fix(api): update restricted volume browsing operation logic (#3798)

* fix(api): prevent a potential panic

* fix(api): update restricted volume browsing operation logic
pull/3796/head^2
Anthony Lapenna 2020-05-12 16:08:01 +12:00 committed by GitHub
parent 5c274f5b0c
commit 29c0584454
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 5 deletions


@ -158,7 +158,7 @@ func (transport *Transport) applyAccessControlOnResource(parameters *resourceOpe
return responseutils.RewriteResponse(response, responseObject, http.StatusOK) return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
} }
if executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess || portainer.UserCanAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl) { if executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess || (resourceControl != nil && portainer.UserCanAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl)) {
responseObject = decorateObject(responseObject, resourceControl) responseObject = decorateObject(responseObject, resourceControl)
return responseutils.RewriteResponse(response, responseObject, http.StatusOK) return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
} }
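Review bot: The nil guard on `resourceControl` is added only at this call site in `applyAccessControlOnResource`, so any other caller that passes a nil control to `portainer.UserCanAccessResource` could still hit the same panic (inferred, since the helper's body is not shown here). Consider putting the check at the top of the helper itself, e.g. `if resourceControl == nil { return false }`, so the deny-by-default behaviour holds for every caller. It would also help to state the intent above the condition, for example `// no resource control: only admins and users with endpoint-level access get the object`. What happens when the condition is false lies outside this hunk, so confirm that path denies rather than returning the undecorated object.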


@ -171,11 +171,13 @@ func (transport *Transport) proxyAgentRequest(r *http.Request) (*http.Response,
switch { switch {
case strings.HasPrefix(requestPath, "/browse"): case strings.HasPrefix(requestPath, "/browse"):
// host file browser request
volumeIDParameter, found := r.URL.Query()["volumeID"] volumeIDParameter, found := r.URL.Query()["volumeID"]
if !found || len(volumeIDParameter) < 1 { if !found || len(volumeIDParameter) < 1 {
return transport.administratorOperation(r) return transport.administratorOperation(r)
} }
// volume browser request
return transport.restrictedResourceOperation(r, volumeIDParameter[0], portainer.VolumeResourceControl, true) return transport.restrictedResourceOperation(r, volumeIDParameter[0], portainer.VolumeResourceControl, true)
} }
@ -443,10 +445,16 @@ func (transport *Transport) restrictedResourceOperation(request *http.Request, r
return nil, err return nil, err
} }
// Return access denied for all roles except endpoint-administrator if !settings.AllowVolumeBrowserForRegularUsers {
_, userCanBrowse := user.EndpointAuthorizations[transport.endpoint.ID][portainer.OperationDockerAgentBrowseList] if rbacExtension == nil {
if rbacExtension != nil && !settings.AllowVolumeBrowserForRegularUsers && !userCanBrowse { return responseutils.WriteAccessDeniedResponse()
return responseutils.WriteAccessDeniedResponse() }
// Return access denied for all roles except endpoint-administrator
_, userCanBrowse := user.EndpointAuthorizations[transport.endpoint.ID][portainer.OperationDockerAgentBrowseList]
if !userCanBrowse {
return responseutils.WriteAccessDeniedResponse()
}
} }
} }
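Review bot: In the `/browse` case of `proxyAgentRequest`, a `volumeID` key with an empty value still counts as a volume browser request, because a key returned by `r.URL.Query()` always has at least one element and `len(volumeIDParameter) < 1` therefore only tests presence. The new comments make the host/volume split explicit, so the condition should match it: `if !found || len(volumeIDParameter) < 1 || volumeIDParameter[0] == "" {` would keep an empty ID on the administrator-only path. How the agent treats an empty `volumeID` is not visible here, so treat this as hardening to confirm against the agent's handler. In `restrictedResourceOperation`, the two denial branches could also be merged into `if rbacExtension == nil || !userCanBrowse`, with a comment that a missing RBAC extension means there are no per-endpoint authorizations to consult. Both functions start and end outside the visible hunks.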