feat(settings): add a setting to disable bind mounts for non-admins (#1237)

* feat(settings): add a setting to disable bind mounts for non-admins

* refactor(gruntfile): remove temporary setting

api/bolt/migrate_dbversion4.go

@@ -0,0 +1,16 @@
+package bolt
+
+func (m *Migrator) updateSettingsToVersion5() error {
+	legacySettings, err := m.SettingsService.Settings()
+	if err != nil {
+		return err
+	}
+	legacySettings.AllowBindMountsForRegularUsers = true
+
+	err = m.SettingsService.StoreSettings(legacySettings)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/bolt/migrator.go

@@ -65,6 +65,14 @@ func (m *Migrator) Migrate() error {
 		}
 	}
 
+	// https://github.com/portainer/portainer/issues/1235
+	if m.CurrentDBVersion < 5 {
+		err := m.updateSettingsToVersion5()
+		if err != nil {
+			return err
+		}
+	}
+
 	err := m.VersionService.StoreDBVersion(portainer.DBVersion)
 	if err != nil {
 		return err

api/cmd/portainer/main.go

@@ -125,6 +125,7 @@ func initSettings(settingsService portainer.SettingsService, flags *portainer.CL
 					portainer.LDAPSearchSettings{},
 				},
 			},
+			AllowBindMountsForRegularUsers: true,
 		}
 
 		if *flags.Templates != "" {

api/http/handler/settings.go

@@ -45,18 +45,20 @@ func NewSettingsHandler(bouncer *security.RequestBouncer) *SettingsHandler {
 
 type (
 	publicSettingsResponse struct {
-		LogoURL                     string                         `json:"LogoURL"`
-		DisplayExternalContributors bool                           `json:"DisplayExternalContributors"`
-		AuthenticationMethod        portainer.AuthenticationMethod `json:"AuthenticationMethod"`
+		LogoURL                        string                         `json:"LogoURL"`
+		DisplayExternalContributors    bool                           `json:"DisplayExternalContributors"`
+		AuthenticationMethod           portainer.AuthenticationMethod `json:"AuthenticationMethod"`
+		AllowBindMountsForRegularUsers bool                           `json:"AllowBindMountsForRegularUsers"`
 	}
 
 	putSettingsRequest struct {
-		TemplatesURL                string                 `valid:"required"`
-		LogoURL                     string                 `valid:""`
-		BlackListedLabels           []portainer.Pair       `valid:""`
-		DisplayExternalContributors bool                   `valid:""`
-		AuthenticationMethod        int                    `valid:"required"`
-		LDAPSettings                portainer.LDAPSettings `valid:""`
+		TemplatesURL                   string                 `valid:"required"`
+		LogoURL                        string                 `valid:""`
+		BlackListedLabels              []portainer.Pair       `valid:""`
+		DisplayExternalContributors    bool                   `valid:""`
+		AuthenticationMethod           int                    `valid:"required"`
+		LDAPSettings                   portainer.LDAPSettings `valid:""`
+		AllowBindMountsForRegularUsers bool                   `valid:""`
 	}
 
 	putSettingsLDAPCheckRequest struct {
@@ -85,9 +87,10 @@ func (handler *SettingsHandler) handleGetPublicSettings(w http.ResponseWriter, r
 	}
 
 	publicSettings := &publicSettingsResponse{
-		LogoURL:                     settings.LogoURL,
-		DisplayExternalContributors: settings.DisplayExternalContributors,
-		AuthenticationMethod:        settings.AuthenticationMethod,
+		LogoURL:                        settings.LogoURL,
+		DisplayExternalContributors:    settings.DisplayExternalContributors,
+		AuthenticationMethod:           settings.AuthenticationMethod,
+		AllowBindMountsForRegularUsers: settings.AllowBindMountsForRegularUsers,
 	}
 
 	encodeJSON(w, publicSettings, handler.Logger)
@@ -109,11 +112,12 @@ func (handler *SettingsHandler) handlePutSettings(w http.ResponseWriter, r *http
 	}
 
 	settings := &portainer.Settings{
-		TemplatesURL:                req.TemplatesURL,
-		LogoURL:                     req.LogoURL,
-		BlackListedLabels:           req.BlackListedLabels,
-		DisplayExternalContributors: req.DisplayExternalContributors,
-		LDAPSettings:                req.LDAPSettings,
+		TemplatesURL:                   req.TemplatesURL,
+		LogoURL:                        req.LogoURL,
+		BlackListedLabels:              req.BlackListedLabels,
+		DisplayExternalContributors:    req.DisplayExternalContributors,
+		LDAPSettings:                   req.LDAPSettings,
+		AllowBindMountsForRegularUsers: req.AllowBindMountsForRegularUsers,
 	}
 
 	if req.AuthenticationMethod == 1 {

api/portainer.go

@@ -70,12 +70,13 @@ type (
 
 	// Settings represents the application settings.
 	Settings struct {
-		TemplatesURL                string               `json:"TemplatesURL"`
-		LogoURL                     string               `json:"LogoURL"`
-		BlackListedLabels           []Pair               `json:"BlackListedLabels"`
-		DisplayExternalContributors bool                 `json:"DisplayExternalContributors"`
-		AuthenticationMethod        AuthenticationMethod `json:"AuthenticationMethod"`
-		LDAPSettings                LDAPSettings         `json:"LDAPSettings"`
+		TemplatesURL                   string               `json:"TemplatesURL"`
+		LogoURL                        string               `json:"LogoURL"`
+		BlackListedLabels              []Pair               `json:"BlackListedLabels"`
+		DisplayExternalContributors    bool                 `json:"DisplayExternalContributors"`
+		AuthenticationMethod           AuthenticationMethod `json:"AuthenticationMethod"`
+		LDAPSettings                   LDAPSettings         `json:"LDAPSettings"`
+		AllowBindMountsForRegularUsers bool                 `json:"AllowBindMountsForRegularUsers"`
 	}
 
 	// User represents a user account.
@@ -348,7 +349,7 @@ const (
 	// APIVersion is the version number of the Portainer API.
 	APIVersion = "1.14.2"
 	// DBVersion is the version number of the Portainer database.
-	DBVersion = 4
+	DBVersion = 5
 	// DefaultTemplatesURL represents the default URL for the templates definitions.
 	DefaultTemplatesURL = "https://raw.githubusercontent.com/portainer/templates/master/templates.json"
 )