feat(api): relocate authorizations outside of JWT (#3079)

* feat(api): relocate authorizations outside of JWT * fix(api): update user authorization after enabling the RBAC extension * feat(api): add PortainerEndpointList operation in the default portainer authorizations * feat(auth): retrieve authorization from API instead of JWT * refactor(auth): move permissions retrieval to function * refactor(api): document authorizations methods
2025-07-24 15:59:41 +02:00 · 2019-09-10 10:58:26 +12:00 · 2019-09-10 10:58:26 +12:00 · 7d76bc89e7
commit 7d76bc89e7
parent 7ebb3e62dd
29 changed files with 472 additions and 303 deletions
--- a/api/bolt/migrator/migrate_dbversion19.go
+++ b/api/bolt/migrator/migrate_dbversion19.go
@ -0,0 +1,29 @@
+package migrator
+
+import portainer "github.com/portainer/portainer/api"
+
+func (m *Migrator) updateUsersToDBVersion20() error {
+	legacyUsers, err := m.userService.Users()
+	if err != nil {
+		return err
+	}
+
+	authorizationServiceParameters := &portainer.AuthorizationServiceParameters{
+		EndpointService:       m.endpointService,
+		EndpointGroupService:  m.endpointGroupService,
+		RoleService:           m.roleService,
+		TeamMembershipService: m.teamMembershipService,
+		UserService:           m.userService,
+	}
+
+	authorizationService := portainer.NewAuthorizationService(authorizationServiceParameters)
+
+	for _, user := range legacyUsers {
+		err := authorizationService.UpdateUserAuthorizations(user.ID)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
--- a/api/bolt/migrator/migrator.go
+++ b/api/bolt/migrator/migrator.go
@ -8,8 +8,10 @@ import (
 	"github.com/portainer/portainer/api/bolt/extension"
 	"github.com/portainer/portainer/api/bolt/registry"
 	"github.com/portainer/portainer/api/bolt/resourcecontrol"
+	"github.com/portainer/portainer/api/bolt/role"
 	"github.com/portainer/portainer/api/bolt/settings"
 	"github.com/portainer/portainer/api/bolt/stack"
+	"github.com/portainer/portainer/api/bolt/teammembership"
 	"github.com/portainer/portainer/api/bolt/template"
 	"github.com/portainer/portainer/api/bolt/user"
 	"github.com/portainer/portainer/api/bolt/version"
@ -25,8 +27,10 @@ type (
 		extensionService       *extension.Service
 		registryService        *registry.Service
 		resourceControlService *resourcecontrol.Service
+		roleService            *role.Service
 		settingsService        *settings.Service
 		stackService           *stack.Service
+		teamMembershipService  *teammembership.Service
 		templateService        *template.Service
 		userService            *user.Service
 		versionService         *version.Service
@ -42,8 +46,10 @@ type (
 		ExtensionService       *extension.Service
 		RegistryService        *registry.Service
 		ResourceControlService *resourcecontrol.Service
+		RoleService            *role.Service
 		SettingsService        *settings.Service
 		StackService           *stack.Service
+		TeamMembershipService  *teammembership.Service
 		TemplateService        *template.Service
 		UserService            *user.Service
 		VersionService         *version.Service
@ -61,7 +67,9 @@ func NewMigrator(parameters *Parameters) *Migrator {
 		extensionService:       parameters.ExtensionService,
 		registryService:        parameters.RegistryService,
 		resourceControlService: parameters.ResourceControlService,
+		roleService:            parameters.RoleService,
 		settingsService:        parameters.SettingsService,
+		teamMembershipService:  parameters.TeamMembershipService,
 		templateService:        parameters.TemplateService,
 		stackService:           parameters.StackService,
 		userService:            parameters.UserService,
@ -257,5 +265,13 @@ func (m *Migrator) Migrate() error {
 		}
 	}

+	// Portainer 1.22.x
+	if m.currentDBVersion < 20 {
+		err := m.updateUsersToDBVersion20()
+		if err != nil {
+			return err
+		}
+	}
+
 	return m.versionService.StoreDBVersion(portainer.DBVersion)
 }