From badb6ee50fe976fa23c32de6219b0c7b5578fe08 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna
Date: Tue, 3 Dec 2019 10:42:55 +1300
Subject: [PATCH] fix(http): update volume browsing validation (#3416)

---
 api/http/proxy/factory/docker/transport.go | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/api/http/proxy/factory/docker/transport.go b/api/http/proxy/factory/docker/transport.go
index c4bc33897..469e3f67d 100644
--- a/api/http/proxy/factory/docker/transport.go
+++ b/api/http/proxy/factory/docker/transport.go
@@ -432,22 +432,24 @@ func (transport *Transport) restrictedResourceOperation(request *http.Request, r
 		return nil, err
 	}
 
+	user, err := transport.userService.User(tokenData.ID)
+	if err != nil {
+		return nil, err
+	}
+
 	if volumeBrowseRestrictionCheck {
 		settings, err := transport.settingsService.Settings()
 		if err != nil {
 			return nil, err
 		}
 
-		if rbacExtension != nil && !settings.AllowVolumeBrowserForRegularUsers {
+		// Return access denied for all roles except endpoint-administrator
+		_, userCanBrowse := user.EndpointAuthorizations[transport.endpoint.ID][portainer.OperationDockerAgentBrowseList]
+		if rbacExtension != nil && !settings.AllowVolumeBrowserForRegularUsers && !userCanBrowse {
 			return responseutils.WriteAccessDeniedResponse()
 		}
 	}
 
-	user, err := transport.userService.User(tokenData.ID)
-	if err != nil {
-		return nil, err
-	}
-
 	endpointResourceAccess := false
 	_, ok := user.EndpointAuthorizations[transport.endpoint.ID][portainer.EndpointResourcesAccess]
 	if ok {
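Review bot: The added comment `// Return access denied for all roles except endpoint-administrator` does not describe what the new condition checks: the code denies only when the RBAC extension is present, the global `AllowVolumeBrowserForRegularUsers` setting is off, and the user lacks the `OperationDockerAgentBrowseList` authorization on this endpoint, and it never inspects a role. A comment that matches the gate would be `// Deny browsing unless the global setting allows regular users to browse or the user holds OperationDockerAgentBrowseList on this endpoint`. Note also that `_, userCanBrowse :=` treats mere presence of the key as a grant; if the inner authorization map stores booleans (not visible here), an explicit false entry would still pass, so reading the value instead of the ok flag may be the safer form — the existing `_, ok := ...EndpointResourcesAccess` lookup below the hunk has the same shape, so this should be confirmed against the map's value type rather than assumed. The enclosing restrictedResourceOperation starts before and continues past this hunk.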