fix(docker): prevent non admins from passing security settings [EE-6765] (#11239)

9 months ago · 0fd20277c1
parent 988064a542
commit 0fd20277c1
3 changed files with 13 additions and 5 deletions
--- a/app/react/docker/containers/CreateView/CreateView.tsx
+++ b/app/react/docker/containers/CreateView/CreateView.tsx
@ -49,7 +49,9 @@ function CreateForm() {
  const router = useRouter();
  const { trackEvent } = useAnalytics();
  const isAdminQuery = useIsEdgeAdmin();
-  const { authorized: isEnvironmentAdmin } = useIsEnvironmentAdmin();
+  const { authorized: isEnvironmentAdmin } = useIsEnvironmentAdmin({
+    adminOnlyCE: true,
+  });
  const [isDockerhubRateLimited, setIsDockerhubRateLimited] = useState(false);

  const mutation = useCreateOrReplaceMutation();
--- a/app/react/docker/containers/CreateView/InnerForm.tsx
+++ b/app/react/docker/containers/CreateView/InnerForm.tsx
@ -41,7 +41,7 @@ export function InnerForm({
  const environmentId = useEnvironmentId();
  const [tab, setTab] = useState('commands');
  const apiVersion = useApiVersion(environmentId);
-  const isEnvironmentAdminQuery = useIsEnvironmentAdmin();
+  const isEnvironmentAdminQuery = useIsEnvironmentAdmin({ adminOnlyCE: true });
  const envQuery = useCurrentEnvironment();

  if (!envQuery.data) {
--- a/app/react/hooks/useUser.tsx
+++ b/app/react/hooks/useUser.tsx
@ -98,17 +98,17 @@ export function useAuthorizations(
    params: { endpointId },
  } = useCurrentStateAndParams();
  const envQuery = useEnvironment(forceEnvironmentId || endpointId);
-  const isAdmin = useIsEdgeAdmin({ forceEnvironmentId });
+  const isAdminQuery = useIsEdgeAdmin({ forceEnvironmentId });

  if (!user) {
    return { authorized: false, isLoading: false };
  }

-  if (envQuery.isLoading) {
+  if (envQuery.isLoading || isAdminQuery.isLoading) {
    return { authorized: false, isLoading: true };
  }

-  if (isAdmin) {
+  if (isAdminQuery.isAdmin) {
    return { authorized: true, isLoading: false };
  }

@ -138,12 +138,18 @@ export function useIsEnvironmentAdmin({

 /**
 * will return true if the user has the authorizations. assumes the user is authenticated and not an admin
+ *
+ * @private Please use `useAuthorizations` instead. Exported only for angular's authentication service app/portainer/services/authentication.js:154
 */
 export function hasAuthorizations(
  user: User,
  authorizations: string | string[],
  environmentId?: EnvironmentId
 ) {
+  if (!isBE) {
+    return true;
+  }
+
  const authorizationsArray =
    typeof authorizations === 'string' ? [authorizations] : authorizations;