fix(stacks): enforce stack permissions for non admin users EE-3683 (#7399)

* fix(stacks): hide stacks in sidebar EE-3683

* fix(stacks): for unauth, take the user to the dashboard

* fix(stacks): block the user from stack details EE-3683

* fix(stacks): disable stack managment for non admins

app/portainer/components/datatables/stacks-datatable/stacksDatatable.html

@@ -1,6 +1,6 @@
 <div class="datatable">
   <rd-widget>
-    <rd-widget-body classes="no-padding">
+    <rd-widget-body classes="no-padding" ng-if="$ctrl.createEnabled">
       <div class="toolBar vertical-center !gap-x-5 !gap-y-1 flex-wrap">
         <div class="toolBarTitle vertical-center">
           <pr-icon icon="'layers'" feather="true" class-name="'icon-nested-blue vertical-center'" mode="'primary'"></pr-icon>
@@ -21,6 +21,7 @@
         </div>
         <div class="actionBar !gap-3" ng-if="!$ctrl.offlineMode" authorization="PortainerStackCreate, PortainerStackDelete">
           <button
+            ng-disabled="!$ctrl.createEnabled"
             type="button"
             class="btn btn-sm btn-dangerlight h-fit vertical-center !ml-0"
             authorization="PortainerStackDelete"
@@ -178,7 +179,7 @@
                   <label for="select_{{ $index }}"></label>
                 </span>
                 <a
-                  ng-if="!$ctrl.offlineMode"
+                  ng-if="!$ctrl.offlineMode && $ctrl.createEnabled"
                   ui-sref="docker.stacks.stack({ name: item.Name, id: item.Id, type: item.Type, regular: item.Regular, external: item.External, orphaned: item.Orphaned, orphanedRunning: item.OrphanedRunning })"
                   >{{ item.Name }}</a
                 >

app/portainer/hooks/useUser.tsx

@@ -70,7 +70,7 @@ export function useAuthorizations(
 export function isEnvironmentAdmin(
   user: User,
   environmentId: EnvironmentId,
-  adminOnlyCE = false
+  adminOnlyCE = true
 ) {
   return hasAuthorizations(
     user,

app/portainer/views/stacks/edit/stackController.js

@@ -477,7 +477,17 @@ angular.module('portainer.app').controller('StackController', [
       }
     };
 
+    async function canManageStacks() {
+      return endpoint.SecuritySettings.allowStackManagementForRegularUsers || Authentication.isAdmin();
+    }
+
     async function initView() {
+      // if the user is not an admin, and stack management is disabled for non admins, then take the user to the dashboard
+      $scope.createEnabled = await canManageStacks();
+      if (!$scope.createEnabled) {
+        $state.go('docker.dashboard');
+      }
+
       var stackName = $transition$.params().name;
       $scope.stackName = stackName;
 

app/portainer/views/stacks/stacksController.js

@@ -56,13 +56,17 @@ function StacksController($scope, $state, Notifications, StackService, ModalServ
       });
   }
 
-  async function loadCreateEnabled() {
+  async function canManageStacks() {
     return endpoint.SecuritySettings.allowStackManagementForRegularUsers || Authentication.isAdmin();
   }
 
   async function initView() {
+    // if the user is not an admin, and stack management is disabled for non admins, then take the user to the dashboard
+    $scope.createEnabled = await canManageStacks();
+    if (!$scope.createEnabled) {
+      $state.go('docker.dashboard');
+    }
     getStacks();
-    $scope.createEnabled = await loadCreateEnabled();
   }
 
   initView();