feat(settings): introduce setting to disable container caps for non-admins (#4109)

* feat(settings): introduce settings to allow/disable * feat(settings): update the setting * feat(docker): prevent user from using caps if disabled * refactor(stacks): revert file * style(api): remove portainer ns
2025-07-24 15:59:41 +02:00 · 2020-07-28 10:08:15 +03:00 · 2020-07-28 10:08:15 +03:00 · 1a3f77137a
commit 1a3f77137a
parent fec85c77d6
14 changed files with 136 additions and 82 deletions
--- a/api/http/handler/settings/settings_public.go
+++ b/api/http/handler/settings/settings_public.go
@ -10,17 +10,18 @@ import (
 )

 type publicSettingsResponse struct {
-	LogoURL                             string                         `json:"LogoURL"`
-	AuthenticationMethod                portainer.AuthenticationMethod `json:"AuthenticationMethod"`
-	AllowBindMountsForRegularUsers      bool                           `json:"AllowBindMountsForRegularUsers"`
-	AllowPrivilegedModeForRegularUsers  bool                           `json:"AllowPrivilegedModeForRegularUsers"`
-	AllowVolumeBrowserForRegularUsers   bool                           `json:"AllowVolumeBrowserForRegularUsers"`
-	AllowHostNamespaceForRegularUsers   bool                           `json:"AllowHostNamespaceForRegularUsers"`
-	AllowDeviceMappingForRegularUsers   bool                           `json:"AllowDeviceMappingForRegularUsers"`
-	AllowStackManagementForRegularUsers bool                           `json:"AllowStackManagementForRegularUsers"`
-	EnableHostManagementFeatures        bool                           `json:"EnableHostManagementFeatures"`
-	EnableEdgeComputeFeatures           bool                           `json:"EnableEdgeComputeFeatures"`
-	OAuthLoginURI                       string                         `json:"OAuthLoginURI"`
+	LogoURL                                   string                         `json:"LogoURL"`
+	AuthenticationMethod                      portainer.AuthenticationMethod `json:"AuthenticationMethod"`
+	AllowBindMountsForRegularUsers            bool                           `json:"AllowBindMountsForRegularUsers"`
+	AllowPrivilegedModeForRegularUsers        bool                           `json:"AllowPrivilegedModeForRegularUsers"`
+	AllowVolumeBrowserForRegularUsers         bool                           `json:"AllowVolumeBrowserForRegularUsers"`
+	AllowHostNamespaceForRegularUsers         bool                           `json:"AllowHostNamespaceForRegularUsers"`
+	AllowDeviceMappingForRegularUsers         bool                           `json:"AllowDeviceMappingForRegularUsers"`
+	AllowStackManagementForRegularUsers       bool                           `json:"AllowStackManagementForRegularUsers"`
+	AllowContainerCapabilitiesForRegularUsers bool                           `json:"AllowContainerCapabilitiesForRegularUsers"`
+	EnableHostManagementFeatures              bool                           `json:"EnableHostManagementFeatures"`
+	EnableEdgeComputeFeatures                 bool                           `json:"EnableEdgeComputeFeatures"`
+	OAuthLoginURI                             string                         `json:"OAuthLoginURI"`
 }

 // GET request on /api/settings/public
@ -31,16 +32,17 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 	}

 	publicSettings := &publicSettingsResponse{
-		LogoURL:                             settings.LogoURL,
-		AuthenticationMethod:                settings.AuthenticationMethod,
-		AllowBindMountsForRegularUsers:      settings.AllowBindMountsForRegularUsers,
-		AllowPrivilegedModeForRegularUsers:  settings.AllowPrivilegedModeForRegularUsers,
-		AllowVolumeBrowserForRegularUsers:   settings.AllowVolumeBrowserForRegularUsers,
-		AllowHostNamespaceForRegularUsers:   settings.AllowHostNamespaceForRegularUsers,
-		AllowDeviceMappingForRegularUsers:   settings.AllowDeviceMappingForRegularUsers,
-		AllowStackManagementForRegularUsers: settings.AllowStackManagementForRegularUsers,
-		EnableHostManagementFeatures:        settings.EnableHostManagementFeatures,
-		EnableEdgeComputeFeatures:           settings.EnableEdgeComputeFeatures,
+		LogoURL:                                   settings.LogoURL,
+		AuthenticationMethod:                      settings.AuthenticationMethod,
+		AllowBindMountsForRegularUsers:            settings.AllowBindMountsForRegularUsers,
+		AllowPrivilegedModeForRegularUsers:        settings.AllowPrivilegedModeForRegularUsers,
+		AllowVolumeBrowserForRegularUsers:         settings.AllowVolumeBrowserForRegularUsers,
+		AllowHostNamespaceForRegularUsers:         settings.AllowHostNamespaceForRegularUsers,
+		AllowDeviceMappingForRegularUsers:         settings.AllowDeviceMappingForRegularUsers,
+		AllowStackManagementForRegularUsers:       settings.AllowStackManagementForRegularUsers,
+		AllowContainerCapabilitiesForRegularUsers: settings.AllowContainerCapabilitiesForRegularUsers,
+		EnableHostManagementFeatures:              settings.EnableHostManagementFeatures,
+		EnableEdgeComputeFeatures:                 settings.EnableEdgeComputeFeatures,
 		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&prompt=login",
 			settings.OAuthSettings.AuthorizationURI,
 			settings.OAuthSettings.ClientID,