fix issue 19928

it needs to consider the user who is in any group that has been granted with the project admin role.

Signed-off-by: wang yan <wangyan@vmware.com>

src/controller/member/controller.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 
 	"github.com/goharbor/harbor/src/common"
+	commonmodels "github.com/goharbor/harbor/src/common/models"
 	"github.com/goharbor/harbor/src/core/auth"
 	"github.com/goharbor/harbor/src/lib/errors"
 	"github.com/goharbor/harbor/src/lib/q"
@@ -45,7 +46,7 @@ type Controller interface {
 	// Count get the total amount of project members
 	Count(ctx context.Context, projectNameOrID interface{}, query *q.Query) (int, error)
 	// IsProjectAdmin judges if the user is a project admin of any project
-	IsProjectAdmin(ctx context.Context, memberID int) (bool, error)
+	IsProjectAdmin(ctx context.Context, member commonmodels.User) (bool, error)
 }
 
 // Request - Project Member Request
@@ -261,8 +262,8 @@ func (c *controller) Delete(ctx context.Context, projectNameOrID interface{}, me
 	return c.mgr.Delete(ctx, p.ProjectID, memberID)
 }
 
-func (c *controller) IsProjectAdmin(ctx context.Context, memberID int) (bool, error) {
-	members, err := c.projectMgr.ListAdminRolesOfUser(ctx, memberID)
+func (c *controller) IsProjectAdmin(ctx context.Context, member commonmodels.User) (bool, error) {
+	members, err := c.projectMgr.ListAdminRolesOfUser(ctx, member)
 	if err != nil {
 		return false, err
 	}

src/controller/member/controller_test.go

@@ -98,7 +98,7 @@ func (suite *MemberControllerTestSuite) TestAddProjectMemberWithUserGroup() {
 
 func (suite *MemberControllerTestSuite) TestIsProjectAdmin() {
 	mock.OnAnything(suite.projectMgr, "ListAdminRolesOfUser").Return([]models.Member{models.Member{ID: 2, ProjectID: 2}}, nil)
-	ok, err := suite.controller.IsProjectAdmin(context.Background(), 2)
+	ok, err := suite.controller.IsProjectAdmin(context.Background(), comModels.User{UserID: 1})
 	suite.NoError(err)
 	suite.True(ok)
 }

src/pkg/cached/project/redis/manager.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"time"
 
+	commonmodels "github.com/goharbor/harbor/src/common/models"
 	"github.com/goharbor/harbor/src/common/utils"
 	"github.com/goharbor/harbor/src/lib/config"
 	"github.com/goharbor/harbor/src/lib/log"
@@ -75,8 +76,8 @@ func (m *Manager) ListRoles(ctx context.Context, projectID int64, userID int, gr
 	return m.delegator.ListRoles(ctx, projectID, userID, groupIDs...)
 }
 
-func (m *Manager) ListAdminRolesOfUser(ctx context.Context, userID int) ([]models.Member, error) {
-	return m.delegator.ListAdminRolesOfUser(ctx, userID)
+func (m *Manager) ListAdminRolesOfUser(ctx context.Context, user commonmodels.User) ([]models.Member, error) {
+	return m.delegator.ListAdminRolesOfUser(ctx, user)
 }
 
 func (m *Manager) Delete(ctx context.Context, id int64) error {

src/pkg/project/dao/dao.go

@@ -20,6 +20,7 @@ import (
 	"time"
 
 	"github.com/goharbor/harbor/src/common"
+	commonmodels "github.com/goharbor/harbor/src/common/models"
 	"github.com/goharbor/harbor/src/lib"
 	"github.com/goharbor/harbor/src/lib/orm"
 	"github.com/goharbor/harbor/src/lib/q"
@@ -43,7 +44,7 @@ type DAO interface {
 	// ListRoles the roles of user for the specific project
 	ListRoles(ctx context.Context, projectID int64, userID int, groupIDs ...int) ([]int, error)
 	// ListAdminRolesOfUser returns the roles of user for the all projects
-	ListAdminRolesOfUser(ctx context.Context, userID int) ([]models.Member, error)
+	ListAdminRolesOfUser(ctx context.Context, user commonmodels.User) ([]models.Member, error)
 }
 
 // New returns an instance of the default DAO
@@ -202,19 +203,39 @@ func (d *dao) ListRoles(ctx context.Context, projectID int64, userID int, groupI
 	return roles, nil
 }
 
-func (d *dao) ListAdminRolesOfUser(ctx context.Context, userID int) ([]models.Member, error) {
+func (d *dao) ListAdminRolesOfUser(ctx context.Context, user commonmodels.User) ([]models.Member, error) {
 	o, err := orm.FromContext(ctx)
 	if err != nil {
 		return nil, err
 	}
 
-	sql := `select b.* from project as a left join project_member as b on a.project_id = b.project_id where a.deleted = 'f' and b.entity_id = ? and b.entity_type = 'u' and b.role = 1;`
-
-	var members []models.Member
-	_, err = o.Raw(sql, userID).QueryRows(&members)
+	var membersU []models.Member
+	sqlU := `select b.* from project as a left join project_member as b on a.project_id = b.project_id where a.deleted = 'f' and b.entity_id = ? and b.entity_type = 'u' and b.role = 1;`
+	_, err = o.Raw(sqlU, user.UserID).QueryRows(&membersU)
 	if err != nil {
 		return nil, err
 	}
 
+	var membersG []models.Member
+	if len(user.GroupIDs) > 0 {
+		var params []interface{}
+		params = append(params, user.GroupIDs)
+		sqlG := fmt.Sprintf(`select b.* from project as a 
+    		left join project_member as b on a.project_id = b.project_id 
+           	where a.deleted = 'f' and b.entity_id in ( %s ) and b.entity_type = 'g' and b.role = 1;`, orm.ParamPlaceholderForIn(len(user.GroupIDs)))
+		_, err = o.Raw(sqlG, params).QueryRows(&membersG)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var members []models.Member
+	if len(membersU) > 0 {
+		members = append(members, membersU...)
+	}
+	if len(membersG) > 0 {
+		members = append(members, membersG...)
+	}
+
 	return members, nil
 }

src/pkg/project/manager.go

@@ -19,6 +19,7 @@ import (
 	"regexp"
 	"strings"
 
+	commonmodels "github.com/goharbor/harbor/src/common/models"
 	"github.com/goharbor/harbor/src/common/utils"
 	"github.com/goharbor/harbor/src/lib/errors"
 	"github.com/goharbor/harbor/src/lib/q"
@@ -47,7 +48,7 @@ type Manager interface {
 	ListRoles(ctx context.Context, projectID int64, userID int, groupIDs ...int) ([]int, error)
 
 	// ListAdminRolesOfUser returns the roles of user for the all projects
-	ListAdminRolesOfUser(ctx context.Context, userID int) ([]models.Member, error)
+	ListAdminRolesOfUser(ctx context.Context, user commonmodels.User) ([]models.Member, error)
 }
 
 // New returns a default implementation of Manager
@@ -124,6 +125,6 @@ func (m *manager) ListRoles(ctx context.Context, projectID int64, userID int, gr
 }
 
 // ListAdminRolesOfUser returns the roles of user for the all projects
-func (m *manager) ListAdminRolesOfUser(ctx context.Context, userID int) ([]models.Member, error) {
-	return m.dao.ListAdminRolesOfUser(ctx, userID)
+func (m *manager) ListAdminRolesOfUser(ctx context.Context, user commonmodels.User) ([]models.Member, error) {
+	return m.dao.ListAdminRolesOfUser(ctx, user)
 }

src/server/v2.0/handler/permissions.go

@@ -61,7 +61,7 @@ func (p *permissionsAPI) GetPermissions(ctx context.Context, _ permissions.GetPe
 		if err != nil {
 			return p.SendError(ctx, err)
 		}
-		is, err := p.mc.IsProjectAdmin(ctx, user.UserID)
+		is, err := p.mc.IsProjectAdmin(ctx, *user)
 		if err != nil {
 			return p.SendError(ctx, err)
 		}