From 3c2379758d03e0ccf9e063c47f16555822e44a5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=85=AC=E6=98=8E?= <83812544+Ed1s0nZ@users.noreply.github.com> Date: Thu, 16 Jul 2026 19:39:55 +0800 Subject: [PATCH] Add files via upload --- internal/security/rbac.go | 3 +++ internal/security/rbac_middleware.go | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/internal/security/rbac.go b/internal/security/rbac.go index 845f297b..1c5b766f 100644 --- a/internal/security/rbac.go +++ b/internal/security/rbac.go @@ -31,6 +31,9 @@ var PermissionCatalog = map[string]string{ "vulnerability:read": "View vulnerabilities", "vulnerability:write": "Create and update vulnerabilities", "vulnerability:delete": "Delete vulnerabilities", + "asset:read": "View managed assets and asset summaries", + "asset:write": "Create, import, and update assets", + "asset:delete": "Delete managed assets", "webshell:read": "View WebShell connections", "webshell:write": "Manage and use WebShell connections", "webshell:delete": "Delete WebShell connections", diff --git a/internal/security/rbac_middleware.go b/internal/security/rbac_middleware.go index 6486476a..6ddd216a 100644 --- a/internal/security/rbac_middleware.go +++ b/internal/security/rbac_middleware.go @@ -151,6 +151,8 @@ func permissionForRequest(method, fullPath string) string { return crudPermission(method, "knowledge") case strings.HasPrefix(path, "/vulnerabilities"): return crudPermission(method, "vulnerability") + case strings.HasPrefix(path, "/assets"): + return crudPermission(method, "asset") case strings.HasPrefix(path, "/vulnerability-alerts"): // This endpoint only changes the authenticated user's own preference. return "vulnerability:read" @@ -232,6 +234,8 @@ func resourceAllowed(c *gin.Context, db *database.DB) bool { return db.UserCanAccessResource(session.UserID, session.Scope, "batch_task", c.Param("queueId")) case strings.HasPrefix(path, "/vulnerabilities/:id"): return db.UserCanAccessResource(session.UserID, session.Scope, "vulnerability", c.Param("id")) + case strings.HasPrefix(path, "/assets/:id"): + return db.UserCanAccessResource(session.UserID, session.Scope, "asset", c.Param("id")) case strings.HasPrefix(path, "/c2/listeners/:id"): return db.UserCanAccessResource(session.UserID, session.Scope, "c2_listener", c.Param("id")) case strings.HasPrefix(path, "/c2/sessions/:id"):