feat(containers): enforce disable bind mounts (#4110)

* feat(containers): enforce disable bind mounts * refactor(docker): move check for endpoint admin to a function * feat(docker): check if service has bind mounts * feat(services): allow bind mounts for endpoint admin * feat(container): enable bind mounts for endpoint admin * fix(services): fix typo
2025-08-05 05:45:22 +02:00 · 2020-07-29 12:10:46 +03:00 · 2020-07-29 12:10:46 +03:00 · 93d8c179f1
commit 93d8c179f1
parent 7539f09f98
7 changed files with 132 additions and 27 deletions
--- a/api/http/proxy/factory/docker/transport.go
+++ b/api/http/proxy/factory/docker/transport.go
@ -225,7 +225,7 @@ func (transport *Transport) proxyContainerRequest(request *http.Request) (*http.
 func (transport *Transport) proxyServiceRequest(request *http.Request) (*http.Response, error) {
 	switch requestPath := request.URL.Path; requestPath {
 	case "/services/create":
-		return transport.replaceRegistryAuthenticationHeader(request)
+		return transport.decorateServiceCreationOperation(request)

 	case "/services":
 		return transport.rewriteOperation(request, transport.serviceListOperation)
@ -629,7 +629,6 @@ func (transport *Transport) createRegistryAccessContext(request *http.Request) (
 		return nil, err
 	}

-
 	accessContext := &registryAccessContext{
 		isAdmin: true,
 		userID:  tokenData.ID,
@ -707,3 +706,32 @@ func (transport *Transport) createOperationContext(request *http.Request) (*rest

 	return operationContext, nil
 }
+
+func (transport *Transport) isAdminOrEndpointAdmin(request *http.Request) (bool, error) {
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return false, err
+	}
+
+	if tokenData.Role == portainer.AdministratorRole {
+		return true, nil
+	}
+
+	user, err := transport.dataStore.User().User(tokenData.ID)
+	if err != nil {
+		return false, err
+	}
+
+	rbacExtension, err := transport.dataStore.Extension().Extension(portainer.RBACExtension)
+	if err != nil && err != bolterrors.ErrObjectNotFound {
+		return false, err
+	}
+
+	if rbacExtension == nil {
+		return false, nil
+	}
+
+	_, endpointResourceAccess := user.EndpointAuthorizations[portainer.EndpointID(transport.endpoint.ID)][portainer.EndpointResourcesAccess]
+
+	return endpointResourceAccess, nil
+}