"
                          ng-click="cancelBuild()">Cancel Build</a>
                     </li>
                     <li class="visible-xs-inline"
                         ng-class="{ disabled: !canBuild }"
-                        ng-hide="build.metadata.deletionTimestamp || (build | isIncompleteBuild)">
+                        ng-hide="build.metadata.deletionTimestamp || (build | isIncompleteBuild) || !('builds/clone' | canI : 'create')">
                       <a href=""
                          role="button"
                          ng-click="cloneBuild()"
                          ng-attr-aria-disabled="{{canBuild ? undefined : 'true'}}"
                          ng-class="{ 'disabled-link': !canBuild }">Rebuild</a>
                     </li>
-                    <li>
+                    <li ng-if="('builds' | canI : 'update')">
                       <edit-link
                         resource="build"
                         kind="Build"
                         alerts="alerts">
                       </edit-link>
                     </li>
-                    <li>
+                    <li ng-if="('builds' | canI : 'delete')">
                       <delete-link
                         kind="Build"
                         resource-name="{{build.metadata.name}}"
@@ -95,7 +95,7 @@ <h1>
                       <em ng-if="!(build | buildStrategy).env">The build strategy had no environment variables defined.</em>
                     </uib-tab>
 
-                    <uib-tab active="selectedTab.logs" ng-if="!(build | isJenkinsPipelineStrategy)">
+                    <uib-tab active="selectedTab.logs" ng-if="!(build | isJenkinsPipelineStrategy) && ('builds/log' | canI : 'get')">
                       <uib-tab-heading>Logs</uib-tab-heading>
                       <log-viewer
                         ng-if="selectedTab.logs"
@@ -121,7 +121,7 @@ <h1>
 
                       </log-viewer>
                     </uib-tab>
-                    <uib-tab active="selectedTab.events">
+                    <uib-tab active="selectedTab.events" ng-if="('events' | canI : 'watch')">
                       <uib-tab-heading>Events</uib-tab-heading>
                       <events resource-kind="Pod" resource-name="{{build | annotation : 'buildPod'}}" project-context="projectContext" ng-if="selectedTab.events"></events>
                     </uib-tab>