github
/
portainer
mirror of https://github.com/portainer/portainer
1
0
Fork 0
Code Issues Releases Wiki Activity

fix(http): update volume browsing validation (#3416)

pull/3423/head
Anthony Lapenna 2019-12-03 10:42:55 +13:00 committed by GitHub
parent c2e1129804
commit badb6ee50f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
api/http/proxy/factory/docker/transport.go
View File

@ -432,22 +432,24 @@ func (transport *Transport) restrictedResourceOperation(request *http.Request, r
return nil, err
}
user, err := transport.userService.User(tokenData.ID)
if err != nil {
return nil, err
}
if volumeBrowseRestrictionCheck {
settings, err := transport.settingsService.Settings()
if err != nil {
return nil, err
}
if rbacExtension != nil && !settings.AllowVolumeBrowserForRegularUsers {
// Return access denied for all roles except endpoint-administrator
_, userCanBrowse := user.EndpointAuthorizations[transport.endpoint.ID][portainer.OperationDockerAgentBrowseList]
if rbacExtension != nil && !settings.AllowVolumeBrowserForRegularUsers && !userCanBrowse {
return responseutils.WriteAccessDeniedResponse()
}
}
user, err := transport.userService.User(tokenData.ID)
if err != nil {
return nil, err
}
endpointResourceAccess := false
_, ok := user.EndpointAuthorizations[transport.endpoint.ID][portainer.EndpointResourcesAccess]
if ok {