feat(containers): enforce disable bind mounts (#4110)

* feat(containers): enforce disable bind mounts

* refactor(docker): move check for endpoint admin to a function

* feat(docker): check if service has bind mounts

* feat(services): allow bind mounts for endpoint admin

* feat(container): enable bind mounts for endpoint admin

* fix(services): fix typo

app/docker/views/containers/create/createContainerController.js

@@ -614,6 +614,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
       $scope.isAdmin = Authentication.isAdmin();
       $scope.showDeviceMapping = await shouldShowDevices();
       $scope.areContainerCapabilitiesEnabled = await checkIfContainerCapabilitiesEnabled();
+      $scope.isAdminOrEndpointAdmin = await checkIfAdminOrEndpointAdmin();
 
       Volume.query(
         {},
@@ -678,7 +679,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
 
       SettingsService.publicSettings()
         .then(function success(data) {
-          $scope.allowBindMounts = data.AllowBindMountsForRegularUsers;
+          $scope.allowBindMounts = $scope.isAdminOrEndpointAdmin || data.AllowBindMountsForRegularUsers;
           $scope.allowPrivilegedMode = data.AllowPrivilegedModeForRegularUsers;
         })
         .catch(function error(err) {
@@ -922,6 +923,15 @@ angular.module('portainer.docker').controller('CreateContainerController', [
       return allowContainerCapabilitiesForRegularUsers || isAdminOrEndpointAdmin();
     }
 
+    async function checkIfAdminOrEndpointAdmin() {
+      if (Authentication.isAdmin()) {
+        return true;
+      }
+
+      const rbacEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
+      return rbacEnabled ? Authentication.hasAuthorizations(['EndpointResourcesAccess']) : false;
+    }
+
     initView();
   },
 ]);