Skip to content

Issue/search namespace fix#496

Merged
zxh326 merged 2 commits intokite-org:mainfrom
anupam42:issue/search-namespace-fix
Apr 19, 2026
Merged

Issue/search namespace fix#496
zxh326 merged 2 commits intokite-org:mainfrom
anupam42:issue/search-namespace-fix

Conversation

@anupam42
Copy link
Copy Markdown
Contributor

@anupam42 anupam42 commented Apr 19, 2026

fix: #316

Root cause: The namespace list API applies CanAccessNamespace RBAC filtering when listing namespaces, but the Search method had no such filtering. So users could find pods/deployments in namespaces (e.g., norish) via search, while those namespaces were absent from the dropdown — a confusing inconsistency.

Fix: The Search method now applies the same RBAC checks:

Namespace resources: filtered by CanAccessNamespace on the namespace name
Namespace-scoped resources (pods, deployments, etc.): filtered by CanAccessNamespace on obj.GetNamespace()
This makes search results consistent with what's accessible in the namespace dropdown. Users with admin roles (Namespaces: ["*"]) are unaffected all namespaces remain visible everywhere.

@zxh326
Copy link
Copy Markdown
Member

zxh326 commented Apr 19, 2026

need rebase

@anupam42 anupam42 force-pushed the issue/search-namespace-fix branch from 3cebbe8 to 8bd3f77 Compare April 19, 2026 13:25
@zxh326
Copy link
Copy Markdown
Member

zxh326 commented Apr 19, 2026

The search function has a simple cache. It might be necessary to include the user.key in the cache keys.

func (h *SearchHandler) createCacheKey(clusterName, query string, limit int) string {
return fmt.Sprintf("search:%s:%d:%s", clusterName, limit, normalizeSearchQuery(query))
}

@anupam42
Copy link
Copy Markdown
Contributor Author

anupam42 commented Apr 19, 2026

The search function has a simple cache. It might be necessary to include the user.key in the cache keys.

func (h *SearchHandler) createCacheKey(clusterName, query string, limit int) string {
return fmt.Sprintf("search:%s:%d:%s", clusterName, limit, normalizeSearchQuery(query))
}

Good catch! Thank you for seeing ! Since we now filter search results per user RBAC, the cache key must be user-scoped otherwise User A's cached results could be served to User B (who may have broader or narrower access).

Fixed by including user.Key() in the cache key:

func (h *SearchHandler) createCacheKey(clusterName, userKey, query string, limit int) string {
return fmt.Sprintf("search:%s:%s:%d:%s", clusterName, userKey, limit, normalizeSearchQuery(query))
}

Also updated the existing tests to set a "user" key on the test gin context (using model.AnonymousUser which has full access, so test behavior is unchanged). All tests pass.

anupam42 and others added 2 commits April 19, 2026 20:20
Previously the cache key only included cluster+query+limit, so two
users with different RBAC permissions could receive each other's cached
search results. Adding user.Key() scopes the cache per user.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@anupam42 anupam42 force-pushed the issue/search-namespace-fix branch from 4616163 to 419112a Compare April 19, 2026 14:51
@zxh326 zxh326 enabled auto-merge (squash) April 19, 2026 15:19
@zxh326 zxh326 merged commit 8582742 into kite-org:main Apr 19, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Not all namespaces/pods visible in Pods view

2 participants