feat(settings): add new settings to disable volume browser (#3239)

* feat(settings): add new settings to disable volume browser

* feat(api): update setting to be compliant with RBAC

* refactor(api): update method comment

* fix(api): remove volume browsing authorizations by default

* feat(settings): rewrite volume management setting description

* feat(settings): rewrite volume management setting tooltip

* Update app/portainer/views/settings/settings.html

Co-Authored-By: William <william.conquest@portainer.io>

api/http/proxy/docker_transport.go

@@ -26,6 +26,7 @@ type (
 		SettingsService        portainer.SettingsService
 		SignatureService       portainer.DigitalSignatureService
 		ReverseTunnelService   portainer.ReverseTunnelService
+		ExtensionService       portainer.ExtensionService
 		endpointIdentifier     portainer.EndpointID
 		endpointType           portainer.EndpointType
 	}
@@ -129,7 +130,8 @@ func (p *proxyTransport) proxyAgentRequest(r *http.Request) (*http.Response, err
 		if !found || len(volumeIDParameter) < 1 {
 			return p.administratorOperation(r)
 		}
-		return p.restrictedOperation(r, volumeIDParameter[0])
+
+		return p.restrictedVolumeBrowserOperation(r, volumeIDParameter[0])
 	}
 
 	return p.executeDockerRequest(r)
@@ -386,6 +388,62 @@ func (p *proxyTransport) restrictedOperation(request *http.Request, resourceID s
 	return p.executeDockerRequest(request)
 }
 
+// restrictedVolumeBrowserOperation is similar to restrictedOperation but adds an extra check on a specific setting
+func (p *proxyTransport) restrictedVolumeBrowserOperation(request *http.Request, resourceID string) (*http.Response, error) {
+	var err error
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return nil, err
+	}
+
+	if tokenData.Role != portainer.AdministratorRole {
+		settings, err := p.SettingsService.Settings()
+		if err != nil {
+			return nil, err
+		}
+
+		_, err = p.ExtensionService.Extension(portainer.RBACExtension)
+		if err == portainer.ErrObjectNotFound && !settings.AllowVolumeBrowserForRegularUsers {
+			return writeAccessDeniedResponse()
+		} else if err != nil && err != portainer.ErrObjectNotFound {
+			return nil, err
+		}
+
+		user, err := p.UserService.User(tokenData.ID)
+		if err != nil {
+			return nil, err
+		}
+
+		endpointResourceAccess := false
+		_, ok := user.EndpointAuthorizations[p.endpointIdentifier][portainer.EndpointResourcesAccess]
+		if ok {
+			endpointResourceAccess = true
+		}
+
+		teamMemberships, err := p.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
+		if err != nil {
+			return nil, err
+		}
+
+		userTeamIDs := make([]portainer.TeamID, 0)
+		for _, membership := range teamMemberships {
+			userTeamIDs = append(userTeamIDs, membership.TeamID)
+		}
+
+		resourceControls, err := p.ResourceControlService.ResourceControls()
+		if err != nil {
+			return nil, err
+		}
+
+		resourceControl := getResourceControlByResourceID(resourceID, resourceControls)
+		if !endpointResourceAccess && (resourceControl == nil || !canUserAccessResource(tokenData.ID, userTeamIDs, resourceControl)) {
+			return writeAccessDeniedResponse()
+		}
+	}
+
+	return p.executeDockerRequest(request)
+}
+
 // rewriteOperationWithLabelFiltering will create a new operation context with data that will be used
 // to decorate the original request's response as well as retrieve all the black listed labels
 // to filter the resources.

api/http/proxy/factory.go

@@ -23,6 +23,7 @@ type proxyFactory struct {
 	DockerHubService       portainer.DockerHubService
 	SignatureService       portainer.DigitalSignatureService
 	ReverseTunnelService   portainer.ReverseTunnelService
+	ExtensionService       portainer.ExtensionService
 }
 
 func (factory *proxyFactory) newHTTPProxy(u *url.URL) http.Handler {
@@ -77,6 +78,7 @@ func (factory *proxyFactory) createDockerReverseProxy(u *url.URL, endpoint *port
 		RegistryService:        factory.RegistryService,
 		DockerHubService:       factory.DockerHubService,
 		ReverseTunnelService:   factory.ReverseTunnelService,
+		ExtensionService:       factory.ExtensionService,
 		dockerTransport:        &http.Transport{},
 		endpointIdentifier:     endpoint.ID,
 		endpointType:           endpoint.Type,

api/http/proxy/factory_local.go

@@ -18,6 +18,7 @@ func (factory *proxyFactory) newLocalProxy(path string, endpoint *portainer.Endp
 		SettingsService:        factory.SettingsService,
 		RegistryService:        factory.RegistryService,
 		DockerHubService:       factory.DockerHubService,
+		ExtensionService:       factory.ExtensionService,
 		dockerTransport:        newSocketTransport(path),
 		ReverseTunnelService:   factory.ReverseTunnelService,
 		endpointIdentifier:     endpoint.ID,

api/http/proxy/factory_local_windows.go

@@ -22,6 +22,7 @@ func (factory *proxyFactory) newLocalProxy(path string, endpoint *portainer.Endp
 		RegistryService:        factory.RegistryService,
 		DockerHubService:       factory.DockerHubService,
 		ReverseTunnelService:   factory.ReverseTunnelService,
+		ExtensionService:       factory.ExtensionService,
 		dockerTransport:        newNamedPipeTransport(path),
 		endpointIdentifier:     endpoint.ID,
 		endpointType:           endpoint.Type,

api/http/proxy/manager.go

@@ -38,6 +38,7 @@ type (
 		DockerHubService       portainer.DockerHubService
 		SignatureService       portainer.DigitalSignatureService
 		ReverseTunnelService   portainer.ReverseTunnelService
+		ExtensionService       portainer.ExtensionService
 	}
 )
 
@@ -56,6 +57,7 @@ func NewManager(parameters *ManagerParams) *Manager {
 			DockerHubService:       parameters.DockerHubService,
 			SignatureService:       parameters.SignatureService,
 			ReverseTunnelService:   parameters.ReverseTunnelService,
+			ExtensionService:       parameters.ExtensionService,
 		},
 		reverseTunnelService: parameters.ReverseTunnelService,
 	}