feat(settings): add a setting to disable privileged mode for non-admins (#1239)

2025-08-03 04:45:21 +02:00 · 2017-09-27 09:26:04 +02:00 · 2017-09-27 09:26:04 +02:00 · 0bdcff09f8
commit 0bdcff09f8
parent ca9d9b9a77
10 changed files with 79 additions and 33 deletions
--- a/api/bolt/migrate_dbversion5.go
+++ b/api/bolt/migrate_dbversion5.go
@ -0,0 +1,16 @@
+package bolt
+
+func (m *Migrator) updateSettingsToVersion6() error {
+	legacySettings, err := m.SettingsService.Settings()
+	if err != nil {
+		return err
+	}
+	legacySettings.AllowPrivilegedModeForRegularUsers = true
+
+	err = m.SettingsService.StoreSettings(legacySettings)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/api/bolt/migrator.go
+++ b/api/bolt/migrator.go
@ -73,6 +73,14 @@ func (m *Migrator) Migrate() error {
 		}
 	}

+	// https://github.com/portainer/portainer/issues/1236
+	if m.CurrentDBVersion < 6 {
+		err := m.updateSettingsToVersion6()
+		if err != nil {
+			return err
+		}
+	}
+
 	err := m.VersionService.StoreDBVersion(portainer.DBVersion)
 	if err != nil {
 		return err
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@ -125,7 +125,8 @@ func initSettings(settingsService portainer.SettingsService, flags *portainer.CL
 					portainer.LDAPSearchSettings{},
 				},
 			},
-			AllowBindMountsForRegularUsers: true,
+			AllowBindMountsForRegularUsers:     true,
+			AllowPrivilegedModeForRegularUsers: true,
 		}

 		if *flags.Templates != "" {
--- a/api/http/handler/settings.go
+++ b/api/http/handler/settings.go
@ -45,20 +45,22 @@ func NewSettingsHandler(bouncer *security.RequestBouncer) *SettingsHandler {

 type (
 	publicSettingsResponse struct {
-		LogoURL                        string                         `json:"LogoURL"`
-		DisplayExternalContributors    bool                           `json:"DisplayExternalContributors"`
-		AuthenticationMethod           portainer.AuthenticationMethod `json:"AuthenticationMethod"`
-		AllowBindMountsForRegularUsers bool                           `json:"AllowBindMountsForRegularUsers"`
+		LogoURL                            string                         `json:"LogoURL"`
+		DisplayExternalContributors        bool                           `json:"DisplayExternalContributors"`
+		AuthenticationMethod               portainer.AuthenticationMethod `json:"AuthenticationMethod"`
+		AllowBindMountsForRegularUsers     bool                           `json:"AllowBindMountsForRegularUsers"`
+		AllowPrivilegedModeForRegularUsers bool                           `json:"AllowPrivilegedModeForRegularUsers"`
 	}

 	putSettingsRequest struct {
-		TemplatesURL                   string                 `valid:"required"`
-		LogoURL                        string                 `valid:""`
-		BlackListedLabels              []portainer.Pair       `valid:""`
-		DisplayExternalContributors    bool                   `valid:""`
-		AuthenticationMethod           int                    `valid:"required"`
-		LDAPSettings                   portainer.LDAPSettings `valid:""`
-		AllowBindMountsForRegularUsers bool                   `valid:""`
+		TemplatesURL                       string                 `valid:"required"`
+		LogoURL                            string                 `valid:""`
+		BlackListedLabels                  []portainer.Pair       `valid:""`
+		DisplayExternalContributors        bool                   `valid:""`
+		AuthenticationMethod               int                    `valid:"required"`
+		LDAPSettings                       portainer.LDAPSettings `valid:""`
+		AllowBindMountsForRegularUsers     bool                   `valid:""`
+		AllowPrivilegedModeForRegularUsers bool                   `valid:""`
 	}

 	putSettingsLDAPCheckRequest struct {
@ -87,10 +89,11 @@ func (handler *SettingsHandler) handleGetPublicSettings(w http.ResponseWriter, r
 	}

 	publicSettings := &publicSettingsResponse{
-		LogoURL:                        settings.LogoURL,
-		DisplayExternalContributors:    settings.DisplayExternalContributors,
-		AuthenticationMethod:           settings.AuthenticationMethod,
-		AllowBindMountsForRegularUsers: settings.AllowBindMountsForRegularUsers,
+		LogoURL:                            settings.LogoURL,
+		DisplayExternalContributors:        settings.DisplayExternalContributors,
+		AuthenticationMethod:               settings.AuthenticationMethod,
+		AllowBindMountsForRegularUsers:     settings.AllowBindMountsForRegularUsers,
+		AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
 	}

 	encodeJSON(w, publicSettings, handler.Logger)
@ -112,12 +115,13 @@ func (handler *SettingsHandler) handlePutSettings(w http.ResponseWriter, r *http
 	}

 	settings := &portainer.Settings{
-		TemplatesURL:                   req.TemplatesURL,
-		LogoURL:                        req.LogoURL,
-		BlackListedLabels:              req.BlackListedLabels,
-		DisplayExternalContributors:    req.DisplayExternalContributors,
-		LDAPSettings:                   req.LDAPSettings,
-		AllowBindMountsForRegularUsers: req.AllowBindMountsForRegularUsers,
+		TemplatesURL:                       req.TemplatesURL,
+		LogoURL:                            req.LogoURL,
+		BlackListedLabels:                  req.BlackListedLabels,
+		DisplayExternalContributors:        req.DisplayExternalContributors,
+		LDAPSettings:                       req.LDAPSettings,
+		AllowBindMountsForRegularUsers:     req.AllowBindMountsForRegularUsers,
+		AllowPrivilegedModeForRegularUsers: req.AllowPrivilegedModeForRegularUsers,
 	}

 	if req.AuthenticationMethod == 1 {
--- a/api/portainer.go
+++ b/api/portainer.go
@ -70,13 +70,14 @@ type (

 	// Settings represents the application settings.
 	Settings struct {
-		TemplatesURL                   string               `json:"TemplatesURL"`
-		LogoURL                        string               `json:"LogoURL"`
-		BlackListedLabels              []Pair               `json:"BlackListedLabels"`
-		DisplayExternalContributors    bool                 `json:"DisplayExternalContributors"`
-		AuthenticationMethod           AuthenticationMethod `json:"AuthenticationMethod"`
-		LDAPSettings                   LDAPSettings         `json:"LDAPSettings"`
-		AllowBindMountsForRegularUsers bool                 `json:"AllowBindMountsForRegularUsers"`
+		TemplatesURL                       string               `json:"TemplatesURL"`
+		LogoURL                            string               `json:"LogoURL"`
+		BlackListedLabels                  []Pair               `json:"BlackListedLabels"`
+		DisplayExternalContributors        bool                 `json:"DisplayExternalContributors"`
+		AuthenticationMethod               AuthenticationMethod `json:"AuthenticationMethod"`
+		LDAPSettings                       LDAPSettings         `json:"LDAPSettings"`
+		AllowBindMountsForRegularUsers     bool                 `json:"AllowBindMountsForRegularUsers"`
+		AllowPrivilegedModeForRegularUsers bool                 `json:"AllowPrivilegedModeForRegularUsers"`
 	}

 	// User represents a user account.
@ -349,7 +350,7 @@ const (
 	// APIVersion is the version number of the Portainer API.
 	APIVersion = "1.14.2"
 	// DBVersion is the version number of the Portainer database.
-	DBVersion = 5
+	DBVersion = 6
 	// DefaultTemplatesURL represents the default URL for the templates definitions.
 	DefaultTemplatesURL = "https://raw.githubusercontent.com/portainer/templates/master/templates.json"
 )