fix(api): add an authenticated access policy to the websocket endpoint (#1979)

* fix(api): add an authenticated access policy to the websocket endpoint

* refactor(api): centralize EndpointAccess validation

* feat(api): validate id query parameter for the /websocket/exec endpoint

api/http/handler/stacks/handler.go

@@ -14,13 +14,12 @@ import (
 type Handler struct {
 	stackCreationMutex *sync.Mutex
 	stackDeletionMutex *sync.Mutex
+	requestBouncer     *security.RequestBouncer
 	*mux.Router
 	FileService            portainer.FileService
 	GitService             portainer.GitService
 	StackService           portainer.StackService
 	EndpointService        portainer.EndpointService
-	EndpointGroupService   portainer.EndpointGroupService
-	TeamMembershipService  portainer.TeamMembershipService
 	ResourceControlService portainer.ResourceControlService
 	RegistryService        portainer.RegistryService
 	DockerHubService       portainer.DockerHubService
@@ -34,6 +33,7 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		Router:             mux.NewRouter(),
 		stackCreationMutex: &sync.Mutex{},
 		stackDeletionMutex: &sync.Mutex{},
+		requestBouncer:     bouncer,
 	}
 	h.Handle("/stacks",
 		bouncer.RestrictedAccess(httperror.LoggerHandler(h.stackCreate))).Methods(http.MethodPost)
@@ -49,21 +49,3 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		bouncer.RestrictedAccess(httperror.LoggerHandler(h.stackFile))).Methods(http.MethodGet)
 	return h
 }
-
-func (handler *Handler) checkEndpointAccess(endpoint *portainer.Endpoint, userID portainer.UserID) error {
-	memberships, err := handler.TeamMembershipService.TeamMembershipsByUserID(userID)
-	if err != nil {
-		return err
-	}
-
-	group, err := handler.EndpointGroupService.EndpointGroup(endpoint.GroupID)
-	if err != nil {
-		return err
-	}
-
-	if !security.AuthorizedEndpointAccess(endpoint, group, userID, memberships) {
-		return portainer.ErrEndpointAccessDenied
-	}
-
-	return nil
-}