From 0fd20277c1b84513c5a700c7f7d7b0e06691265d Mon Sep 17 00:00:00 2001
From: Chaim Lev-Ari
Date: Sun, 25 Feb 2024 11:57:19 +0200
Subject: [PATCH] fix(docker): prevent non admins from passing security settings [EE-6765] (#11239)
---
 .../docker/containers/CreateView/CreateView.tsx | 4 +++-
 app/react/docker/containers/CreateView/InnerForm.tsx | 2 +-
 app/react/hooks/useUser.tsx | 12 +++++++++---
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/app/react/docker/containers/CreateView/CreateView.tsx b/app/react/docker/containers/CreateView/CreateView.tsx
index c9ec67698..04c4d192c 100644
--- a/app/react/docker/containers/CreateView/CreateView.tsx
+++ b/app/react/docker/containers/CreateView/CreateView.tsx
@@ -49,7 +49,9 @@ function CreateForm() {
 const router = useRouter();
 const { trackEvent } = useAnalytics();
 const isAdminQuery = useIsEdgeAdmin();
- const { authorized: isEnvironmentAdmin } = useIsEnvironmentAdmin();
+ const { authorized: isEnvironmentAdmin } = useIsEnvironmentAdmin({
+ adminOnlyCE: true,
+ });
 const [isDockerhubRateLimited, setIsDockerhubRateLimited] = useState(false);
 const mutation = useCreateOrReplaceMutation();
diff --git a/app/react/docker/containers/CreateView/InnerForm.tsx b/app/react/docker/containers/CreateView/InnerForm.tsx
index 0c208902e..e39dbc932 100644
--- a/app/react/docker/containers/CreateView/InnerForm.tsx
+++ b/app/react/docker/containers/CreateView/InnerForm.tsx
@@ -41,7 +41,7 @@ export function InnerForm({
 const environmentId = useEnvironmentId();
 const [tab, setTab] = useState('commands');
 const apiVersion = useApiVersion(environmentId);
- const isEnvironmentAdminQuery = useIsEnvironmentAdmin();
+ const isEnvironmentAdminQuery = useIsEnvironmentAdmin({ adminOnlyCE: true });
 const envQuery = useCurrentEnvironment();
 if (!envQuery.data) {
diff --git a/app/react/hooks/useUser.tsx b/app/react/hooks/useUser.tsx
index ceac5a7ce..04df8f195 100644
--- a/app/react/hooks/useUser.tsx
+++ b/app/react/hooks/useUser.tsx
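Review bot: The stricter CE check is opt-in at each call site: `useIsEnvironmentAdmin({ adminOnlyCE: true })` has to be passed here in CreateForm and again in InnerForm.tsx, so any other caller of `useIsEnvironmentAdmin()` that gates a privileged option keeps the permissive result, which in CE appears to be `true` for every user given the `hasAuthorizations` change in useUser.tsx. A comment on the call such as `// adminOnlyCE: in CE only admins may set security options; UI gate only, the API must reject them too` would record why the flag is needed. This hook only controls what the form shows and submits, so the restriction should also be enforced by the backend, which is not visible in this patch. CreateForm's body continues outside the hunk.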
@@ -98,17 +98,17 @@ export function useAuthorizations(
 params: { endpointId },
 } = useCurrentStateAndParams();
 const envQuery = useEnvironment(forceEnvironmentId || endpointId);
- const isAdmin = useIsEdgeAdmin({ forceEnvironmentId });
+ const isAdminQuery = useIsEdgeAdmin({ forceEnvironmentId });
 if (!user) {
 return { authorized: false, isLoading: false };
 }
- if (envQuery.isLoading) {
+ if (envQuery.isLoading || isAdminQuery.isLoading) {
 return { authorized: false, isLoading: true };
 }
- if (isAdmin) {
+ if (isAdminQuery.isAdmin) {
 return { authorized: true, isLoading: false };
 }
@@ -138,12 +138,18 @@ export function useIsEnvironmentAdmin({
 /**
 * will return true if the user has the authorizations. assumes the user is authenticated and not an admin
+ *
+ * @private Please use `useAuthorizations` instead. Exported only for angular's authentication service app/portainer/services/authentication.js:154
 */
 export function hasAuthorizations(
 user: User,
 authorizations: string | string[],
 environmentId?: EnvironmentId
 ) {
+ if (!isBE) {
+ return true;
+ }
+
 const authorizationsArray =
 typeof authorizations === 'string' ? [authorizations] : authorizations;
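Review bot: In the first hunk, `useAuthorizations` reports `authorized: false` while `envQuery` or `isAdminQuery` is still loading, which is the safe default, but nothing tells callers that a `false` here may be transient. CreateView.tsx destructures only `authorized` from `useIsEnvironmentAdmin`, so if that hook forwards this result an admin is briefly treated as a non-admin. I would add a comment above the loading check, `// fail closed: not authorized until both the environment and admin queries have resolved`, and mention `isLoading` in the hook's doc comment. The function starts and ends outside the hunk.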
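Review bot: In the second hunk, the new `if (!isBE) { return true; }` makes `hasAuthorizations` grant every authorization to every user in CE before `user`, `authorizations` or `environmentId` are looked at, yet the doc comment still reads "will return true if the user has the authorizations". Callers, including the Angular service the `@private` tag mentions, get a fail-open answer in CE unless they separately apply an admin check such as `adminOnlyCE`. The doc comment should say so, for example `* In CE there is no RBAC, so this always returns true; gate admin-only features with an explicit admin check.` The `authentication.js:154` line reference in the `@private` tag will go stale; naming the file alone is enough. The function body continues past the hunk.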