fix(api): manage registry authentication in the API (#1751)

2025-08-02 20:35:25 +02:00 · 2018-03-23 08:44:43 +10:00 · 2018-03-23 08:44:43 +10:00 · 30dfd3d616
commit 30dfd3d616
parent c267f8bf57
11 changed files with 183 additions and 42 deletions
--- a/api/http/security/authorization.go
+++ b/api/http/security/authorization.go
@ -140,3 +140,22 @@ func AuthorizedEndpointAccess(endpoint *portainer.Endpoint, userID portainer.Use
 	}
 	return false
 }
+
+// AuthorizedRegistryAccess ensure that the user can access the specified registry.
+// It will check if the user is part of the authorized users or part of a team that is
+// listed in the authorized teams.
+func AuthorizedRegistryAccess(registry *portainer.Registry, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	for _, authorizedUserID := range registry.AuthorizedUsers {
+		if authorizedUserID == userID {
+			return true
+		}
+	}
+	for _, membership := range memberships {
+		for _, authorizedTeamID := range registry.AuthorizedTeams {
+			if membership.TeamID == authorizedTeamID {
+				return true
+			}
+		}
+	}
+	return false
+}
--- a/api/http/security/filter.go
+++ b/api/http/security/filter.go
@ -69,7 +69,7 @@ func FilterRegistries(registries []portainer.Registry, context *RestrictedReques
 		filteredRegistries = make([]portainer.Registry, 0)

 		for _, registry := range registries {
-			if isRegistryAccessAuthorized(&registry, context.UserID, context.UserMemberships) {
+			if AuthorizedRegistryAccess(&registry, context.UserID, context.UserMemberships) {
 				filteredRegistries = append(filteredRegistries, registry)
 			}
 		}
@ -87,7 +87,7 @@ func FilterEndpoints(endpoints []portainer.Endpoint, context *RestrictedRequestC
 		filteredEndpoints = make([]portainer.Endpoint, 0)

 		for _, endpoint := range endpoints {
-			if isEndpointAccessAuthorized(&endpoint, context.UserID, context.UserMemberships) {
+			if AuthorizedEndpointAccess(&endpoint, context.UserID, context.UserMemberships) {
 				filteredEndpoints = append(filteredEndpoints, endpoint)
 			}
 		}
@ -95,35 +95,3 @@ func FilterEndpoints(endpoints []portainer.Endpoint, context *RestrictedRequestC

 	return filteredEndpoints, nil
 }
-
-func isRegistryAccessAuthorized(registry *portainer.Registry, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
-	for _, authorizedUserID := range registry.AuthorizedUsers {
-		if authorizedUserID == userID {
-			return true
-		}
-	}
-	for _, membership := range memberships {
-		for _, authorizedTeamID := range registry.AuthorizedTeams {
-			if membership.TeamID == authorizedTeamID {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-func isEndpointAccessAuthorized(endpoint *portainer.Endpoint, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
-	for _, authorizedUserID := range endpoint.AuthorizedUsers {
-		if authorizedUserID == userID {
-			return true
-		}
-	}
-	for _, membership := range memberships {
-		for _, authorizedTeamID := range endpoint.AuthorizedTeams {
-			if membership.TeamID == authorizedTeamID {
-				return true
-			}
-		}
-	}
-	return false
-}