diff --git a/internal/security/rbac.go b/internal/security/rbac.go index 845f297b..1c5b766f 100644 --- a/internal/security/rbac.go +++ b/internal/security/rbac.go @@ -31,6 +31,9 @@ var PermissionCatalog = map[string]string{ "vulnerability:read": "View vulnerabilities", "vulnerability:write": "Create and update vulnerabilities", "vulnerability:delete": "Delete vulnerabilities", + "asset:read": "View managed assets and asset summaries", + "asset:write": "Create, import, and update assets", + "asset:delete": "Delete managed assets", "webshell:read": "View WebShell connections", "webshell:write": "Manage and use WebShell connections", "webshell:delete": "Delete WebShell connections", diff --git a/internal/security/rbac_middleware.go b/internal/security/rbac_middleware.go index 6486476a..6ddd216a 100644 --- a/internal/security/rbac_middleware.go +++ b/internal/security/rbac_middleware.go @@ -151,6 +151,8 @@ func permissionForRequest(method, fullPath string) string { return crudPermission(method, "knowledge") case strings.HasPrefix(path, "/vulnerabilities"): return crudPermission(method, "vulnerability") + case strings.HasPrefix(path, "/assets"): + return crudPermission(method, "asset") case strings.HasPrefix(path, "/vulnerability-alerts"): // This endpoint only changes the authenticated user's own preference. return "vulnerability:read" @@ -232,6 +234,8 @@ func resourceAllowed(c *gin.Context, db *database.DB) bool { return db.UserCanAccessResource(session.UserID, session.Scope, "batch_task", c.Param("queueId")) case strings.HasPrefix(path, "/vulnerabilities/:id"): return db.UserCanAccessResource(session.UserID, session.Scope, "vulnerability", c.Param("id")) + case strings.HasPrefix(path, "/assets/:id"): + return db.UserCanAccessResource(session.UserID, session.Scope, "asset", c.Param("id")) case strings.HasPrefix(path, "/c2/listeners/:id"): return db.UserCanAccessResource(session.UserID, session.Scope, "c2_listener", c.Param("id")) case strings.HasPrefix(path, "/c2/sessions/:id"):