feat(settings): add setting to disable device mapping for regular users (#4099)

* feat(settings): add setting to disable device mapping for regular users * feat(settings): introduce device mapping service * feat(containers): hide devices field when setting is on * feat(containers): prevent passing of devices when not allowed * feat(stacks): prevent non admin from device mapping * feat(stacks): disallow swarm stack creation for user * refactor(settings): replace disableDeviceMapping with allow * fix(stacks): remove check for disable device mappings from swarm * feat(settings): rename field to disable * feat(settings): supply default value for disableDeviceMapping * feat(container): check for endpoint admin * style(server): sort imports
2025-07-23 07:19:41 +02:00 · 2020-07-27 00:31:14 +03:00 · 2020-07-27 00:31:14 +03:00 · 07efd4bdda
commit 07efd4bdda
parent 2bc6b2dff7
14 changed files with 71 additions and 11 deletions
--- a/app/docker/views/containers/create/createContainerController.js
+++ b/app/docker/views/containers/create/createContainerController.js
@ -30,6 +30,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
  'SettingsService',
  'PluginService',
  'HttpRequestHelper',
+  'ExtensionService',
  function (
    $q,
    $scope,
@ -55,7 +56,8 @@ angular.module('portainer.docker').controller('CreateContainerController', [
    SystemService,
    SettingsService,
    PluginService,
-    HttpRequestHelper
+    HttpRequestHelper,
+    ExtensionService
  ) {
    $scope.create = create;

@ -604,7 +606,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
      });
    }

-    function initView() {
+    async function initView() {
      var nodeName = $transition$.params().nodeName;
      $scope.formValues.NodeName = nodeName;
      HttpRequestHelper.setPortainerAgentTargetHeader(nodeName);
@ -685,6 +687,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
      });

      $scope.isAdmin = Authentication.isAdmin();
+      $scope.showDeviceMapping = await shouldShowDevices();
    }

    function validateForm(accessControlData, isAdmin) {
@ -897,6 +900,19 @@ angular.module('portainer.docker').controller('CreateContainerController', [
      }
    }

+    async function shouldShowDevices() {
+      const isAdmin = Authentication.isAdmin();
+      const { allowDeviceMappingForRegularUsers } = $scope.applicationState.application;
+
+      if (isAdmin || allowDeviceMappingForRegularUsers) {
+        return true;
+      }
+      const rbacEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
+      if (rbacEnabled) {
+        return Authentication.hasAuthorizations(['EndpointResourcesAccess']);
+      }
+    }
+
    initView();
  },
 ]);