feat(containers): enforce disable bind mounts (#4110)

* feat(containers): enforce disable bind mounts * refactor(docker): move check for endpoint admin to a function * feat(docker): check if service has bind mounts * feat(services): allow bind mounts for endpoint admin * feat(container): enable bind mounts for endpoint admin * fix(services): fix typo
2025-07-30 10:49:40 +02:00 · 2020-07-29 12:10:46 +03:00 · 2020-07-29 12:10:46 +03:00 · 93d8c179f1
commit 93d8c179f1
parent 7539f09f98
7 changed files with 132 additions and 27 deletions
--- a/app/docker/views/services/create/createServiceController.js
+++ b/app/docker/views/services/create/createServiceController.js
@ -33,6 +33,7 @@ angular.module('portainer.docker').controller('CreateServiceController', [
  'SettingsService',
  'WebhookService',
  'EndpointProvider',
+  'ExtensionService',
  function (
    $q,
    $scope,
@ -58,7 +59,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
    NodeService,
    SettingsService,
    WebhookService,
-    EndpointProvider
+    EndpointProvider,
+    ExtensionService
  ) {
    $scope.formValues = {
      Name: '',
@ -106,6 +108,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
      actionInProgress: false,
    };

+    $scope.allowBindMounts = false;
+
    $scope.refreshSlider = function () {
      $timeout(function () {
        $scope.$broadcast('rzSliderForceRender');
@ -562,8 +566,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
        secrets: apiVersion >= 1.25 ? SecretService.secrets() : [],
        configs: apiVersion >= 1.3 ? ConfigService.configs() : [],
        nodes: NodeService.nodes(),
-        settings: SettingsService.publicSettings(),
        availableLoggingDrivers: PluginService.loggingPlugins(apiVersion < 1.25),
+        allowBindMounts: checkIfAllowedBindMounts(),
      })
        .then(function success(data) {
          $scope.availableVolumes = data.volumes;
@ -572,8 +576,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
          $scope.availableConfigs = data.configs;
          $scope.availableLoggingDrivers = data.availableLoggingDrivers;
          initSlidersMaxValuesBasedOnNodeData(data.nodes);
-          $scope.allowBindMounts = data.settings.AllowBindMountsForRegularUsers;
          $scope.isAdmin = Authentication.isAdmin();
+          $scope.allowBindMounts = data.allowBindMounts;
        })
        .catch(function error(err) {
          Notifications.error('Failure', err, 'Unable to initialize view');
@ -581,5 +585,22 @@ angular.module('portainer.docker').controller('CreateServiceController', [
    }

    initView();
+
+    async function checkIfAllowedBindMounts() {
+      const isAdmin = Authentication.isAdmin();
+
+      const settings = await SettingsService.publicSettings();
+      const { AllowBindMountsForRegularUsers } = settings;
+
+      if (isAdmin || AllowBindMountsForRegularUsers) {
+        return true;
+      }
+      const rbacEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
+      if (rbacEnabled) {
+        return Authentication.hasAuthorizations(['EndpointResourcesAccess']);
+      }
+
+      return false;
+    }
  },
 ]);