fix(service-details): prevent regular users from using bind mounts (#1778)

2018-03-29 18:41:47 +11:00 · 2018-03-29 18:41:47 +11:00 · 8d32703456
parent eca39b11a8
commit 8d32703456
2 changed files with 15 additions and 6 deletions
--- a/app/docker/views/services/edit/includes/mounts.html
+++ b/app/docker/views/services/edit/includes/mounts.html
@ -14,7 +14,7 @@
      <table class="table" >
        <thead>
          <tr>
-            <th>Type</th>
+            <th ng-if="isAdmin || allowBindMounts">Type</th>
            <th>Source</th>
            <th>Target</th>
            <th>Read only</th>
@ -23,14 +23,17 @@
        </thead>
        <tbody>
          <tr ng-repeat="mount in service.ServiceMounts">
-            <td>
+            <td ng-if="isAdmin || allowBindMounts">
              <select name="mountType" class="form-control" ng-model="mount.Type" ng-disabled="isUpdating">
                <option value="volume">Volume</option>
                <option value="bind">Bind</option>
              </select>
            </td>
            <td>
-              <input type="text" class="form-control" ng-model="mount.Source" placeholder="e.g. /tmp/portainer/data" ng-change="updateMount(service, mount)" ng-disabled="isUpdating">
+              <select class="form-control" ng-model="mount.Source" ng-options="vol.Id|truncate:30 as vol.Id for vol in availableVolumes" ng-if="mount.Type === 'volume'">
+                <option selected disabled hidden value="">Select a volume</option>
+              </select>
+              <input type="text" class="form-control" ng-model="mount.Source" placeholder="e.g. /tmp/portainer/data" ng-change="updateMount(service, mount)" ng-disabled="isUpdating || (!isAdmin && !allowBindMounts && mount.Type === 'bind')" ng-if="mount.Type === 'bind'">
            </td>
            <td>
              <input type="text" class="form-control" ng-model="mount.Target" placeholder="e.g. /tmp/portainer/data" ng-change="updateMount(service, mount)" ng-disabled="isUpdating">
--- a/app/docker/views/services/edit/serviceController.js
+++ b/app/docker/views/services/edit/serviceController.js
@ -1,6 +1,6 @@
 angular.module('portainer.docker')
-.controller('ServiceController', ['$q', '$scope', '$transition$', '$state', '$location', '$timeout', '$anchorScroll', 'ServiceService', 'ConfigService', 'ConfigHelper', 'SecretService', 'ImageService', 'SecretHelper', 'Service', 'ServiceHelper', 'LabelHelper', 'TaskService', 'NodeService', 'Notifications', 'ModalService', 'PluginService',
-function ($q, $scope, $transition$, $state, $location, $timeout, $anchorScroll, ServiceService, ConfigService, ConfigHelper, SecretService, ImageService, SecretHelper, Service, ServiceHelper, LabelHelper, TaskService, NodeService, Notifications, ModalService, PluginService) {
+.controller('ServiceController', ['$q', '$scope', '$transition$', '$state', '$location', '$timeout', '$anchorScroll', 'ServiceService', 'ConfigService', 'ConfigHelper', 'SecretService', 'ImageService', 'SecretHelper', 'Service', 'ServiceHelper', 'LabelHelper', 'TaskService', 'NodeService', 'Notifications', 'ModalService', 'PluginService', 'Authentication', 'SettingsService', 'VolumeService',
+function ($q, $scope, $transition$, $state, $location, $timeout, $anchorScroll, ServiceService, ConfigService, ConfigHelper, SecretService, ImageService, SecretHelper, Service, ServiceHelper, LabelHelper, TaskService, NodeService, Notifications, ModalService, PluginService, Authentication, SettingsService, VolumeService) {

  $scope.state = {
    updateInProgress: false,
@ -423,12 +423,14 @@ function ($q, $scope, $transition$, $state, $location, $timeout, $anchorScroll,
      originalService = angular.copy(service);

      return $q.all({
+        volumes: VolumeService.volumes(),
        tasks: TaskService.tasks({ service: [service.Name] }),
        nodes: NodeService.nodes(),
        secrets: apiVersion >= 1.25 ? SecretService.secrets() : [],
        configs: apiVersion >= 1.30 ? ConfigService.configs() : [],
        availableImages: ImageService.images(),
-        availableLoggingDrivers: PluginService.loggingPlugins(apiVersion < 1.25)
+        availableLoggingDrivers: PluginService.loggingPlugins(apiVersion < 1.25),
+        settings: SettingsService.publicSettings()
      });
    })
    .then(function success(data) {
@ -438,6 +440,10 @@ function ($q, $scope, $transition$, $state, $location, $timeout, $anchorScroll,
      $scope.secrets = data.secrets;
      $scope.availableImages = ImageService.getUniqueTagListFromImages(data.availableImages);
      $scope.availableLoggingDrivers = data.availableLoggingDrivers;
+      $scope.availableVolumes = data.volumes;
+      $scope.allowBindMounts = data.settings.AllowBindMountsForRegularUsers;
+      var userDetails = Authentication.getUserDetails();
+      $scope.isAdmin = userDetails.role === 1;

      // Set max cpu value
      var maxCpus = 0;