diff --git a/api/http/proxy/factory/docker/access_control.go b/api/http/proxy/factory/docker/access_control.go
index 00b2c9693..fda598cce 100644
--- a/api/http/proxy/factory/docker/access_control.go
+++ b/api/http/proxy/factory/docker/access_control.go
@@ -155,11 +155,11 @@ func (transport *Transport) applyAccessControlOnResource(parameters *resourceOpe
 		return err
 	}
 
-	if resourceControl == nil && (executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess) {
+	if resourceControl == nil && (executor.operationContext.isAdmin) {
 		return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
 	}
 
-	if executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess || (resourceControl != nil && authorization.UserCanAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl)) {
+	if executor.operationContext.isAdmin || (resourceControl != nil && authorization.UserCanAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl)) {
 		responseObject = decorateObject(responseObject, resourceControl)
 		return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
 	}
@@ -168,7 +168,7 @@ func (transport *Transport) applyAccessControlOnResource(parameters *resourceOpe
 }
 
 func (transport *Transport) applyAccessControlOnResourceList(parameters *resourceOperationParameters, resourceData []interface{}, executor *operationExecutor) ([]interface{}, error) {
-	if executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess {
+	if executor.operationContext.isAdmin {
 		return transport.decorateResourceList(parameters, resourceData, executor.operationContext.resourceControls)
 	}
 
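Review bot: The first guard in applyAccessControlOnResource keeps a now-pointless pair of parentheses around `executor.operationContext.isAdmin`, left behind when the `|| endpointResourceAccess` operand was removed; `if resourceControl == nil && executor.operationContext.isAdmin {` is the gofmt-clean form (gofmt does not strip them for you). This is also the hunk that closes the blanket bypass: a non-admin whose account carried the old endpoint-resource authorization now only passes the second condition when a resource control names them or one of their teams via `authorization.UserCanAccessResource`, and otherwise falls through to whatever the function returns after the hunk (its tail is outside it). A short comment above the first guard would record that intent for the next reader: `// Resources with no resource control are visible to administrators only.`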
@@ -241,13 +241,13 @@ func (transport *Transport) filterResourceList(parameters *resourceOperationPara
 		}
 
 		if resourceControl == nil {
-			if context.isAdmin || context.endpointResourceAccess {
+			if context.isAdmin {
 				filteredResourceData = append(filteredResourceData, resourceObject)
 			}
 			continue
 		}
 
-		if context.isAdmin || context.endpointResourceAccess || authorization.UserCanAccessResource(context.userID, context.userTeamIDs, resourceControl) {
+		if context.isAdmin || authorization.UserCanAccessResource(context.userID, context.userTeamIDs, resourceControl) {
 			resourceObject = decorateObject(resourceObject, resourceControl)
 			filteredResourceData = append(filteredResourceData, resourceObject)
 		}
diff --git a/api/http/proxy/factory/docker/transport.go b/api/http/proxy/factory/docker/transport.go
index af8251cc6..bb49bfa4b 100644
--- a/api/http/proxy/factory/docker/transport.go
+++ b/api/http/proxy/factory/docker/transport.go
@@ -43,11 +43,10 @@ type (
 	}
 
 	restrictedDockerOperationContext struct {
-		isAdmin                bool
-		endpointResourceAccess bool
-		userID                 portainer.UserID
-		userTeamIDs            []portainer.TeamID
-		resourceControls       []portainer.ResourceControl
+		isAdmin          bool
+		userID           portainer.UserID
+		userTeamIDs      []portainer.TeamID
+		resourceControls []portainer.ResourceControl
 	}
 
 	operationExecutor struct {
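Review bot: In filterResourceList the `resourceControl == nil` branch now silently drops every unlabelled resource for a non-admin caller, which is the right fail-closed default but is not obvious from the bare `if context.isAdmin {`; a comment such as `// No resource control on this resource: only administrators may see it, everyone else has it filtered out.` would stop a future maintainer from "fixing" it back into a pass-through. The second condition is now the only way a non-admin gets a resource through this filter, so it is worth stating next to it that `authorization.UserCanAccessResource` is the sole authority for that decision. The function starts before the hunk.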
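Review bot: restrictedDockerOperationContext still carries no field documentation, and after this hunk `isAdmin` is the single flag that short-circuits every resource-control check in the proxy, so its contract deserves a comment: `// isAdmin bypasses all resource-control checks; it is set only from the administrator role carried by the token.` The other three fields would benefit from one line each saying they feed `authorization.UserCanAccessResource` for non-admin callers. The enclosing `type (` block starts before the hunk and continues after it.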
@@ -650,25 +649,14 @@ func (transport *Transport) createOperationContext(request *http.Request) (*rest
 	}
 
 	operationContext := &restrictedDockerOperationContext{
-		isAdmin:                true,
-		userID:                 tokenData.ID,
-		resourceControls:       resourceControls,
-		endpointResourceAccess: false,
+		isAdmin:          true,
+		userID:           tokenData.ID,
+		resourceControls: resourceControls,
 	}
 
 	if tokenData.Role != portainer.AdministratorRole {
 		operationContext.isAdmin = false
 
-		user, err := transport.dataStore.User().User(operationContext.userID)
-		if err != nil {
-			return nil, err
-		}
-
-		_, ok := user.EndpointAuthorizations[transport.endpoint.ID][portainer.EndpointResourcesAccess]
-		if ok {
-			operationContext.endpointResourceAccess = true
-		}
-
 		teamMemberships, err := transport.dataStore.TeamMembership().TeamMembershipsByUserID(tokenData.ID)
 		if err != nil {
 			return nil, err
diff --git a/app/portainer/components/datatables/stacks-datatable/stacksDatatableController.js b/app/portainer/components/datatables/stacks-datatable/stacksDatatableController.js
index e5f8f1252..94b0ec0f4 100644
--- a/app/portainer/components/datatables/stacks-datatable/stacksDatatableController.js
+++ b/app/portainer/components/datatables/stacks-datatable/stacksDatatableController.js
@@ -23,7 +23,7 @@ angular.module('portainer.app').controller('StacksDatatableController', [
         return false;
       }
 
-      return !(item.External && !this.isAdmin && !this.isEndpointAdmin);
+      return !(item.External && !this.isAdmin);
     };
 
     this.applyFilters = applyFilters.bind(this);
@@ -41,7 +41,6 @@ angular.module('portainer.app').controller('StacksDatatableController', [
 
     this.$onInit = function () {
       this.isAdmin = Authentication.isAdmin();
-      this.isEndpointAdmin = Authentication.hasAuthorizations(['EndpointResourcesAccess']);
       this.setDefaults();
       this.prepareTableFromDataset();
 
diff --git a/app/portainer/models/user.js b/app/portainer/models/user.js
index dbd31cfef..e86be99f0 100644
--- a/app/portainer/models/user.js
+++ b/app/portainer/models/user.js
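Review bot: Removing the `transport.dataStore.User().User(...)` lookup in createOperationContext also removes the only step in this function that confirmed the token's subject still exists in the store; a still-valid JWT for an account deleted after login now yields a non-admin context built from `TeamMembershipsByUserID` alone instead of an error. That is most likely fail-closed, because the access-control hunks in this same diff grant a non-admin nothing without a matching resource control, but if the intent was to keep rejecting such tokens at the proxy a cheap existence check can stay: `if _, err := transport.dataStore.User().User(tokenData.ID); err != nil { return nil, err }`. Either way the behaviour change deserves a sentence in the commit description. createOperationContext begins and ends outside the hunk.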
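Review bot: The simplified predicate in stacksDatatableController still reads as a double negation; `return !item.External || this.isAdmin;` is equivalent by De Morgan and states the rule directly, that external stacks are selectable only by administrators. A one-line comment above it, `// External stacks can only be selected by administrators.`, would make the security intent explicit now that the endpoint-admin exception is gone. The enclosing function starts before the hunk.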
@@ -2,8 +2,6 @@ export function UserViewModel(data) {
   this.Id = data.Id;
   this.Username = data.Username;
   this.Role = data.Role;
-  this.EndpointAuthorizations = data.EndpointAuthorizations;
-  this.PortainerAuthorizations = data.PortainerAuthorizations;
   if (data.Role === 1) {
     this.RoleName = 'administrator';
   } else {
diff --git a/app/portainer/services/authentication.js b/app/portainer/services/authentication.js
index c7e2af29a..80638cf72 100644
--- a/app/portainer/services/authentication.js
+++ b/app/portainer/services/authentication.js
@@ -7,8 +7,7 @@ angular.module('portainer.app').factory('Authentication', [
   'LocalStorage',
   'StateManager',
   'EndpointProvider',
-  'UserService',
-  function AuthenticationFactory($async, $state, Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider, UserService) {
+  function AuthenticationFactory($async, $state, Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
     'use strict';
 
     var service = {};
@@ -21,7 +20,6 @@ angular.module('portainer.app').factory('Authentication', [
     service.isAuthenticated = isAuthenticated;
     service.getUserDetails = getUserDetails;
     service.isAdmin = isAdmin;
-    service.hasAuthorizations = hasAuthorizations;
 
     async function initAsync() {
       try {
@@ -81,19 +79,12 @@ angular.module('portainer.app').factory('Authentication', [
       return user;
     }
 
-    async function retrievePermissions() {
-      const data = await UserService.user(user.ID);
-      user.endpointAuthorizations = data.EndpointAuthorizations;
-      user.portainerAuthorizations = data.PortainerAuthorizations;
-    }
-
     async function setUser(jwt) {
       LocalStorage.storeJWT(jwt);
       var tokenPayload = jwtHelper.decodeToken(jwt);
       user.username = tokenPayload.username;
       user.ID = tokenPayload.id;
       user.role = tokenPayload.role;
-      await retrievePermissions();
     }
 
     function isAdmin() {
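Review bot: `EndpointProvider` is still injected into AuthenticationFactory although the only use of it visible in this diff, `EndpointProvider.endpointID()`, lived in the `hasAuthorizations` function the commit deletes; if no other reference remains in the rest of the file, it should be dropped from both the dependency string list and the factory signature, exactly as `UserService` was. Leaving a dead injection behind keeps a dependency edge the injector still has to resolve and hides the fact that this service no longer needs any endpoint context. The factory definition starts before the hunk and continues after it.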
@@ -103,23 +94,6 @@ angular.module('portainer.app').factory('Authentication', [
       return false;
     }
 
-    function hasAuthorizations(authorizations) {
-      const endpointId = EndpointProvider.endpointID();
-      if (isAdmin()) {
-        return true;
-      }
-      if (!user.endpointAuthorizations || (user.endpointAuthorizations && !user.endpointAuthorizations[endpointId])) {
-        return false;
-      }
-      for (var i = 0; i < authorizations.length; i++) {
-        var authorization = authorizations[i];
-        if (user.endpointAuthorizations[endpointId][authorization]) {
-          return true;
-        }
-      }
-      return false;
-    }
-
     return service;
   },
 ]);