feat(settings): introduce setting to disable container caps for non-admins (#4109)

* feat(settings): introduce settings to allow/disable * feat(settings): update the setting * feat(docker): prevent user from using caps if disabled * refactor(stacks): revert file * style(api): remove portainer ns
2025-08-02 20:35:25 +02:00 · 2020-07-28 10:08:15 +03:00 · 2020-07-28 10:08:15 +03:00 · 1a3f77137a
commit 1a3f77137a
parent fec85c77d6
14 changed files with 136 additions and 82 deletions
--- a/api/bolt/init.go
+++ b/api/bolt/init.go
@ -24,17 +24,18 @@ func (store *Store) Init() error {
 					portainer.LDAPGroupSearchSettings{},
 				},
 			},
-			OAuthSettings:                       portainer.OAuthSettings{},
-			AllowBindMountsForRegularUsers:      true,
-			AllowPrivilegedModeForRegularUsers:  true,
-			AllowVolumeBrowserForRegularUsers:   false,
-			AllowHostNamespaceForRegularUsers:   true,
-			AllowDeviceMappingForRegularUsers:   true,
-			AllowStackManagementForRegularUsers: true,
-			EnableHostManagementFeatures:        false,
-			EdgeAgentCheckinInterval:            portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
-			TemplatesURL:                        portainer.DefaultTemplatesURL,
-			UserSessionTimeout:                  portainer.DefaultUserSessionTimeout,
+			OAuthSettings:                             portainer.OAuthSettings{},
+			AllowBindMountsForRegularUsers:            true,
+			AllowPrivilegedModeForRegularUsers:        true,
+			AllowVolumeBrowserForRegularUsers:         false,
+			AllowHostNamespaceForRegularUsers:         true,
+			AllowDeviceMappingForRegularUsers:         true,
+			AllowStackManagementForRegularUsers:       true,
+			AllowContainerCapabilitiesForRegularUsers: true,
+			EnableHostManagementFeatures:              false,
+			EdgeAgentCheckinInterval:                  portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
+			TemplatesURL:                              portainer.DefaultTemplatesURL,
+			UserSessionTimeout:                        portainer.DefaultUserSessionTimeout,
 		}

 		err = store.SettingsService.UpdateSettings(defaultSettings)
--- a/api/bolt/migrator/migrate_dbversion24.go
+++ b/api/bolt/migrator/migrate_dbversion24.go
@ -16,5 +16,7 @@ func (m *Migrator) updateSettingsToDB25() error {

 	legacySettings.UserSessionTimeout = portainer.DefaultUserSessionTimeout

+	legacySettings.AllowContainerCapabilitiesForRegularUsers = true
+
 	return m.settingsService.UpdateSettings(legacySettings)
 }