feat(registry-manager): allow regular users to use the registry browse feature (#2664)

* feat(registries): registries accessibility to all authorized people and not only admins * feat(registry): dockerhub settings for admin only * feat(registry): remove registry config access for non admin users * feat(api): use AuthenticatedAccess policy instead of RestrictedAccess for extensionList operation * refactor(api): minor update to security package * refactor(api): revert unexporting function changes * refactor(api): apply gofmt
2025-07-24 07:49:41 +02:00 · 2019-02-25 01:02:49 +01:00 · 2019-02-25 01:02:49 +01:00 · 7aa6a30614
commit 7aa6a30614
parent 99e50370bd
13 changed files with 70 additions and 19 deletions
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@ -111,6 +111,31 @@ func (bouncer *RequestBouncer) EndpointAccess(r *http.Request, endpoint *portain
 	return nil
 }

+// RegistryAccess retrieves the JWT token from the request context and verifies
+// that the user can access the specified registry.
+// An error is returned when access is denied.
+func (bouncer *RequestBouncer) RegistryAccess(r *http.Request, registry *portainer.Registry) error {
+	tokenData, err := RetrieveTokenData(r)
+	if err != nil {
+		return err
+	}
+
+	if tokenData.Role == portainer.AdministratorRole {
+		return nil
+	}
+
+	memberships, err := bouncer.teamMembershipService.TeamMembershipsByUserID(tokenData.ID)
+	if err != nil {
+		return err
+	}
+
+	if !AuthorizedRegistryAccess(registry, tokenData.ID, memberships) {
+		return portainer.ErrEndpointAccessDenied
+	}
+
+	return nil
+}
+
 // mwSecureHeaders provides secure headers middleware for handlers.
 func mwSecureHeaders(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {