fix(kube): don't valide resource control access for kube (#5568)

api/http/handler/stacks/stack_delete.go

@@ -87,6 +87,7 @@ func (handler *Handler) stackDelete(w http.ResponseWriter, r *http.Request) *htt
 			return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
 		}
 
+		if stack.Type == portainer.DockerSwarmStack || stack.Type == portainer.DockerComposeStack {
 			access, err := handler.userCanAccessStack(securityContext, endpoint.ID, resourceControl)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify user authorizations to validate stack access", err}
@@ -95,6 +96,7 @@ func (handler *Handler) stackDelete(w http.ResponseWriter, r *http.Request) *htt
 				return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied}
 			}
 		}
+	}
 
 	// stop scheduler updates of the stack before removal
 	if stack.AutoUpdate != nil {

api/http/handler/stacks/stack_file.go

@@ -66,6 +66,7 @@ func (handler *Handler) stackFile(w http.ResponseWriter, r *http.Request) *httpe
 			return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
 		}
 
+		if stack.Type == portainer.DockerSwarmStack || stack.Type == portainer.DockerComposeStack {
 			resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
@@ -79,6 +80,7 @@ func (handler *Handler) stackFile(w http.ResponseWriter, r *http.Request) *httpe
 				return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", errors.ErrResourceAccessDenied}
 			}
 		}
+	}
 
 	stackFileContent, err := handler.FileService.GetFileContent(path.Join(stack.ProjectPath, stack.EntryPoint))
 	if err != nil {

api/http/handler/stacks/stack_inspect.go

@@ -1,9 +1,10 @@
 package stacks
 
 import (
-	"github.com/portainer/portainer/api/http/errors"
 	"net/http"
 
+	"github.com/portainer/portainer/api/http/errors"
+
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
@@ -60,6 +61,7 @@ func (handler *Handler) stackInspect(w http.ResponseWriter, r *http.Request) *ht
 			return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
 		}
 
+		if stack.Type == portainer.DockerSwarmStack || stack.Type == portainer.DockerComposeStack {
 			resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
@@ -77,6 +79,7 @@ func (handler *Handler) stackInspect(w http.ResponseWriter, r *http.Request) *ht
 				stack.ResourceControl = resourceControl
 			}
 		}
+	}
 
 	if stack.GitConfig != nil && stack.GitConfig.Authentication != nil && stack.GitConfig.Authentication.Password != "" {
 		// sanitize password in the http response to minimise possible security leaks

api/http/handler/stacks/stack_migrate.go

@@ -78,6 +78,7 @@ func (handler *Handler) stackMigrate(w http.ResponseWriter, r *http.Request) *ht
 		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
 	}
 
+	if stack.Type == portainer.DockerSwarmStack || stack.Type == portainer.DockerComposeStack {
 		resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
@@ -95,6 +96,7 @@ func (handler *Handler) stackMigrate(w http.ResponseWriter, r *http.Request) *ht
 		if !access {
 			return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied}
 		}
+	}
 
 	// TODO: this is a work-around for stacks created with Portainer version >= 1.17.1
 	// The EndpointID property is not available for these stacks, this API endpoint

api/http/handler/stacks/stack_start.go

@@ -68,6 +68,7 @@ func (handler *Handler) stackStart(w http.ResponseWriter, r *http.Request) *http
 		return &httperror.HandlerError{http.StatusConflict, errorMessage, errors.New(errorMessage)}
 	}
 
+	if stack.Type == portainer.DockerSwarmStack || stack.Type == portainer.DockerComposeStack {
 		resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
@@ -80,6 +81,7 @@ func (handler *Handler) stackStart(w http.ResponseWriter, r *http.Request) *http
 		if !access {
 			return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied}
 		}
+	}
 
 	if stack.Status == portainer.StackStatusActive {
 		return &httperror.HandlerError{http.StatusBadRequest, "Stack is already active", errors.New("Stack is already active")}

api/http/handler/stacks/stack_stop.go

@@ -57,6 +57,7 @@ func (handler *Handler) stackStop(w http.ResponseWriter, r *http.Request) *httpe
 		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
 	}
 
+	if stack.Type == portainer.DockerSwarmStack || stack.Type == portainer.DockerComposeStack {
 		resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
@@ -69,6 +70,7 @@ func (handler *Handler) stackStop(w http.ResponseWriter, r *http.Request) *httpe
 		if !access {
 			return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied}
 		}
+	}
 
 	if stack.Status == portainer.StackStatusInactive {
 		return &httperror.HandlerError{http.StatusBadRequest, "Stack is already inactive", errors.New("Stack is already inactive")}

api/http/handler/stacks/stack_update_git.go

@@ -98,6 +98,7 @@ func (handler *Handler) stackUpdateGit(w http.ResponseWriter, r *http.Request) *
 		return &httperror.HandlerError{StatusCode: http.StatusForbidden, Message: "Permission denied to access endpoint", Err: err}
 	}
 
+	if stack.Type == portainer.DockerSwarmStack || stack.Type == portainer.DockerComposeStack {
 		resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
 		if err != nil {
 			return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to retrieve a resource control associated to the stack", Err: err}
@@ -115,6 +116,7 @@ func (handler *Handler) stackUpdateGit(w http.ResponseWriter, r *http.Request) *
 		if !access {
 			return &httperror.HandlerError{StatusCode: http.StatusForbidden, Message: "Access denied to resource", Err: httperrors.ErrResourceAccessDenied}
 		}
+	}
 
 	//stop the autoupdate job if there is any
 	if stack.AutoUpdate != nil {