fix(api): add an authenticated access policy to the websocket endpoint (#1979)

* fix(api): add an authenticated access policy to the websocket endpoint

* refactor(api): centralize EndpointAccess validation

* feat(api): validate id query parameter for the /websocket/exec endpoint

api/http/handler/stacks/stack_create.go

@@ -7,7 +7,6 @@ import (
 	"github.com/portainer/portainer"
 	httperror "github.com/portainer/portainer/http/error"
 	"github.com/portainer/portainer/http/request"
-	"github.com/portainer/portainer/http/security"
 )
 
 func (handler *Handler) cleanUp(stack *portainer.Stack, doCleanUp *bool) error {
@@ -47,18 +46,9 @@ func (handler *Handler) stackCreate(w http.ResponseWriter, r *http.Request) *htt
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
 	}
 
-	tokenData, err := security.RetrieveTokenData(r)
+	err = handler.requestBouncer.EndpointAccess(r, endpoint)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user authentication token", err}
-	}
-
-	if tokenData.Role != portainer.AdministratorRole {
-		err = handler.checkEndpointAccess(endpoint, tokenData.ID)
-		if err != nil && err == portainer.ErrEndpointAccessDenied {
-			return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", portainer.ErrEndpointAccessDenied}
-		} else if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify permission to access endpoint", err}
-		}
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", portainer.ErrEndpointAccessDenied}
 	}
 
 	switch portainer.StackType(stackType) {