feat(extensions): remove rbac extension (#4157)

* feat(extensions): remove rbac extension client code * feat(extensions): remove server rbac code * remove extensions code * fix(notifications): remove error * feat(extensions): remove authorizations service * feat(rbac): deprecate fields * fix(portainer): revert change * fix(bouncer): remove rbac authorization check * feat(sidebar): remove roles link * fix(portainer): remove portainer module
2025-07-25 08:19:40 +02:00 · 2020-08-11 08:41:37 +03:00 · 2020-08-11 08:41:37 +03:00 · 9d18d47194
commit 9d18d47194
parent 8629738e34
117 changed files with 98 additions and 3487 deletions
--- a/api/http/proxy/factory/docker/transport.go
+++ b/api/http/proxy/factory/docker/transport.go
@ -12,7 +12,6 @@ import (

 	"github.com/docker/docker/client"
 	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/docker"
 	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
 	"github.com/portainer/portainer/api/http/security"
@ -402,16 +401,6 @@ func (transport *Transport) restrictedResourceOperation(request *http.Request, r
 	}

 	if tokenData.Role != portainer.AdministratorRole {
-		rbacExtension, err := transport.dataStore.Extension().Extension(portainer.RBACExtension)
-		if err != nil && err != bolterrors.ErrObjectNotFound {
-			return nil, err
-		}
-
-		user, err := transport.dataStore.User().User(tokenData.ID)
-		if err != nil {
-			return nil, err
-		}
-
 		if volumeBrowseRestrictionCheck {
 			settings, err := transport.dataStore.Settings().Settings()
 			if err != nil {
@ -419,28 +408,10 @@ func (transport *Transport) restrictedResourceOperation(request *http.Request, r
 			}

 			if !settings.AllowVolumeBrowserForRegularUsers {
-				if rbacExtension == nil {
-					return responseutils.WriteAccessDeniedResponse()
-				}
-
-				// Return access denied for all roles except endpoint-administrator
-				_, userCanBrowse := user.EndpointAuthorizations[transport.endpoint.ID][portainer.OperationDockerAgentBrowseList]
-				if !userCanBrowse {
-					return responseutils.WriteAccessDeniedResponse()
-				}
+				return responseutils.WriteAccessDeniedResponse()
 			}
 		}

-		endpointResourceAccess := false
-		_, ok := user.EndpointAuthorizations[transport.endpoint.ID][portainer.EndpointResourcesAccess]
-		if ok {
-			endpointResourceAccess = true
-		}
-
-		if rbacExtension != nil && endpointResourceAccess {
-			return transport.executeDockerRequest(request)
-		}
-
 		teamMemberships, err := transport.dataStore.TeamMembership().TeamMembershipsByUserID(tokenData.ID)
 		if err != nil {
 			return nil, err
@ -713,25 +684,5 @@ func (transport *Transport) isAdminOrEndpointAdmin(request *http.Request) (bool,
 		return false, err
 	}

-	if tokenData.Role == portainer.AdministratorRole {
-		return true, nil
-	}
-
-	user, err := transport.dataStore.User().User(tokenData.ID)
-	if err != nil {
-		return false, err
-	}
-
-	rbacExtension, err := transport.dataStore.Extension().Extension(portainer.RBACExtension)
-	if err != nil && err != bolterrors.ErrObjectNotFound {
-		return false, err
-	}
-
-	if rbacExtension == nil {
-		return false, nil
-	}
-
-	_, endpointResourceAccess := user.EndpointAuthorizations[portainer.EndpointID(transport.endpoint.ID)][portainer.EndpointResourcesAccess]
-
-	return endpointResourceAccess, nil
+	return tokenData.Role == portainer.AdministratorRole, nil
 }