From e528cdd7aa6e3c8a5095687f590961fbea3a7fc2 Mon Sep 17 00:00:00 2001
From: Xiangjing Li <55890329+xiangjingli@users.noreply.github.com>
Date: Mon, 21 Mar 2022 15:28:43 -0400
Subject: [PATCH] =?UTF-8?q?return=20true=20if=20both=20allowed=20is=20fals?= =?UTF-8?q?e=20and=20denied=20is=20false=20in=20SubjectAc=E2=80=A6=20(#132?= =?UTF-8?q?)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* return true if both allowed is false and denied is false in SubjectAccessReviewSpec result
Signed-off-by: Xiangjing Li
* remain the default return value is true
Signed-off-by: Xiangjing Li
---
 pkg/placementrule/controller/placementrule/placement.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/pkg/placementrule/controller/placementrule/placement.go b/pkg/placementrule/controller/placementrule/placement.go
index e91db5c6..49ed1fa5 100644
--- a/pkg/placementrule/controller/placementrule/placement.go
+++ b/pkg/placementrule/controller/placementrule/placement.go
@@ -325,6 +325,13 @@ func (r *ReconcilePlacementRule) checkUserPermission(annotations map[string]stri
 return false
 }
 
+ // According to https://docs.openshift.com/container-platform/4.9/rest_api/authorization_apis/subjectaccessreview-authorization-k8s-io-v1.html
+ // If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action
+ // We should return true in this case
+ if !result.Status.Allowed && !result.Status.Denied {
+ return true
+ }
+
 if !result.Status.Allowed {
 return false
 }
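Review bot: The added `if !result.Status.Allowed && !result.Status.Denied { return true }` makes checkUserPermission fail open, because allowed=false with denied=false is the ordinary SubjectAccessReview answer when no authorizer grants the action (RBAC, for one, reports a missing grant as no opinion rather than as a denial), and the API server itself refuses such requests. With this branch in place the following `if !result.Status.Allowed { return false }` only rejects when Denied is explicitly true, so a user with no matching role would presumably pass the check. I would drop the new branch and keep `!result.Status.Allowed` as the sole deny condition; if one caller really needs the no-opinion case accepted, narrow the exception to that caller and log the user and resource when it is taken. The function starts and ends outside the hunk, so what a `true` return unlocks is not visible here.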