Portainer
/
portainer
mirror of https://github.com/portainer/portainer.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix(ui): check for authorization [EE-6733] (#11208)

pull/11229/head
Chaim Lev-Ari 2024-02-20 11:06:09 +02:00 committed by GitHub
parent 5932c78b88
commit 76fdfeaafc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
16 changed files with 40 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/react/docker/containers/CreateView/CreateView.tsx
View File

@ -49,7 +49,7 @@ function CreateForm() {
const router = useRouter(); const router = useRouter();
const { trackEvent } = useAnalytics(); const { trackEvent } = useAnalytics();
const isAdminQuery = useIsEdgeAdmin(); const isAdminQuery = useIsEdgeAdmin();
const isEnvironmentAdmin = useIsEnvironmentAdmin(); const { authorized: isEnvironmentAdmin } = useIsEnvironmentAdmin();
const [isDockerhubRateLimited, setIsDockerhubRateLimited] = useState(false); const [isDockerhubRateLimited, setIsDockerhubRateLimited] = useState(false);
const mutation = useCreateOrReplaceMutation(); const mutation = useCreateOrReplaceMutation();

10
app/react/docker/containers/CreateView/InnerForm.tsx
View File

@ -41,7 +41,7 @@ export function InnerForm({
const environmentId = useEnvironmentId(); const environmentId = useEnvironmentId();
const [tab, setTab] = useState('commands'); const [tab, setTab] = useState('commands');
const apiVersion = useApiVersion(environmentId); const apiVersion = useApiVersion(environmentId);
const isEnvironmentAdmin = useIsEnvironmentAdmin(); const isEnvironmentAdminQuery = useIsEnvironmentAdmin();
const envQuery = useCurrentEnvironment(); const envQuery = useCurrentEnvironment();
if (!envQuery.data) { if (!envQuery.data) {
@ -102,7 +102,7 @@ export function InnerForm({
} }
errors={errors.volumes} errors={errors.volumes}
allowBindMounts={ allowBindMounts={
isEnvironmentAdmin.authorized || isEnvironmentAdminQuery.authorized ||
environment.SecuritySettings environment.SecuritySettings
.allowBindMountsForRegularUsers .allowBindMountsForRegularUsers
} }
@ -166,18 +166,18 @@ export function InnerForm({
setFieldValue(`resources.${field}`, value) setFieldValue(`resources.${field}`, value)
} }
allowPrivilegedMode={ allowPrivilegedMode={
isEnvironmentAdmin.authorized || isEnvironmentAdminQuery.authorized ||
environment.SecuritySettings environment.SecuritySettings
.allowPrivilegedModeForRegularUsers .allowPrivilegedModeForRegularUsers
} }
isDevicesFieldVisible={ isDevicesFieldVisible={
isEnvironmentAdmin.authorized || isEnvironmentAdminQuery.authorized ||
environment.SecuritySettings environment.SecuritySettings
.allowDeviceMappingForRegularUsers .allowDeviceMappingForRegularUsers
} }
isInitFieldVisible={apiVersion >= 1.37} isInitFieldVisible={apiVersion >= 1.37}
isSysctlFieldVisible={ isSysctlFieldVisible={
isEnvironmentAdmin.authorized || isEnvironmentAdminQuery.authorized ||
environment.SecuritySettings environment.SecuritySettings
.allowSysctlSettingForRegularUsers .allowSysctlSettingForRegularUsers
} }

2
app/react/docker/containers/ItemView/ContainerNetworksDatatable/ConnectNetworkForm.tsx
View File

@ -25,7 +25,7 @@ export function ConnectNetworkForm({
selectedNetworks: string[]; selectedNetworks: string[];
}) { }) {
const environmentId = useEnvironmentId(); const environmentId = useEnvironmentId();
const authorized = useAuthorizations('DockerNetworkConnect'); const { authorized } = useAuthorizations('DockerNetworkConnect');
const connectMutation = useConnectContainerMutation(environmentId); const connectMutation = useConnectContainerMutation(environmentId);
const router = useRouter(); const router = useRouter();
if (!authorized) { if (!authorized) {

9
app/react/docker/containers/ListView/ContainersDatatable/ContainersDatatableActions.tsx
View File

@ -68,7 +68,7 @@ export function ContainersDatatableActions({
].includes(item.Status) ].includes(item.Status)
); );
const isAuthorized = useAuthorizations([ const { authorized } = useAuthorizations([
'DockerContainerStart', 'DockerContainerStart',
'DockerContainerStop', 'DockerContainerStop',
'DockerContainerKill', 'DockerContainerKill',
@ -81,12 +81,12 @@ export function ContainersDatatableActions({
const router = useRouter(); const router = useRouter();
if (!isAuthorized) { if (!authorized) {
return null; return null;
} }
return ( return (
<> <div className="flex gap-2">
<ButtonGroup> <ButtonGroup>
<Authorized authorizations="DockerContainerStart"> <Authorized authorizations="DockerContainerStart">
<Button <Button
@ -165,7 +165,6 @@ export function ContainersDatatableActions({
</Button> </Button>
</Authorized> </Authorized>
</ButtonGroup> </ButtonGroup>
{isAddActionVisible && ( {isAddActionVisible && (
<Authorized authorizations="DockerContainerCreate"> <Authorized authorizations="DockerContainerCreate">
<Link to="docker.containers.new" className="space-left"> <Link to="docker.containers.new" className="space-left">
@ -173,7 +172,7 @@ export function ContainersDatatableActions({
</Link> </Link>
</Authorized> </Authorized>
)} )}
</> </div>
); );
function onStartClick(selectedItems: DockerContainer[]) { function onStartClick(selectedItems: DockerContainer[]) {

4
app/react/docker/containers/ListView/ContainersDatatable/columns/quick-actions.tsx
View File

@ -38,7 +38,7 @@ function QuickActionsCell({
wrapperState.showQuickActionLogs || wrapperState.showQuickActionLogs ||
wrapperState.showQuickActionStats; wrapperState.showQuickActionStats;
const isAuthorized = useAuthorizations([ const { authorized } = useAuthorizations([
'DockerContainerStats', 'DockerContainerStats',
'DockerContainerLogs', 'DockerContainerLogs',
'DockerExecStart', 'DockerExecStart',
@ -47,7 +47,7 @@ function QuickActionsCell({
'DockerTaskLogs', 'DockerTaskLogs',
]); ]);
if (!someOn || !isAuthorized) { if (!someOn || !authorized) {
return null; return null;
} }

4
app/react/docker/stacks/ListView/StacksDatatable/StacksDatatable.tsx
View File

@ -35,7 +35,7 @@ export function StacksDatatable({
const tableState = useTableState(settingsStore, tableKey); const tableState = useTableState(settingsStore, tableKey);
useRepeater(tableState.autoRefreshRate, onReload); useRepeater(tableState.autoRefreshRate, onReload);
const isAdminQuery = useIsEdgeAdmin(); const isAdminQuery = useIsEdgeAdmin();
const canManageStacks = useAuthorizations([ const { authorized: canManageStacks } = useAuthorizations([
'PortainerStackCreate', 'PortainerStackCreate',
'PortainerStackDelete', 'PortainerStackDelete',
]); ]);
@ -58,7 +58,7 @@ export function StacksDatatable({
columns={columns} columns={columns}
dataset={dataset} dataset={dataset}
isRowSelectable={({ original: item }) => isRowSelectable={({ original: item }) =>
allowSelection(item, isAdminQuery.isAdmin, canManageStacks.authorized) allowSelection(item, isAdminQuery.isAdmin, canManageStacks)
} }
getRowId={(item) => item.Id.toString()} getRowId={(item) => item.Id.toString()}
initialTableState={{ initialTableState={{

4
app/react/hooks/useUser.tsx
View File

@ -177,13 +177,13 @@ export function Authorized({
children, children,
childrenUnauthorized = null, childrenUnauthorized = null,
}: PropsWithChildren<AuthorizedProps>) { }: PropsWithChildren<AuthorizedProps>) {
const isAllowed = useAuthorizations( const { authorized } = useAuthorizations(
authorizations, authorizations,
environmentId, environmentId,
adminOnlyCE adminOnlyCE
); );
return isAllowed ? <>{children}</> : <>{childrenUnauthorized}</>; return authorized ? <>{children}</> : <>{childrenUnauthorized}</>;
} }
interface UserProviderProps { interface UserProviderProps {

2
app/react/kubernetes/applications/DetailsView/PlacementsDatatable/PlacementsDatatableSubRow.tsx
View File

@ -13,7 +13,7 @@ interface SubRowProps {
} }
export function SubRow({ node, cellCount }: SubRowProps) { export function SubRow({ node, cellCount }: SubRowProps) {
const authorized = useAuthorizations( const { authorized } = useAuthorizations(
'K8sApplicationErrorDetailsR', 'K8sApplicationErrorDetailsR',
undefined, undefined,
true true

2
app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/ApplicationsStacksDatatable.tsx
View File

@ -53,7 +53,7 @@ export function ApplicationsStacksDatatable({
// eslint-disable-next-line react-hooks/exhaustive-deps // eslint-disable-next-line react-hooks/exhaustive-deps
}, [showSystem]); }, [showSystem]);
const authorized = useAuthorizations('K8sApplicationsW'); const { authorized } = useAuthorizations('K8sApplicationsW');
useRepeater(tableState.autoRefreshRate, onRefresh); useRepeater(tableState.autoRefreshRate, onRefresh);
return ( return (

2
app/react/kubernetes/applications/components/EditYamlFormSection.tsx
View File

@ -22,7 +22,7 @@ export function EditYamlFormSection({
const environmentId = useEnvironmentId(); const environmentId = useEnvironmentId();
const { data: deploymentOptions } = const { data: deploymentOptions } =
useEnvironmentDeploymentOptions(environmentId); useEnvironmentDeploymentOptions(environmentId);
const roleHasAuth = useAuthorizations('K8sYAMLW'); const { authorized: roleHasAuth } = useAuthorizations('K8sYAMLW');
const isAllowedToEdit = roleHasAuth && !deploymentOptions?.hideWebEditor; const isAllowedToEdit = roleHasAuth && !deploymentOptions?.hideWebEditor;
const formId = 'kubernetes-deploy-editor'; const formId = 'kubernetes-deploy-editor';

5
app/react/kubernetes/configs/ListView/ConfigMapsDatatable/ConfigMapsDatatable.tsx
View File

@ -34,8 +34,9 @@ const settingsStore = createStore(storageKey);
export function ConfigMapsDatatable() { export function ConfigMapsDatatable() {
const tableState = useTableState(settingsStore, storageKey); const tableState = useTableState(settingsStore, storageKey);
const readOnly = !useAuthorizations(['K8sConfigMapsW']); const { authorized: canWrite } = useAuthorizations(['K8sConfigMapsW']);
const canAccessSystemResources = useAuthorizations( const readOnly = !canWrite;
const { authorized: canAccessSystemResources } = useAuthorizations(
'K8sAccessSystemNamespaces' 'K8sAccessSystemNamespaces'
); );

5
app/react/kubernetes/configs/ListView/SecretsDatatable/SecretsDatatable.tsx
View File

@ -34,8 +34,9 @@ const settingsStore = createStore(storageKey);
export function SecretsDatatable() { export function SecretsDatatable() {
const tableState = useTableState(settingsStore, storageKey); const tableState = useTableState(settingsStore, storageKey);
const readOnly = !useAuthorizations(['K8sSecretsW']); const { authorized: canWrite } = useAuthorizations(['K8sSecretsW']);
const canAccessSystemResources = useAuthorizations( const readOnly = !canWrite;
const { authorized: canAccessSystemResources } = useAuthorizations(
'K8sAccessSystemNamespaces' 'K8sAccessSystemNamespaces'
); );

8
app/react/kubernetes/ingresses/CreateIngressView/CreateIngressView.tsx
View File

@ -43,19 +43,21 @@ import {
export function CreateIngressView() { export function CreateIngressView() {
const environmentId = useEnvironmentId(); const environmentId = useEnvironmentId();
const { params } = useCurrentStateAndParams(); const { params } = useCurrentStateAndParams();
const isAuthorisedToAddEdit = useAuthorizations(['K8sIngressesW']); const { authorized: isAuthorizedToAddEdit } = useAuthorizations([
'K8sIngressesW',
]);
const router = useRouter(); const router = useRouter();
const isEdit = !!params.namespace; const isEdit = !!params.namespace;
useEffect(() => { useEffect(() => {
if (!isAuthorisedToAddEdit) { if (!isAuthorizedToAddEdit) {
const message = `Not authorized to ${isEdit ? 'edit' : 'add'} ingresses`; const message = `Not authorized to ${isEdit ? 'edit' : 'add'} ingresses`;
notifyError('Error', new Error(message)); notifyError('Error', new Error(message));
router.stateService.go('kubernetes.ingresses'); router.stateService.go('kubernetes.ingresses');
} }
// eslint-disable-next-line react-hooks/exhaustive-deps // eslint-disable-next-line react-hooks/exhaustive-deps
}, [isAuthorisedToAddEdit, isEdit]); }, [isAuthorizedToAddEdit, isEdit]);
const [namespace, setNamespace] = useState<string>(params.namespace || ''); const [namespace, setNamespace] = useState<string>(params.namespace || '');
const [ingressRule, setIngressRule] = useState<Rule>({} as Rule); const [ingressRule, setIngressRule] = useState<Rule>({} as Rule);

5
app/react/kubernetes/ingresses/IngressDatatable/IngressDatatable.tsx
View File

@ -36,7 +36,7 @@ export function IngressDatatable() {
const tableState = useTableState(settingsStore, storageKey); const tableState = useTableState(settingsStore, storageKey);
const environmentId = useEnvironmentId(); const environmentId = useEnvironmentId();
const canAccessSystemResources = useAuthorizations( const { authorized: canAccessSystemResources } = useAuthorizations(
'K8sAccessSystemNamespaces' 'K8sAccessSystemNamespaces'
); );
const { data: namespaces, ...namespacesQuery } = const { data: namespaces, ...namespacesQuery } =
@ -147,7 +147,8 @@ export function IngressDatatable() {
} }
function useCheckboxes() { function useCheckboxes() {
return !useAuthorizations(['K8sIngressesW']); const { authorized } = useAuthorizations(['K8sIngressesW']);
return !authorized;
} }
async function handleRemoveClick(ingresses: SelectedIngress[]) { async function handleRemoveClick(ingresses: SelectedIngress[]) {

5
app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.tsx
View File

@ -45,8 +45,9 @@ export function ServicesDatatable() {
} }
); );
const readOnly = !useAuthorizations(['K8sServiceW']); const { authorized: canWrite } = useAuthorizations(['K8sServiceW']);
const canAccessSystemResources = useAuthorizations( const readOnly = !canWrite;
const { authorized: canAccessSystemResources } = useAuthorizations(
'K8sAccessSystemNamespaces' 'K8sAccessSystemNamespaces'
); );

4
app/react/sidebar/DockerSidebar.tsx
View File

@ -30,7 +30,9 @@ interface Props {
} }
export function DockerSidebar({ environmentId, environment }: Props) { export function DockerSidebar({ environmentId, environment }: Props) {
const isEnvironmentAdmin = useIsEnvironmentAdmin({ adminOnlyCE: true }); const { authorized: isEnvironmentAdmin } = useIsEnvironmentAdmin({
adminOnlyCE: true,
});
const areStacksVisible = const areStacksVisible =
isEnvironmentAdmin || isEnvironmentAdmin ||