From c0525fa4154f4396f276c1abab62ee838be48365 Mon Sep 17 00:00:00 2001
From: YuChen <yuchen.shen@mail.utoronto.ca>
Date: Fri, 15 Nov 2024 13:43:37 -0800
Subject: [PATCH] add cluster permission check for v3 resources

Signed-off-by: YuChen <yuchen.shen@mail.utoronto.ca>
---
 .../operandrequest/reconcile_operand.go       | 52 +++++++++++--------
 1 file changed, 29 insertions(+), 23 deletions(-)

diff --git a/controllers/operandrequest/reconcile_operand.go b/controllers/operandrequest/reconcile_operand.go
index f977bc6f..ed081821 100644
--- a/controllers/operandrequest/reconcile_operand.go
+++ b/controllers/operandrequest/reconcile_operand.go
@@ -669,29 +669,35 @@ func (r *Reconciler) deleteAllCustomResource(ctx context.Context, csv *olmv1alph
 
 			// Compare the name of OperandConfig and CRD name
 			if strings.EqualFold(kind, crdName) {
-				err := r.Client.Get(ctx, types.NamespacedName{
-					Name:      name,
-					Namespace: namespace,
-				}, &crTemplate)
-				if err != nil && !apierrors.IsNotFound(err) {
-					merr.Add(err)
-					continue
-				}
-				if apierrors.IsNotFound(err) {
-					klog.V(2).Info("Finish Deleting the CR: " + kind)
-					continue
-				}
-				if r.CheckLabel(crTemplate, map[string]string{constant.OpreqLabel: "true"}) {
-					wg.Add(1)
-					go func() {
-						defer wg.Done()
-						if err := r.deleteCustomResource(ctx, crTemplate, namespace); err != nil {
-							r.Mutex.Lock()
-							defer r.Mutex.Unlock()
-							merr.Add(err)
-							return
-						}
-					}()
+				if r.checkResAuth(ctx, []string{"get"}, crTemplate) {
+
+					err := r.Client.Get(ctx, types.NamespacedName{
+						Name:      name,
+						Namespace: namespace,
+					}, &crTemplate)
+					if err != nil && !apierrors.IsNotFound(err) {
+						merr.Add(err)
+						continue
+					}
+					if apierrors.IsNotFound(err) {
+						klog.V(2).Info("Finish Deleting the CR: " + kind)
+						continue
+					}
+					if r.CheckLabel(crTemplate, map[string]string{constant.OpreqLabel: "true"}) {
+						wg.Add(1)
+						go func() {
+							defer wg.Done()
+							if r.checkResAuth(ctx, []string{"delete"}, crTemplate) {
+								if err := r.deleteCustomResource(ctx, crTemplate, namespace); err != nil {
+									r.Mutex.Lock()
+									defer r.Mutex.Unlock()
+									merr.Add(err)
+									return
+								}
+							}
+						}()
+					}
+
 				}
 
 			}