feat(UAC): change default ownership to admininstrators (#2137)

* #960 feat(UAC): change ownership to admins for externally created ressources

* feat(UAC): change ownership to admins for externally created resources

Deprecated AdministratorsOnly js and go backend

* #960 feat(UAC): remove AdministratorsOnly property and minor GUI  fixes

Update swagger definition changing AdministratorsOnly to Public

* #960 feat(UAC): fix create resource with access control data

* #960 feat(UAC): authorization of non-admin users for restricted operations

On stacks, containers networks, services , tasks and volumes.

* #960 feat(UAC): database migration to version 14

 The administrator resources are deleted and Public resources are now managed by admins

* #960 feat(UAC):  small fixes from PR #2137

* #960 feat(UAC): improve the readability of the source code

* feat(UAC) fix displayed ownership for Swarm related  resources  (#960)

app/docker/components/datatables/configs-datatable/configsDatatable.html

@@ -63,7 +63,7 @@
               <td ng-if="$ctrl.showOwnershipColumn">
                 <span>
                   <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                 </span>
               </td>
             </tr>

app/docker/components/datatables/containers-datatable/containersDatatable.html

@@ -244,7 +244,7 @@
               <td ng-if="$ctrl.showOwnershipColumn" ng-show="$ctrl.columnVisibility.columns.ownership.display">
                 <span>
                   <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                 </span>
               </td>
             </tr>

app/docker/components/datatables/networks-datatable/networksDatatable.html

@@ -111,7 +111,7 @@
               <td ng-if="$ctrl.showOwnershipColumn">
                 <span>
                   <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                 </span>
               </td>
             </tr>

app/docker/components/datatables/secrets-datatable/secretsDatatable.html

@@ -63,7 +63,7 @@
               <td ng-if="$ctrl.showOwnershipColumn">
                 <span>
                   <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                 </span>
               </td>
             </tr>

app/docker/components/datatables/services-datatable/servicesDatatable.html

@@ -118,7 +118,7 @@
               <td ng-if="$ctrl.showOwnershipColumn">
                 <span>
                   <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                 </span>
               </td>
             </tr>

app/docker/components/datatables/volumes-datatable/volumesDatatable.html

@@ -115,7 +115,7 @@
               <td ng-if="$ctrl.showOwnershipColumn">
                 <span>
                   <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                 </span>
               </td>
             </tr>

app/docker/views/containers/edit/containerController.js

@@ -285,7 +285,7 @@ function ($q, $scope, $state, $transition$, $filter, Commit, ContainerHelper, Co
       var teams = resourceControl.TeamAccesses.map(function(t) {
         return t.TeamId;
       });
-      return ResourceControlService.createResourceControl(resourceControl.AdministratorsOnly, users, teams, containerIdentifier, 'container', []);
+      return ResourceControlService.createResourceControl(resourceControl.Public, users, teams, containerIdentifier, 'container', []);
     }
 
     function notifyAndChangeView() {

app/portainer/components/accessControlPanel/porAccessControlPanel.html

@@ -11,12 +11,12 @@
               <td>
                 <i ng-class="$ctrl.resourceControl.Ownership | ownershipicon" aria-hidden="true" style="margin-right: 2px;"></i>
                 <span ng-if="!$ctrl.resourceControl">
-                  public
-                  <portainer-tooltip message="This resource can be managed by any user with access to this endpoint." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
+                  administrators
+                  <portainer-tooltip message="This resource can only be managed by administrators." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
                 </span>
                 <span ng-if="$ctrl.resourceControl">
                   {{ $ctrl.resourceControl.Ownership }}
-                  <portainer-tooltip ng-if="$ctrl.resourceControl.Ownership === 'administrators'" message="This resource can only be managed by administrators." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
+                  <portainer-tooltip ng-if="$ctrl.resourceControl.Ownership === 'public'" message="This resource can be managed by any user with access to this endpoint." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
                   <portainer-tooltip ng-if="$ctrl.resourceControl.Ownership === 'private'" message="Management of this resource is restricted to a single user." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
                   <portainer-tooltip ng-if="$ctrl.resourceControl.Ownership === 'restricted'" message="This resource can be managed by a restricted set of users and/or teams." position="bottom" style="margin-left: -3px;"></portainer-tooltip>
                 </span>

app/portainer/components/accessControlPanel/porAccessControlPanelController.js

@@ -12,7 +12,7 @@ function ($q, $state, UserService, TeamService, ResourceControlService, Notifica
   };
 
   ctrl.formValues = {
-    Ownership: 'public',
+    Ownership: 'administrators',
     Ownership_Users: [],
     Ownership_Teams: []
   };
@@ -51,7 +51,7 @@ function ($q, $state, UserService, TeamService, ResourceControlService, Notifica
     return true;
   }
 
-  function processOwnershipFormValues() {
+  function processOwnershipFormValues() {    
     var userIds = [];
     angular.forEach(ctrl.formValues.Ownership_Users, function(user) {
       userIds.push(user.Id);
@@ -60,13 +60,14 @@ function ($q, $state, UserService, TeamService, ResourceControlService, Notifica
     angular.forEach(ctrl.formValues.Ownership_Teams, function(team) {
       teamIds.push(team.Id);
     });
-    var administratorsOnly = ctrl.formValues.Ownership === 'administrators' ? true : false;
+
+    var publicOnly = ctrl.formValues.Ownership === 'public' ? true : false;
 
     return {
       ownership: ctrl.formValues.Ownership,
-      authorizedUserIds: administratorsOnly ? [] : userIds,
-      authorizedTeamIds: administratorsOnly ? [] : teamIds,
-      administratorsOnly: administratorsOnly
+      authorizedUserIds: publicOnly ? [] : userIds,
+      authorizedTeamIds: publicOnly ? [] : teamIds,
+      publicOnly: publicOnly
     };
   }
 
@@ -96,12 +97,13 @@ function ($q, $state, UserService, TeamService, ResourceControlService, Notifica
       if (resourceControl) {
         ctrl.formValues.Ownership = resourceControl.Ownership === 'private' ? 'restricted' : resourceControl.Ownership;
       } else {
-        ctrl.formValues.Ownership = 'public';
+        ctrl.formValues.Ownership = 'administrators';
       }
     } else {
-      ctrl.formValues.Ownership = 'public';
+      ctrl.formValues.Ownership = 'administrators';
     }
 
+
     ResourceControlService.retrieveOwnershipDetails(resourceControl)
     .then(function success(data) {
       ctrl.authorizedUsers = data.authorizedUsers;

app/portainer/components/datatables/stacks-datatable/stacksDatatable.html

@@ -70,7 +70,7 @@
               <td ng-if="$ctrl.showOwnershipColumn">
                 <span>
                   <i ng-class="item.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'public' }}
+                  {{ item.ResourceControl.Ownership ? item.ResourceControl.Ownership : item.ResourceControl.Ownership = 'administrators' }}
                 </span>
               </td>
             </tr>

app/portainer/models/resourceControl.js

@@ -4,16 +4,18 @@ function ResourceControlViewModel(data) {
   this.ResourceId = data.ResourceId;
   this.UserAccesses = data.UserAccesses;
   this.TeamAccesses = data.TeamAccesses;
-  this.AdministratorsOnly = data.AdministratorsOnly;
+  this.Public = data.Public;
   this.Ownership = determineOwnership(this);
 }
 
 function determineOwnership(resourceControl) {
-  if (resourceControl.AdministratorsOnly) {
-    return 'administrators';
+  if (resourceControl.Public) {
+    return 'public';
   } else if (resourceControl.UserAccesses.length === 1 && resourceControl.TeamAccesses.length === 0) {
     return 'private';
   } else if (resourceControl.UserAccesses.length > 1 || resourceControl.TeamAccesses.length > 0) {
     return 'restricted';
+  } else {
+    return 'administrators';
   }
 }

app/portainer/services/api/resourceControlService.js

@@ -3,10 +3,10 @@ angular.module('portainer.app')
   'use strict';
   var service = {};
 
-  service.createResourceControl = function(administratorsOnly, userIDs, teamIDs, resourceID, type, subResourceIDs) {
+  service.createResourceControl = function(publicOnly, userIDs, teamIDs, resourceID, type, subResourceIDs) {
     var payload = {
       Type: type,
-      AdministratorsOnly: administratorsOnly,
+      Public: publicOnly,
       ResourceID: resourceID,
       Users: userIDs,
       Teams: teamIDs,
@@ -19,9 +19,9 @@ angular.module('portainer.app')
     return ResourceControl.remove({id: rcID}).$promise;
   };
 
-  service.updateResourceControl = function(admin, userIDs, teamIDs, resourceControlId) {
+  service.updateResourceControl = function(publicOnly, userIDs, teamIDs, resourceControlId) {
     var payload = {
-      AdministratorsOnly: admin,
+      Public: publicOnly,
       Users: userIDs,
       Teams: teamIDs
     };
@@ -30,15 +30,15 @@ angular.module('portainer.app')
 
   service.applyResourceControl = function(resourceControlType, resourceIdentifier, userId, accessControlData, subResources) {
     if (!accessControlData.AccessControlEnabled) {
-      return;
+      accessControlData.Ownership = 'public';
     }
 
     var authorizedUserIds = [];
     var authorizedTeamIds = [];
-    var administratorsOnly = false;
+    var publicOnly = false;
     switch (accessControlData.Ownership) {
-      case 'administrators':
-        administratorsOnly = true;
+      case 'public':
+        publicOnly = true;
         break;
       case 'private':
         authorizedUserIds.push(userId);
@@ -51,21 +51,23 @@ angular.module('portainer.app')
           authorizedTeamIds.push(team.Id);
         });
         break;
-    }
-    return service.createResourceControl(administratorsOnly, authorizedUserIds,
+      default:
+        return;  
+      }
+    return service.createResourceControl(publicOnly, authorizedUserIds,
       authorizedTeamIds, resourceIdentifier, resourceControlType, subResources);
   };
 
-  service.applyResourceControlChange = function(resourceControlType, resourceId, resourceControl, ownershipParameters) {
+  service.applyResourceControlChange = function(resourceControlType, resourceId, resourceControl, ownershipParameters) {    
     if (resourceControl) {
-      if (ownershipParameters.ownership === 'public') {
+      if (ownershipParameters.ownership === 'administrators') {
         return service.deleteResourceControl(resourceControl.Id);
       } else {
-        return service.updateResourceControl(ownershipParameters.administratorsOnly, ownershipParameters.authorizedUserIds,
+        return service.updateResourceControl(ownershipParameters.publicOnly, ownershipParameters.authorizedUserIds,
           ownershipParameters.authorizedTeamIds, resourceControl.Id);
       }
     } else {
-        return service.createResourceControl(ownershipParameters.administratorsOnly, ownershipParameters.authorizedUserIds,
+        return service.createResourceControl(ownershipParameters.publicOnly, ownershipParameters.authorizedUserIds,
           ownershipParameters.authorizedTeamIds, resourceId, resourceControlType);
     }
   };