feat(settings): add settings management (#906)

2025-07-25 08:19:40 +02:00 · 2017-06-01 10:14:55 +02:00 · 2017-06-01 10:14:55 +02:00 · c7e306841a
commit c7e306841a
parent 5e74a3993b
93 changed files with 1086 additions and 457 deletions
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@ -18,6 +18,7 @@ type Handler struct {
 	TeamMembershipHandler *TeamMembershipHandler
 	EndpointHandler       *EndpointHandler
 	ResourceHandler       *ResourceHandler
+	StatusHandler         *StatusHandler
 	SettingsHandler       *SettingsHandler
 	TemplatesHandler      *TemplatesHandler
 	DockerHandler         *DockerHandler
@ -53,6 +54,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.StripPrefix("/api", h.ResourceHandler).ServeHTTP(w, r)
 	} else if strings.HasPrefix(r.URL.Path, "/api/settings") {
 		http.StripPrefix("/api", h.SettingsHandler).ServeHTTP(w, r)
+	} else if strings.HasPrefix(r.URL.Path, "/api/status") {
+		http.StripPrefix("/api", h.StatusHandler).ServeHTTP(w, r)
 	} else if strings.HasPrefix(r.URL.Path, "/api/templates") {
 		http.StripPrefix("/api", h.TemplatesHandler).ServeHTTP(w, r)
 	} else if strings.HasPrefix(r.URL.Path, "/api/upload") {
--- a/api/http/handler/settings.go
+++ b/api/http/handler/settings.go
@ -1,6 +1,9 @@
 package handler

 import (
+	"encoding/json"
+
+	"github.com/asaskevich/govalidator"
 	"github.com/portainer/portainer"
 	httperror "github.com/portainer/portainer/http/error"
 	"github.com/portainer/portainer/http/security"
@ -12,32 +15,69 @@ import (
 	"github.com/gorilla/mux"
 )

-// SettingsHandler represents an HTTP API handler for managing settings.
+// SettingsHandler represents an HTTP API handler for managing Settings.
 type SettingsHandler struct {
 	*mux.Router
-	Logger   *log.Logger
-	settings *portainer.Settings
+	Logger          *log.Logger
+	SettingsService portainer.SettingsService
 }

-// NewSettingsHandler returns a new instance of SettingsHandler.
-func NewSettingsHandler(bouncer *security.RequestBouncer, settings *portainer.Settings) *SettingsHandler {
+// NewSettingsHandler returns a new instance of OldSettingsHandler.
+func NewSettingsHandler(bouncer *security.RequestBouncer) *SettingsHandler {
 	h := &SettingsHandler{
-		Router:   mux.NewRouter(),
-		Logger:   log.New(os.Stderr, "", log.LstdFlags),
-		settings: settings,
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
 	}
 	h.Handle("/settings",
-		bouncer.PublicAccess(http.HandlerFunc(h.handleGetSettings)))
+		bouncer.PublicAccess(http.HandlerFunc(h.handleGetSettings))).Methods(http.MethodGet)
+	h.Handle("/settings",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePutSettings))).Methods(http.MethodPut)

 	return h
 }

 // handleGetSettings handles GET requests on /settings
 func (handler *SettingsHandler) handleGetSettings(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodGet {
-		httperror.WriteMethodNotAllowedResponse(w, []string{http.MethodGet})
+	settings, err := handler.SettingsService.Settings()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}

-	encodeJSON(w, handler.settings, handler.Logger)
+	encodeJSON(w, settings, handler.Logger)
+	return
+}
+
+// handlePutSettings handles PUT requests on /settings
+func (handler *SettingsHandler) handlePutSettings(w http.ResponseWriter, r *http.Request) {
+	var req putSettingsRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	settings := &portainer.Settings{
+		TemplatesURL:                req.TemplatesURL,
+		LogoURL:                     req.LogoURL,
+		BlackListedLabels:           req.BlackListedLabels,
+		DisplayExternalContributors: req.DisplayExternalContributors,
+	}
+
+	err = handler.SettingsService.StoreSettings(settings)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+	}
+}
+
+type putSettingsRequest struct {
+	TemplatesURL                string           `valid:"required"`
+	LogoURL                     string           `valid:""`
+	BlackListedLabels           []portainer.Pair `valid:""`
+	DisplayExternalContributors bool             `valid:""`
 }
--- a/api/http/handler/status.go
+++ b/api/http/handler/status.go
@ -0,0 +1,38 @@
+package handler
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/security"
+
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/gorilla/mux"
+)
+
+// StatusHandler represents an HTTP API handler for managing Status.
+type StatusHandler struct {
+	*mux.Router
+	Logger *log.Logger
+	Status *portainer.Status
+}
+
+// NewStatusHandler returns a new instance of StatusHandler.
+func NewStatusHandler(bouncer *security.RequestBouncer, status *portainer.Status) *StatusHandler {
+	h := &StatusHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+		Status: status,
+	}
+	h.Handle("/status",
+		bouncer.PublicAccess(http.HandlerFunc(h.handleGetStatus))).Methods(http.MethodGet)
+
+	return h
+}
+
+// handleGetStatus handles GET requests on /status
+func (handler *StatusHandler) handleGetStatus(w http.ResponseWriter, r *http.Request) {
+	encodeJSON(w, handler.Status, handler.Logger)
+	return
+}
--- a/api/http/handler/templates.go
+++ b/api/http/handler/templates.go
@ -7,6 +7,7 @@ import (
 	"os"

 	"github.com/gorilla/mux"
+	"github.com/portainer/portainer"
 	httperror "github.com/portainer/portainer/http/error"
 	"github.com/portainer/portainer/http/security"
 )
@ -14,8 +15,8 @@ import (
 // TemplatesHandler represents an HTTP API handler for managing templates.
 type TemplatesHandler struct {
 	*mux.Router
-	Logger                *log.Logger
-	containerTemplatesURL string
+	Logger          *log.Logger
+	SettingsService portainer.SettingsService
 }

 const (
@ -23,11 +24,10 @@ const (
 )

 // NewTemplatesHandler returns a new instance of TemplatesHandler.
-func NewTemplatesHandler(bouncer *security.RequestBouncer, containerTemplatesURL string) *TemplatesHandler {
+func NewTemplatesHandler(bouncer *security.RequestBouncer) *TemplatesHandler {
 	h := &TemplatesHandler{
-		Router:                mux.NewRouter(),
-		Logger:                log.New(os.Stderr, "", log.LstdFlags),
-		containerTemplatesURL: containerTemplatesURL,
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
 	}
 	h.Handle("/templates",
 		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handleGetTemplates)))
@ -49,7 +49,12 @@ func (handler *TemplatesHandler) handleGetTemplates(w http.ResponseWriter, r *ht

 	var templatesURL string
 	if key == "containers" {
-		templatesURL = handler.containerTemplatesURL
+		settings, err := handler.SettingsService.Settings()
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+			return
+		}
+		templatesURL = settings.TemplatesURL
 	} else if key == "linuxserver.io" {
 		templatesURL = containerTemplatesURLLinuxServerIo
 	} else {
--- a/api/http/proxy/containers.go
+++ b/api/http/proxy/containers.go
@ -15,7 +15,7 @@ const (

 // containerListOperation extracts the response as a JSON object, loop through the containers array
 // decorate and/or filter the containers based on resource controls before rewriting the response
-func containerListOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func containerListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
 	var err error
 	// ContainerList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
@ -24,22 +24,30 @@ func containerListOperation(request *http.Request, response *http.Response, oper
 		return err
 	}

-	if operationContext.isAdmin {
-		responseArray, err = decorateContainerList(responseArray, operationContext.resourceControls)
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateContainerList(responseArray, executor.operationContext.resourceControls)
 	} else {
-		responseArray, err = filterContainerList(responseArray, operationContext.resourceControls, operationContext.userID, operationContext.userTeamIDs)
+		responseArray, err = filterContainerList(responseArray, executor.operationContext.resourceControls,
+			executor.operationContext.userID, executor.operationContext.userTeamIDs)
 	}
 	if err != nil {
 		return err
 	}

+	if executor.labelBlackList != nil {
+		responseArray, err = filterContainersWithBlackListedLabels(responseArray, executor.labelBlackList)
+		if err != nil {
+			return err
+		}
+	}
+
 	return rewriteResponse(response, responseArray, http.StatusOK)
 }

 // containerInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the container based on resource control (check are done based on the containerID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated container.
-func containerInspectOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func containerInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
 	// ContainerInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
 	responseObject, err := getResponseAsJSONOBject(response)
@ -52,9 +60,10 @@ func containerInspectOperation(request *http.Request, response *http.Response, o
 	}
 	containerID := responseObject[containerIdentifier].(string)

-	resourceControl := getResourceControlByResourceID(containerID, operationContext.resourceControls)
+	resourceControl := getResourceControlByResourceID(containerID, executor.operationContext.resourceControls)
 	if resourceControl != nil {
-		if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
+		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID,
+			executor.operationContext.userTeamIDs, resourceControl) {
 			responseObject = decorateObject(responseObject, resourceControl)
 		} else {
 			return rewriteAccessDeniedResponse(response)
@ -64,9 +73,10 @@ func containerInspectOperation(request *http.Request, response *http.Response, o
 	containerLabels := extractContainerLabelsFromContainerInspectObject(responseObject)
 	if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
 		serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(serviceID, operationContext.resourceControls)
+		resourceControl := getResourceControlByResourceID(serviceID, executor.operationContext.resourceControls)
 		if resourceControl != nil {
-			if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
+			if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID,
+				executor.operationContext.userTeamIDs, resourceControl) {
 				responseObject = decorateObject(responseObject, resourceControl)
 			} else {
 				return rewriteAccessDeniedResponse(response)
--- a/api/http/proxy/factory.go
+++ b/api/http/proxy/factory.go
@ -13,6 +13,7 @@ import (
 type proxyFactory struct {
 	ResourceControlService portainer.ResourceControlService
 	TeamMembershipService  portainer.TeamMembershipService
+	SettingsService        portainer.SettingsService
 }

 func (factory *proxyFactory) newHTTPProxy(u *url.URL) http.Handler {
@ -37,6 +38,7 @@ func (factory *proxyFactory) newSocketProxy(path string) http.Handler {
 	transport := &proxyTransport{
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
+		SettingsService:        factory.SettingsService,
 		dockerTransport:        newSocketTransport(path),
 	}
 	proxy.Transport = transport
@ -48,6 +50,7 @@ func (factory *proxyFactory) createReverseProxy(u *url.URL) *httputil.ReversePro
 	transport := &proxyTransport{
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
+		SettingsService:        factory.SettingsService,
 		dockerTransport:        newHTTPTransport(),
 	}
 	proxy.Transport = transport
--- a/api/http/proxy/filter.go
+++ b/api/http/proxy/filter.go
@ -65,6 +65,27 @@ func filterContainerList(containerData []interface{}, resourceControls []portain
 	return filteredContainerData, nil
 }

+// filterContainersWithLabels loops through a list of containers, and filters containers that do not contains
+// any labels in the labels black list.
+func filterContainersWithBlackListedLabels(containerData []interface{}, labelBlackList []portainer.Pair) ([]interface{}, error) {
+	filteredContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+		containerObject := container.(map[string]interface{})
+
+		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+		if containerLabels != nil {
+			if !containerHasBlackListedLabel(containerLabels, labelBlackList) {
+				filteredContainerData = append(filteredContainerData, containerObject)
+			}
+		} else {
+			filteredContainerData = append(filteredContainerData, containerObject)
+		}
+	}
+
+	return filteredContainerData, nil
+}
+
 // filterServiceList loops through all services, filters services without any resource control (public resources) or with
 // any resource control giving access to the user (these services will be decorated).
 // Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
--- a/api/http/proxy/manager.go
+++ b/api/http/proxy/manager.go
@ -15,12 +15,13 @@ type Manager struct {
 }

 // NewManager initializes a new proxy Service
-func NewManager(resourceControlService portainer.ResourceControlService, teamMembershipService portainer.TeamMembershipService) *Manager {
+func NewManager(resourceControlService portainer.ResourceControlService, teamMembershipService portainer.TeamMembershipService, settingsService portainer.SettingsService) *Manager {
 	return &Manager{
 		proxies: cmap.New(),
 		proxyFactory: &proxyFactory{
 			ResourceControlService: resourceControlService,
 			TeamMembershipService:  teamMembershipService,
+			SettingsService:        settingsService,
 		},
 	}
 }
--- a/api/http/proxy/service.go
+++ b/api/http/proxy/service.go
@ -14,7 +14,7 @@ const (

 // serviceListOperation extracts the response as a JSON array, loop through the service array
 // decorate and/or filter the services based on resource controls before rewriting the response
-func serviceListOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func serviceListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
 	var err error
 	// ServiceList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
@ -23,10 +23,10 @@ func serviceListOperation(request *http.Request, response *http.Response, operat
 		return err
 	}

-	if operationContext.isAdmin {
-		responseArray, err = decorateServiceList(responseArray, operationContext.resourceControls)
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateServiceList(responseArray, executor.operationContext.resourceControls)
 	} else {
-		responseArray, err = filterServiceList(responseArray, operationContext.resourceControls, operationContext.userID, operationContext.userTeamIDs)
+		responseArray, err = filterServiceList(responseArray, executor.operationContext.resourceControls, executor.operationContext.userID, executor.operationContext.userTeamIDs)
 	}
 	if err != nil {
 		return err
@ -38,7 +38,7 @@ func serviceListOperation(request *http.Request, response *http.Response, operat
 // serviceInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the service based on resource control and either rewrite an access denied response
 // or a decorated service.
-func serviceInspectOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func serviceInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
 	// ServiceInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
 	responseObject, err := getResponseAsJSONOBject(response)
@ -51,9 +51,9 @@ func serviceInspectOperation(request *http.Request, response *http.Response, ope
 	}
 	serviceID := responseObject[serviceIdentifier].(string)

-	resourceControl := getResourceControlByResourceID(serviceID, operationContext.resourceControls)
+	resourceControl := getResourceControlByResourceID(serviceID, executor.operationContext.resourceControls)
 	if resourceControl != nil {
-		if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
+		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl) {
 			responseObject = decorateObject(responseObject, resourceControl)
 		} else {
 			return rewriteAccessDeniedResponse(response)
--- a/api/http/proxy/transport.go
+++ b/api/http/proxy/transport.go
@ -15,6 +15,7 @@ type (
 		dockerTransport        *http.Transport
 		ResourceControlService portainer.ResourceControlService
 		TeamMembershipService  portainer.TeamMembershipService
+		SettingsService        portainer.SettingsService
 	}
 	restrictedOperationContext struct {
 		isAdmin          bool
@ -22,7 +23,11 @@ type (
 		userTeamIDs      []portainer.TeamID
 		resourceControls []portainer.ResourceControl
 	}
-	restrictedOperationRequest func(*http.Request, *http.Response, *restrictedOperationContext) error
+	operationExecutor struct {
+		operationContext *restrictedOperationContext
+		labelBlackList   []portainer.Pair
+	}
+	restrictedOperationRequest func(*http.Request, *http.Response, *operationExecutor) error
 )

 func newSocketTransport(socketPath string) *http.Transport {
@ -60,7 +65,6 @@ func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Respon
 }

 func (p *proxyTransport) proxyContainerRequest(request *http.Request) (*http.Response, error) {
-	// return p.executeDockerRequest(request)
 	switch requestPath := request.URL.Path; requestPath {
 	case "/containers/create":
 		return p.executeDockerRequest(request)
@ -69,7 +73,7 @@ func (p *proxyTransport) proxyContainerRequest(request *http.Request) (*http.Res
 		return p.administratorOperation(request)

 	case "/containers/json":
-		return p.rewriteOperation(request, containerListOperation)
+		return p.rewriteOperationWithLabelFiltering(request, containerListOperation)

 	default:
 		// This section assumes /containers/**
@ -96,9 +100,6 @@ func (p *proxyTransport) proxyServiceRequest(request *http.Request) (*http.Respo
 	case "/services/create":
 		return p.executeDockerRequest(request)

-	case "/volumes/prune":
-		return p.administratorOperation(request)
-
 	case "/services":
 		return p.rewriteOperation(request, serviceListOperation)

@ -177,9 +178,69 @@ func (p *proxyTransport) restrictedOperation(request *http.Request, resourceID s
 	return p.executeDockerRequest(request)
 }

+// rewriteOperation will create a new operation context with data that will be used
+// to decorate the original request's response as well as retrieve all the black listed labels
+// to filter the resources.
+func (p *proxyTransport) rewriteOperationWithLabelFiltering(request *http.Request, operation restrictedOperationRequest) (*http.Response, error) {
+	operationContext, err := p.createOperationContext(request)
+	if err != nil {
+		return nil, err
+	}
+
+	settings, err := p.SettingsService.Settings()
+	if err != nil {
+		return nil, err
+	}
+
+	executor := &operationExecutor{
+		operationContext: operationContext,
+		labelBlackList:   settings.BlackListedLabels,
+	}
+
+	return p.executeRequestAndRewriteResponse(request, operation, executor)
+}
+
 // rewriteOperation will create a new operation context with data that will be used
 // to decorate the original request's response.
 func (p *proxyTransport) rewriteOperation(request *http.Request, operation restrictedOperationRequest) (*http.Response, error) {
+	operationContext, err := p.createOperationContext(request)
+	if err != nil {
+		return nil, err
+	}
+
+	executor := &operationExecutor{
+		operationContext: operationContext,
+	}
+
+	return p.executeRequestAndRewriteResponse(request, operation, executor)
+}
+
+func (p *proxyTransport) executeRequestAndRewriteResponse(request *http.Request, operation restrictedOperationRequest, executor *operationExecutor) (*http.Response, error) {
+	response, err := p.executeDockerRequest(request)
+	if err != nil {
+		return response, err
+	}
+
+	err = operation(request, response, executor)
+	return response, err
+}
+
+// administratorOperation ensures that the user has administrator privileges
+// before executing the original request.
+func (p *proxyTransport) administratorOperation(request *http.Request) (*http.Response, error) {
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return nil, err
+	}
+
+	if tokenData.Role != portainer.AdministratorRole {
+		return writeAccessDeniedResponse()
+	}
+
+	return p.executeDockerRequest(request)
+}
+
+func (p *proxyTransport) createOperationContext(request *http.Request) (*restrictedOperationContext, error) {
 	var err error
 	tokenData, err := security.RetrieveTokenData(request)
 	if err != nil {
@ -212,26 +273,5 @@ func (p *proxyTransport) rewriteOperation(request *http.Request, operation restr
 		operationContext.userTeamIDs = userTeamIDs
 	}

-	response, err := p.executeDockerRequest(request)
-	if err != nil {
-		return response, err
-	}
-
-	err = operation(request, response, operationContext)
-	return response, err
-}
-
-// administratorOperation ensures that the user has administrator privileges
-// before executing the original request.
-func (p *proxyTransport) administratorOperation(request *http.Request) (*http.Response, error) {
-	tokenData, err := security.RetrieveTokenData(request)
-	if err != nil {
-		return nil, err
-	}
-
-	if tokenData.Role != portainer.AdministratorRole {
-		return writeAccessDeniedResponse()
-	}
-
-	return p.executeDockerRequest(request)
+	return operationContext, nil
 }
--- a/api/http/proxy/utils.go
+++ b/api/http/proxy/utils.go
@ -15,3 +15,18 @@ func getResourceControlByResourceID(resourceID string, resourceControls []portai
 	}
 	return nil
 }
+
+func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelBlackList []portainer.Pair) bool {
+	for key, value := range containerLabels {
+		labelName := key
+		labelValue := value.(string)
+
+		for _, blackListedLabel := range labelBlackList {
+			if blackListedLabel.Name == labelName && blackListedLabel.Value == labelValue {
+				return true
+			}
+		}
+	}
+
+	return false
+}
--- a/api/http/proxy/volumes.go
+++ b/api/http/proxy/volumes.go
@ -14,7 +14,7 @@ const (

 // volumeListOperation extracts the response as a JSON object, loop through the volume array
 // decorate and/or filter the volumes based on resource controls before rewriting the response
-func volumeListOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func volumeListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
 	var err error
 	// VolumeList response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
@ -28,10 +28,10 @@ func volumeListOperation(request *http.Request, response *http.Response, operati
 	if responseObject["Volumes"] != nil {
 		volumeData := responseObject["Volumes"].([]interface{})

-		if operationContext.isAdmin {
-			volumeData, err = decorateVolumeList(volumeData, operationContext.resourceControls)
+		if executor.operationContext.isAdmin {
+			volumeData, err = decorateVolumeList(volumeData, executor.operationContext.resourceControls)
 		} else {
-			volumeData, err = filterVolumeList(volumeData, operationContext.resourceControls, operationContext.userID, operationContext.userTeamIDs)
+			volumeData, err = filterVolumeList(volumeData, executor.operationContext.resourceControls, executor.operationContext.userID, executor.operationContext.userTeamIDs)
 		}
 		if err != nil {
 			return err
@ -47,7 +47,7 @@ func volumeListOperation(request *http.Request, response *http.Response, operati
 // volumeInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the volume based on resource control and either rewrite an access denied response
 // or a decorated volume.
-func volumeInspectOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func volumeInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
 	// VolumeInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
 	responseObject, err := getResponseAsJSONOBject(response)
@ -60,9 +60,9 @@ func volumeInspectOperation(request *http.Request, response *http.Response, oper
 	}
 	volumeID := responseObject[volumeIdentifier].(string)

-	resourceControl := getResourceControlByResourceID(volumeID, operationContext.resourceControls)
+	resourceControl := getResourceControlByResourceID(volumeID, executor.operationContext.resourceControls)
 	if resourceControl != nil {
-		if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
+		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl) {
 			responseObject = decorateObject(responseObject, resourceControl)
 		} else {
 			return rewriteAccessDeniedResponse(response)
--- a/api/http/server.go
+++ b/api/http/server.go
@ -15,16 +15,16 @@ type Server struct {
 	AssetsPath             string
 	AuthDisabled           bool
 	EndpointManagement     bool
+	Status                 *portainer.Status
 	UserService            portainer.UserService
 	TeamService            portainer.TeamService
 	TeamMembershipService  portainer.TeamMembershipService
 	EndpointService        portainer.EndpointService
 	ResourceControlService portainer.ResourceControlService
+	SettingsService        portainer.SettingsService
 	CryptoService          portainer.CryptoService
 	JWTService             portainer.JWTService
 	FileService            portainer.FileService
-	Settings               *portainer.Settings
-	TemplatesURL           string
 	Handler                *handler.Handler
 	SSL                    bool
 	SSLCert                string
@ -34,7 +34,7 @@ type Server struct {
 // Start starts the HTTP server
 func (server *Server) Start() error {
 	requestBouncer := security.NewRequestBouncer(server.JWTService, server.TeamMembershipService, server.AuthDisabled)
-	proxyManager := proxy.NewManager(server.ResourceControlService, server.TeamMembershipService)
+	proxyManager := proxy.NewManager(server.ResourceControlService, server.TeamMembershipService, server.SettingsService)

 	var authHandler = handler.NewAuthHandler(requestBouncer, server.AuthDisabled)
 	authHandler.UserService = server.UserService
@ -51,8 +51,11 @@ func (server *Server) Start() error {
 	teamHandler.TeamMembershipService = server.TeamMembershipService
 	var teamMembershipHandler = handler.NewTeamMembershipHandler(requestBouncer)
 	teamMembershipHandler.TeamMembershipService = server.TeamMembershipService
-	var settingsHandler = handler.NewSettingsHandler(requestBouncer, server.Settings)
-	var templatesHandler = handler.NewTemplatesHandler(requestBouncer, server.TemplatesURL)
+	var statusHandler = handler.NewStatusHandler(requestBouncer, server.Status)
+	var settingsHandler = handler.NewSettingsHandler(requestBouncer)
+	settingsHandler.SettingsService = server.SettingsService
+	var templatesHandler = handler.NewTemplatesHandler(requestBouncer)
+	templatesHandler.SettingsService = server.SettingsService
 	var dockerHandler = handler.NewDockerHandler(requestBouncer)
 	dockerHandler.EndpointService = server.EndpointService
 	dockerHandler.TeamMembershipService = server.TeamMembershipService
@ -77,6 +80,7 @@ func (server *Server) Start() error {
 		EndpointHandler:       endpointHandler,
 		ResourceHandler:       resourceHandler,
 		SettingsHandler:       settingsHandler,
+		StatusHandler:         statusHandler,
 		TemplatesHandler:      templatesHandler,
 		DockerHandler:         dockerHandler,
 		WebSocketHandler:      websocketHandler,