feat(settings): add setting to disable device mapping for regular users (#4017)

* feat(settings): introduce device mapping service

* feat(containers): hide devices field when setting is on

* feat(containers): prevent passing of devices when not allowed

* feat(stacks): prevent non admin from device mapping

* feat(stacks): disallow swarm stack creation for user

* refactor(settings): replace disableDeviceMapping with allow

* fix(stacks): remove check for disable device mappings from swarm

* feat(settings): rename field to disable

* feat(settings): supply default value for disableDeviceMapping

* feat(container): check for endpoint admin
This commit is contained in:
Chaim Lev-Ari
2020-07-13 07:32:56 +03:00
committed by GitHub
parent dffcd3fdfd
commit 5ebb03cb4e
16 changed files with 93 additions and 9 deletions
@@ -30,6 +30,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
'SettingsService',
'PluginService',
'HttpRequestHelper',
'ExtensionService',
function (
$q,
$scope,
@@ -55,7 +56,8 @@ angular.module('portainer.docker').controller('CreateContainerController', [
SystemService,
SettingsService,
PluginService,
HttpRequestHelper
HttpRequestHelper,
ExtensionService
) {
$scope.create = create;
@@ -603,7 +605,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
});
}
function initView() {
async function initView() {
var nodeName = $transition$.params().nodeName;
$scope.formValues.NodeName = nodeName;
HttpRequestHelper.setPortainerAgentTargetHeader(nodeName);
@@ -682,6 +684,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
});
$scope.isAdmin = Authentication.isAdmin();
$scope.showDeviceMapping = await shouldShowDevices();
}
function validateForm(accessControlData, isAdmin) {
@@ -894,6 +897,19 @@ angular.module('portainer.docker').controller('CreateContainerController', [
}
}
async function shouldShowDevices() {
const isAdmin = !$scope.applicationState.application.authentication || Authentication.isAdmin();
const { allowDeviceMappingForRegularUsers } = $scope.applicationState.application;
if (isAdmin || allowDeviceMappingForRegularUsers) {
return true;
}
const rbacEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
if (rbacEnabled) {
return Authentication.hasAuthorizations(['EndpointResourcesAccess']);
}
}
initView();
},
]);