From 3e2fdb1891e81a8e4c5c8beb60e45f07c8ecae52 Mon Sep 17 00:00:00 2001 From: andres-portainer <91705312+andres-portainer@users.noreply.github.com> Date: Wed, 14 Jan 2026 12:25:50 -0300 Subject: [PATCH] fix(swarm): fix environment security checks BE-12541 (#1666) --- api/stacks/deployments/deployment_compose_config.go | 9 +-------- api/stacks/deployments/deployment_swarm_config.go | 5 ++--- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/api/stacks/deployments/deployment_compose_config.go b/api/stacks/deployments/deployment_compose_config.go index a4fdbcbdc..b51497d14 100644 --- a/api/stacks/deployments/deployment_compose_config.go +++ b/api/stacks/deployments/deployment_compose_config.go @@ -79,14 +79,7 @@ func (config *ComposeStackDeploymentConfig) Deploy() error { securitySettings := &config.endpoint.SecuritySettings - if (!securitySettings.AllowBindMountsForRegularUsers || - !securitySettings.AllowPrivilegedModeForRegularUsers || - !securitySettings.AllowHostNamespaceForRegularUsers || - !securitySettings.AllowDeviceMappingForRegularUsers || - !securitySettings.AllowSysctlSettingForRegularUsers || - !securitySettings.AllowContainerCapabilitiesForRegularUsers) && - !isAdminOrEndpointAdmin { - + if !isAdminOrEndpointAdmin { if err := stackutils.ValidateStackFiles(config.stack, securitySettings, config.FileService); err != nil { return err } diff --git a/api/stacks/deployments/deployment_swarm_config.go b/api/stacks/deployments/deployment_swarm_config.go index 4c2f7d832..f178c8fcf 100644 --- a/api/stacks/deployments/deployment_swarm_config.go +++ b/api/stacks/deployments/deployment_swarm_config.go @@ -78,9 +78,8 @@ func (config *SwarmStackDeploymentConfig) Deploy() error { settings := &config.endpoint.SecuritySettings - if !settings.AllowBindMountsForRegularUsers && !isAdminOrEndpointAdmin { - err = stackutils.ValidateStackFiles(config.stack, settings, config.FileService) - if err != nil { + if !isAdminOrEndpointAdmin { + if err := stackutils.ValidateStackFiles(config.stack, settings, config.FileService); err != nil { return err } }