feat(settings): introduce setting to disable container caps for non-admins (#4109)

* feat(settings): introduce settings to allow/disable * feat(settings): update the setting * feat(docker): prevent user from using caps if disabled * refactor(stacks): revert file * style(api): remove portainer ns
2025-07-24 15:59:41 +02:00 · 2020-07-28 10:08:15 +03:00 · 2020-07-28 10:08:15 +03:00 · 1a3f77137a
commit 1a3f77137a
parent fec85c77d6
14 changed files with 136 additions and 82 deletions
--- a/api/http/handler/settings/settings_update.go
+++ b/api/http/handler/settings/settings_update.go
@ -15,23 +15,24 @@ import (
 )

 type settingsUpdatePayload struct {
-	LogoURL                             *string
-	BlackListedLabels                   []portainer.Pair
-	AuthenticationMethod                *int
-	LDAPSettings                        *portainer.LDAPSettings
-	OAuthSettings                       *portainer.OAuthSettings
-	AllowBindMountsForRegularUsers      *bool
-	AllowPrivilegedModeForRegularUsers  *bool
-	AllowHostNamespaceForRegularUsers   *bool
-	AllowVolumeBrowserForRegularUsers   *bool
-	AllowDeviceMappingForRegularUsers   *bool
-	AllowStackManagementForRegularUsers *bool
-	EnableHostManagementFeatures        *bool
-	SnapshotInterval                    *string
-	TemplatesURL                        *string
-	EdgeAgentCheckinInterval            *int
-	EnableEdgeComputeFeatures           *bool
-	UserSessionTimeout                  *string
+	LogoURL                                   *string
+	BlackListedLabels                         []portainer.Pair
+	AuthenticationMethod                      *int
+	LDAPSettings                              *portainer.LDAPSettings
+	OAuthSettings                             *portainer.OAuthSettings
+	AllowBindMountsForRegularUsers            *bool
+	AllowPrivilegedModeForRegularUsers        *bool
+	AllowHostNamespaceForRegularUsers         *bool
+	AllowVolumeBrowserForRegularUsers         *bool
+	AllowDeviceMappingForRegularUsers         *bool
+	AllowStackManagementForRegularUsers       *bool
+	AllowContainerCapabilitiesForRegularUsers *bool
+	EnableHostManagementFeatures              *bool
+	SnapshotInterval                          *string
+	TemplatesURL                              *string
+	EdgeAgentCheckinInterval                  *int
+	EnableEdgeComputeFeatures                 *bool
+	UserSessionTimeout                        *string
 }

 func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
@ -136,6 +137,10 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 		settings.AllowStackManagementForRegularUsers = *payload.AllowStackManagementForRegularUsers
 	}

+	if payload.AllowContainerCapabilitiesForRegularUsers != nil {
+		settings.AllowContainerCapabilitiesForRegularUsers = *payload.AllowContainerCapabilitiesForRegularUsers
+	}
+
 	if payload.SnapshotInterval != nil && *payload.SnapshotInterval != settings.SnapshotInterval {
 		err := handler.updateSnapshotInterval(settings, *payload.SnapshotInterval)
 		if err != nil {