feat(api): relocate authorizations outside of JWT (#3079)

* feat(api): relocate authorizations outside of JWT * fix(api): update user authorization after enabling the RBAC extension * feat(api): add PortainerEndpointList operation in the default portainer authorizations * feat(auth): retrieve authorization from API instead of JWT * refactor(auth): move permissions retrieval to function * refactor(api): document authorizations methods
2025-07-25 08:19:40 +02:00 · 2019-09-10 10:58:26 +12:00 · 2019-09-10 10:58:26 +12:00 · 7d76bc89e7
commit 7d76bc89e7
parent 7ebb3e62dd
29 changed files with 472 additions and 303 deletions
--- a/api/http/handler/users/admin_init.go
+++ b/api/http/handler/users/admin_init.go
@ -43,25 +43,9 @@ func (handler *Handler) adminInit(w http.ResponseWriter, r *http.Request) *httpe
 	}

 	user := &portainer.User{
-		Username: payload.Username,
-		Role:     portainer.AdministratorRole,
-		PortainerAuthorizations: map[portainer.Authorization]bool{
-			portainer.OperationPortainerDockerHubInspect:        true,
-			portainer.OperationPortainerEndpointGroupList:       true,
-			portainer.OperationPortainerEndpointList:            true,
-			portainer.OperationPortainerEndpointInspect:         true,
-			portainer.OperationPortainerEndpointExtensionAdd:    true,
-			portainer.OperationPortainerEndpointExtensionRemove: true,
-			portainer.OperationPortainerExtensionList:           true,
-			portainer.OperationPortainerMOTD:                    true,
-			portainer.OperationPortainerRegistryList:            true,
-			portainer.OperationPortainerRegistryInspect:         true,
-			portainer.OperationPortainerTeamList:                true,
-			portainer.OperationPortainerTemplateList:            true,
-			portainer.OperationPortainerTemplateInspect:         true,
-			portainer.OperationPortainerUserList:                true,
-			portainer.OperationPortainerUserMemberships:         true,
-		},
+		Username:                payload.Username,
+		Role:                    portainer.AdministratorRole,
+		PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
 	}

 	user.Password, err = handler.CryptoService.Hash(payload.Password)
--- a/api/http/handler/users/user_create.go
+++ b/api/http/handler/users/user_create.go
@ -58,25 +58,9 @@ func (handler *Handler) userCreate(w http.ResponseWriter, r *http.Request) *http
 	}

 	user = &portainer.User{
-		Username: payload.Username,
-		Role:     portainer.UserRole(payload.Role),
-		PortainerAuthorizations: map[portainer.Authorization]bool{
-			portainer.OperationPortainerDockerHubInspect:        true,
-			portainer.OperationPortainerEndpointGroupList:       true,
-			portainer.OperationPortainerEndpointList:            true,
-			portainer.OperationPortainerEndpointInspect:         true,
-			portainer.OperationPortainerEndpointExtensionAdd:    true,
-			portainer.OperationPortainerEndpointExtensionRemove: true,
-			portainer.OperationPortainerExtensionList:           true,
-			portainer.OperationPortainerMOTD:                    true,
-			portainer.OperationPortainerRegistryList:            true,
-			portainer.OperationPortainerRegistryInspect:         true,
-			portainer.OperationPortainerTeamList:                true,
-			portainer.OperationPortainerTemplateList:            true,
-			portainer.OperationPortainerTemplateInspect:         true,
-			portainer.OperationPortainerUserList:                true,
-			portainer.OperationPortainerUserMemberships:         true,
-		},
+		Username:                payload.Username,
+		Role:                    portainer.UserRole(payload.Role),
+		PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
 	}

 	settings, err := handler.SettingsService.Settings()
--- a/api/http/handler/users/user_inspect.go
+++ b/api/http/handler/users/user_inspect.go
@ -3,6 +3,8 @@ package users
 import (
 	"net/http"

+	"github.com/portainer/portainer/api/http/security"
+
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
@ -16,6 +18,15 @@ func (handler *Handler) userInspect(w http.ResponseWriter, r *http.Request) *htt
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid user identifier route variable", err}
 	}

+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
+	}
+
+	if !securityContext.IsAdmin && securityContext.UserID != portainer.UserID(userID) {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied inspect user", portainer.ErrResourceAccessDenied}
+	}
+
 	user, err := handler.UserService.User(portainer.UserID(userID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a user with the specified identifier inside the database", err}