From d75a8027a5a22c4bdb50e214ecdda8a8fbd48b0e Mon Sep 17 00:00:00 2001
From: Dakota Walsh <101994734+dakota-portainer@users.noreply.github.com>
Date: Tue, 5 Sep 2023 09:17:55 +1200
Subject: [PATCH] fix(security): block user access policies for non admins
 EE-5826 (#10243)

---
 api/http/security/filter.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/api/http/security/filter.go b/api/http/security/filter.go
index 3852bac76..a847dd71b 100644
--- a/api/http/security/filter.go
+++ b/api/http/security/filter.go
@@ -100,6 +100,7 @@ func FilterEndpoints(endpoints []portainer.Endpoint, groups []portainer.Endpoint
 		endpointGroup := getAssociatedGroup(&endpoint, groups)
 
 		if AuthorizedEndpointAccess(&endpoint, endpointGroup, context.UserID, context.UserMemberships) {
+			endpoint.UserAccessPolicies = nil
 			endpoints[n] = endpoint
 			n++
 		}