EE-2167 update message of upgrade notification (#6657)

* EE-2167 Migrate 1.24 users to 2.13
Changes:
1. When user login, popup a notification. This notification shows only once when user login.
2. Backup database when container start. Its name is portainer-1-24-backup.db.

* EE-2167 fix typo

* EE-2167 remove pre-commit

* EE-2167 backup db everytime when container start

* EE-2167 use default value 'null' of bootbox when showing upgrade notification

* move logic to backup1_24db

* added the version checking

* EE-2167 fix typo

api/bolt/datastore.go

@@ -1,7 +1,9 @@
 package bolt
 
 import (
+	"io"
 	"log"
+	"os"
 	"path"
 	"time"
 
@@ -11,7 +13,7 @@ import (
 	"github.com/portainer/portainer/api/bolt/tunnelserver"
 
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/dockerhub"
 	"github.com/portainer/portainer/api/bolt/endpoint"
 	"github.com/portainer/portainer/api/bolt/endpointgroup"
@@ -34,6 +36,7 @@ import (
 
 const (
 	databaseFileName = "portainer.db"
+	dbBackupFileName = "portainer-1-24-backup.db"
 )
 
 // Store defines the implementation of portainer.DataStore using
@@ -284,3 +287,38 @@ func (store *Store) initServices() error {
 
 	return nil
 }
+
+func (store *Store) Backup1_24db() error {
+	version, err := store.VersionService.DBVersion()
+	if err != nil && err != portainer.ErrObjectNotFound {
+		return err
+	}
+
+	if version != 24 {
+		return nil
+	}
+
+	databasePath := path.Join(store.path, databaseFileName)
+	dbBackupPath := path.Join(store.path, dbBackupFileName)
+
+	source, err := os.Open(databasePath)
+	if err != nil {
+		return err
+	}
+
+	defer source.Close()
+
+	destination, err := os.Create(dbBackupPath)
+	if err != nil {
+		return err
+	}
+
+	defer destination.Close()
+
+	_, err = io.Copy(destination, source)
+	if err == nil {
+		log.Println("backup for 1.24 finished successfully.")
+	}
+
+	return err
+}

api/bolt/migrator/migrate_dbversion22.go

@@ -1,6 +1,8 @@
 package migrator
 
-import "github.com/portainer/portainer/api"
+import (
+	"github.com/portainer/portainer/api"
+)
 
 func (m *Migrator) updateTagsToDBVersion23() error {
 	tags, err := m.tagService.Tags()

api/bolt/migrator/migrate_dbversion23.go

@@ -0,0 +1,14 @@
+package migrator
+
+func (m *Migrator) updateSettingsToDBVersion24() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	legacySettings.AllowDeviceMappingForRegularUsers = true
+	legacySettings.AllowStackManagementForRegularUsers = true
+	legacySettings.AllowHostNamespaceForRegularUsers = true
+
+	return m.settingsService.UpdateSettings(legacySettings)
+}

api/bolt/migrator/migrate_dbversion24.go

@@ -0,0 +1,12 @@
+package migrator
+
+func (m *Migrator) updateSettingsToDBVersion25() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	legacySettings.AllowContainerCapabilitiesForRegularUsers = true
+
+	return m.settingsService.UpdateSettings(legacySettings)
+}

api/bolt/migrator/migrator.go

@@ -2,7 +2,7 @@ package migrator
 
 import (
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/endpoint"
 	"github.com/portainer/portainer/api/bolt/endpointgroup"
 	"github.com/portainer/portainer/api/bolt/endpointrelation"
@@ -322,5 +322,21 @@ func (m *Migrator) Migrate() error {
 		}
 	}
 
+	// Portainer 1.24.1
+	if m.currentDBVersion < 24 {
+		err := m.updateSettingsToDBVersion24()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.24.2
+	if m.currentDBVersion < 25 {
+		err := m.updateSettingsToDBVersion25()
+		if err != nil {
+			return err
+		}
+	}
+
 	return m.versionService.StoreDBVersion(portainer.DBVersion)
 }

api/cmd/portainer/main.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/portainer/portainer/api/chisel"
 
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt"
 	"github.com/portainer/portainer/api/cli"
 	"github.com/portainer/portainer/api/cron"
@@ -63,10 +63,16 @@ func initStore(dataStorePath string, fileService portainer.FileService) *bolt.St
 		log.Fatal(err)
 	}
 
+	err = store.Backup1_24db()
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	err = store.MigrateData()
 	if err != nil {
 		log.Fatal(err)
 	}
+
 	return store
 }
 
@@ -269,13 +275,17 @@ func initSettings(settingsService portainer.SettingsService, flags *portainer.CL
 					portainer.LDAPGroupSearchSettings{},
 				},
 			},
-			OAuthSettings:                      portainer.OAuthSettings{},
-			AllowBindMountsForRegularUsers:     true,
-			AllowPrivilegedModeForRegularUsers: true,
-			AllowVolumeBrowserForRegularUsers:  false,
-			EnableHostManagementFeatures:       false,
-			SnapshotInterval:                   *flags.SnapshotInterval,
-			EdgeAgentCheckinInterval:           portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
+			OAuthSettings:                             portainer.OAuthSettings{},
+			AllowBindMountsForRegularUsers:            true,
+			AllowPrivilegedModeForRegularUsers:        true,
+			AllowVolumeBrowserForRegularUsers:         false,
+			AllowDeviceMappingForRegularUsers:         true,
+			AllowStackManagementForRegularUsers:       true,
+			AllowContainerCapabilitiesForRegularUsers: true,
+			EnableHostManagementFeatures:              false,
+			AllowHostNamespaceForRegularUsers:         true,
+			SnapshotInterval:                          *flags.SnapshotInterval,
+			EdgeAgentCheckinInterval:                  portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
 		}
 
 		if *flags.Templates != "" {

api/crypto/tls.go

@@ -6,6 +6,24 @@ import (
 	"io/ioutil"
 )
 
+// CreateTLSConfiguration creates a basic tls.Config to be used by servers with recommended TLS settings
+func CreateServerTLSConfiguration() *tls.Config {
+	return &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		CipherSuites: []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		},
+	}
+}
+
 // CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from memory.
 func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {

api/http/handler/endpoints/endpoint_create.go

@@ -12,7 +12,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/http/client"
 )
@@ -261,13 +261,13 @@ func (handler *Handler) createEdgeAgentEndpoint(payload *endpointCreatePayload)
 		TLSConfig: portainer.TLSConfiguration{
 			TLS: false,
 		},
-		AuthorizedUsers: []portainer.UserID{},
-		AuthorizedTeams: []portainer.TeamID{},
-		Extensions:      []portainer.EndpointExtension{},
-		TagIDs:          payload.TagIDs,
-		Status:          portainer.EndpointStatusUp,
-		Snapshots:       []portainer.Snapshot{},
-		EdgeKey:         edgeKey,
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
+		Extensions:         []portainer.EndpointExtension{},
+		TagIDs:             payload.TagIDs,
+		Status:             portainer.EndpointStatusUp,
+		Snapshots:          []portainer.Snapshot{},
+		EdgeKey:            edgeKey,
 	}
 
 	err = handler.saveEndpointAndUpdateAuthorizations(endpoint)

api/http/handler/extensions/extension_create.go

@@ -41,16 +41,21 @@ func (handler *Handler) extensionCreate(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve extensions status from the database", err}
 	}
 
-	for _, existingExtension := range extensions {
-		if existingExtension.ID == extensionID && existingExtension.Enabled {
-			return &httperror.HandlerError{http.StatusConflict, "Unable to enable extension", portainer.ErrExtensionAlreadyEnabled}
-		}
-	}
-
 	extension := &portainer.Extension{
 		ID: extensionID,
 	}
 
+	for _, existingExtension := range extensions {
+		if existingExtension.ID == extensionID && (existingExtension.Enabled || !existingExtension.License.Valid) {
+			if existingExtension.License.LicenseKey == payload.License {
+				return &httperror.HandlerError{http.StatusConflict, "Unable to enable extension", portainer.ErrExtensionAlreadyEnabled}
+			}
+
+			_ = handler.ExtensionManager.DisableExtension(&existingExtension)
+			extension.Enabled = true
+		}
+	}
+
 	extensionDefinitions, err := handler.ExtensionManager.FetchExtensionDefinitions()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve extension definitions", err}
@@ -68,15 +73,14 @@ func (handler *Handler) extensionCreate(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to enable extension", err}
 	}
 
-	extension.Enabled = true
-
-	if extension.ID == portainer.RBACExtension {
+	if extension.ID == portainer.RBACExtension && !extension.Enabled {
 		err = handler.upgradeRBACData()
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "An error occured during database update", err}
 		}
 	}
 
+	extension.Enabled = true
 	err = handler.ExtensionService.Persist(extension)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist extension status inside the database", err}

api/http/handler/extensions/extension_upload.go

@@ -46,10 +46,21 @@ func (handler *Handler) extensionUpload(w http.ResponseWriter, r *http.Request)
 	}
 	extensionID := portainer.ExtensionID(extensionIdentifier)
 
+	extensions, err := handler.ExtensionService.Extensions()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve extensions status from the database", err}
+	}
+
 	extension := &portainer.Extension{
 		ID: extensionID,
 	}
 
+	for _, existingExtension := range extensions {
+		if existingExtension.ID == extensionID && (existingExtension.Enabled || !existingExtension.License.Valid) {
+			extension.Enabled = true
+		}
+	}
+
 	_ = handler.ExtensionManager.DisableExtension(extension)
 
 	err = handler.ExtensionManager.InstallExtension(extension, payload.License, payload.ArchiveFileName, payload.ExtensionArchive)
@@ -57,15 +68,15 @@ func (handler *Handler) extensionUpload(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to install extension", err}
 	}
 
-	extension.Enabled = true
-
-	if extension.ID == portainer.RBACExtension {
+	if extension.ID == portainer.RBACExtension && !extension.Enabled {
 		err = handler.upgradeRBACData()
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "An error occured during database update", err}
 		}
 	}
 
+	extension.Enabled = true
+
 	err = handler.ExtensionService.Persist(extension)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist extension status inside the database", err}

api/http/handler/settings/settings_public.go

@@ -6,19 +6,23 @@ import (
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )
 
 type publicSettingsResponse struct {
-	LogoURL                            string                         `json:"LogoURL"`
-	AuthenticationMethod               portainer.AuthenticationMethod `json:"AuthenticationMethod"`
-	AllowBindMountsForRegularUsers     bool                           `json:"AllowBindMountsForRegularUsers"`
-	AllowPrivilegedModeForRegularUsers bool                           `json:"AllowPrivilegedModeForRegularUsers"`
-	AllowVolumeBrowserForRegularUsers  bool                           `json:"AllowVolumeBrowserForRegularUsers"`
-	EnableHostManagementFeatures       bool                           `json:"EnableHostManagementFeatures"`
-	EnableEdgeComputeFeatures          bool                           `json:"EnableEdgeComputeFeatures"`
-	ExternalTemplates                  bool                           `json:"ExternalTemplates"`
-	OAuthLoginURI                      string                         `json:"OAuthLoginURI"`
+	LogoURL                                   string                         `json:"LogoURL"`
+	AuthenticationMethod                      portainer.AuthenticationMethod `json:"AuthenticationMethod"`
+	AllowBindMountsForRegularUsers            bool                           `json:"AllowBindMountsForRegularUsers"`
+	AllowPrivilegedModeForRegularUsers        bool                           `json:"AllowPrivilegedModeForRegularUsers"`
+	AllowVolumeBrowserForRegularUsers         bool                           `json:"AllowVolumeBrowserForRegularUsers"`
+	EnableHostManagementFeatures              bool                           `json:"EnableHostManagementFeatures"`
+	EnableEdgeComputeFeatures                 bool                           `json:"EnableEdgeComputeFeatures"`
+	ExternalTemplates                         bool                           `json:"ExternalTemplates"`
+	OAuthLoginURI                             string                         `json:"OAuthLoginURI"`
+	AllowStackManagementForRegularUsers       bool                           `json:"AllowStackManagementForRegularUsers"`
+	AllowHostNamespaceForRegularUsers         bool                           `json:"AllowHostNamespaceForRegularUsers"`
+	AllowDeviceMappingForRegularUsers         bool                           `json:"AllowDeviceMappingForRegularUsers"`
+	AllowContainerCapabilitiesForRegularUsers bool                           `json:"AllowContainerCapabilitiesForRegularUsers"`
 }
 
 // GET request on /api/settings/public
@@ -29,19 +33,23 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 	}
 
 	publicSettings := &publicSettingsResponse{
-		LogoURL:                            settings.LogoURL,
-		AuthenticationMethod:               settings.AuthenticationMethod,
-		AllowBindMountsForRegularUsers:     settings.AllowBindMountsForRegularUsers,
-		AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
-		AllowVolumeBrowserForRegularUsers:  settings.AllowVolumeBrowserForRegularUsers,
-		EnableHostManagementFeatures:       settings.EnableHostManagementFeatures,
-		EnableEdgeComputeFeatures:          settings.EnableEdgeComputeFeatures,
-		ExternalTemplates:                  false,
+		LogoURL:                                   settings.LogoURL,
+		AuthenticationMethod:                      settings.AuthenticationMethod,
+		AllowBindMountsForRegularUsers:            settings.AllowBindMountsForRegularUsers,
+		AllowPrivilegedModeForRegularUsers:        settings.AllowPrivilegedModeForRegularUsers,
+		AllowVolumeBrowserForRegularUsers:         settings.AllowVolumeBrowserForRegularUsers,
+		EnableHostManagementFeatures:              settings.EnableHostManagementFeatures,
+		EnableEdgeComputeFeatures:                 settings.EnableEdgeComputeFeatures,
+		AllowHostNamespaceForRegularUsers:         settings.AllowHostNamespaceForRegularUsers,
+		AllowStackManagementForRegularUsers:       settings.AllowStackManagementForRegularUsers,
+		ExternalTemplates:                         false,
+		AllowContainerCapabilitiesForRegularUsers: settings.AllowContainerCapabilitiesForRegularUsers,
 		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&prompt=login",
 			settings.OAuthSettings.AuthorizationURI,
 			settings.OAuthSettings.ClientID,
 			settings.OAuthSettings.RedirectURI,
 			settings.OAuthSettings.Scopes),
+		AllowDeviceMappingForRegularUsers: settings.AllowDeviceMappingForRegularUsers,
 	}
 
 	if settings.TemplatesURL != "" {

api/http/handler/settings/settings_update.go

@@ -7,24 +7,28 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
 )
 
 type settingsUpdatePayload struct {
-	LogoURL                            *string
-	BlackListedLabels                  []portainer.Pair
-	AuthenticationMethod               *int
-	LDAPSettings                       *portainer.LDAPSettings
-	OAuthSettings                      *portainer.OAuthSettings
-	AllowBindMountsForRegularUsers     *bool
-	AllowPrivilegedModeForRegularUsers *bool
-	AllowVolumeBrowserForRegularUsers  *bool
-	EnableHostManagementFeatures       *bool
-	SnapshotInterval                   *string
-	TemplatesURL                       *string
-	EdgeAgentCheckinInterval           *int
-	EnableEdgeComputeFeatures          *bool
+	LogoURL                                   *string
+	BlackListedLabels                         []portainer.Pair
+	AuthenticationMethod                      *int
+	LDAPSettings                              *portainer.LDAPSettings
+	OAuthSettings                             *portainer.OAuthSettings
+	AllowBindMountsForRegularUsers            *bool
+	AllowPrivilegedModeForRegularUsers        *bool
+	AllowVolumeBrowserForRegularUsers         *bool
+	EnableHostManagementFeatures              *bool
+	SnapshotInterval                          *string
+	TemplatesURL                              *string
+	EdgeAgentCheckinInterval                  *int
+	EnableEdgeComputeFeatures                 *bool
+	AllowStackManagementForRegularUsers       *bool
+	AllowHostNamespaceForRegularUsers         *bool
+	AllowDeviceMappingForRegularUsers         *bool
+	AllowContainerCapabilitiesForRegularUsers *bool
 }
 
 func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
@@ -114,6 +118,18 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 		settings.EnableEdgeComputeFeatures = *payload.EnableEdgeComputeFeatures
 	}
 
+	if payload.AllowStackManagementForRegularUsers != nil {
+		settings.AllowStackManagementForRegularUsers = *payload.AllowStackManagementForRegularUsers
+	}
+
+	if payload.AllowHostNamespaceForRegularUsers != nil {
+		settings.AllowHostNamespaceForRegularUsers = *payload.AllowHostNamespaceForRegularUsers
+	}
+
+	if payload.AllowContainerCapabilitiesForRegularUsers != nil {
+		settings.AllowContainerCapabilitiesForRegularUsers = *payload.AllowContainerCapabilitiesForRegularUsers
+	}
+
 	if payload.SnapshotInterval != nil && *payload.SnapshotInterval != settings.SnapshotInterval {
 		err := handler.updateSnapshotInterval(settings, *payload.SnapshotInterval)
 		if err != nil {
@@ -125,6 +141,10 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 		settings.EdgeAgentCheckinInterval = *payload.EdgeAgentCheckinInterval
 	}
 
+	if payload.AllowDeviceMappingForRegularUsers != nil {
+		settings.AllowDeviceMappingForRegularUsers = *payload.AllowDeviceMappingForRegularUsers
+	}
+
 	tlsError := handler.updateTLS(settings)
 	if tlsError != nil {
 		return tlsError

api/http/handler/stacks/create_compose_stack.go

@@ -1,7 +1,6 @@
 package stacks
 
 import (
-	"errors"
 	"net/http"
 	"path"
 	"regexp"
@@ -11,7 +10,7 @@ import (
 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/security"
 )
@@ -283,6 +282,7 @@ type composeStackDeploymentConfig struct {
 	dockerhub  *portainer.DockerHub
 	registries []portainer.Registry
 	isAdmin    bool
+	user       *portainer.User
 }
 
 func (handler *Handler) createComposeDeployConfig(r *http.Request, stack *portainer.Stack, endpoint *portainer.Endpoint) (*composeStackDeploymentConfig, *httperror.HandlerError) {
@@ -302,12 +302,21 @@ func (handler *Handler) createComposeDeployConfig(r *http.Request, stack *portai
 	}
 	filteredRegistries := security.FilterRegistries(registries, securityContext)
 
+	var user *portainer.User
+	if !handler.authDisabled {
+		user, err = handler.UserService.User(securityContext.UserID)
+		if err != nil {
+			return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to load user information from the database", err}
+		}
+	}
+
 	config := &composeStackDeploymentConfig{
 		stack:      stack,
 		endpoint:   endpoint,
 		dockerhub:  dockerhub,
 		registries: filteredRegistries,
 		isAdmin:    securityContext.IsAdmin,
+		user:       user,
 	}
 
 	return config, nil
@@ -324,20 +333,29 @@ func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig)
 		return err
 	}
 
-	if !settings.AllowBindMountsForRegularUsers && !config.isAdmin {
-		composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
-
-		stackContent, err := handler.FileService.GetFileContent(composeFilePath)
+	if !handler.authDisabled {
+		isAdminOrEndpointAdmin, err := handler.userIsAdminOrEndpointAdmin(config.user, config.endpoint.ID)
 		if err != nil {
 			return err
 		}
 
-		valid, err := handler.isValidStackFile(stackContent)
-		if err != nil {
-			return err
-		}
-		if !valid {
-			return errors.New("bind-mount disabled for non administrator users")
+		if (!settings.AllowBindMountsForRegularUsers ||
+			!settings.AllowPrivilegedModeForRegularUsers ||
+			!settings.AllowHostNamespaceForRegularUsers ||
+			!settings.AllowDeviceMappingForRegularUsers ||
+			!settings.AllowContainerCapabilitiesForRegularUsers) && !isAdminOrEndpointAdmin {
+
+			composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
+
+			stackContent, err := handler.FileService.GetFileContent(composeFilePath)
+			if err != nil {
+				return err
+			}
+
+			err = handler.isValidStackFile(stackContent, settings)
+			if err != nil {
+				return err
+			}
 		}
 	}
 

api/http/handler/stacks/create_swarm_stack.go

@@ -1,7 +1,6 @@
 package stacks
 
 import (
-	"errors"
 	"net/http"
 	"path"
 	"strconv"
@@ -10,7 +9,7 @@ import (
 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/security"
 )
@@ -292,6 +291,7 @@ type swarmStackDeploymentConfig struct {
 	registries []portainer.Registry
 	prune      bool
 	isAdmin    bool
+	user       *portainer.User
 }
 
 func (handler *Handler) createSwarmDeployConfig(r *http.Request, stack *portainer.Stack, endpoint *portainer.Endpoint, prune bool) (*swarmStackDeploymentConfig, *httperror.HandlerError) {
@@ -311,6 +311,14 @@ func (handler *Handler) createSwarmDeployConfig(r *http.Request, stack *portaine
 	}
 	filteredRegistries := security.FilterRegistries(registries, securityContext)
 
+	var user *portainer.User
+	if !handler.authDisabled {
+		user, err = handler.UserService.User(securityContext.UserID)
+		if err != nil {
+			return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to load user information from the database", err}
+		}
+	}
+
 	config := &swarmStackDeploymentConfig{
 		stack:      stack,
 		endpoint:   endpoint,
@@ -318,6 +326,7 @@ func (handler *Handler) createSwarmDeployConfig(r *http.Request, stack *portaine
 		registries: filteredRegistries,
 		prune:      prune,
 		isAdmin:    securityContext.IsAdmin,
+		user:       user,
 	}
 
 	return config, nil
@@ -329,20 +338,25 @@ func (handler *Handler) deploySwarmStack(config *swarmStackDeploymentConfig) err
 		return err
 	}
 
-	if !settings.AllowBindMountsForRegularUsers && !config.isAdmin {
-		composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
-
-		stackContent, err := handler.FileService.GetFileContent(composeFilePath)
+	if !handler.authDisabled {
+		isAdminOrEndpointAdmin, err := handler.userIsAdminOrEndpointAdmin(config.user, config.endpoint.ID)
 		if err != nil {
 			return err
 		}
 
-		valid, err := handler.isValidStackFile(stackContent)
-		if err != nil {
-			return err
-		}
-		if !valid {
-			return errors.New("bind-mount disabled for non administrator users")
+		if !settings.AllowBindMountsForRegularUsers && !isAdminOrEndpointAdmin {
+
+			composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
+
+			stackContent, err := handler.FileService.GetFileContent(composeFilePath)
+			if err != nil {
+				return err
+			}
+
+			err = handler.isValidStackFile(stackContent, settings)
+			if err != nil {
+				return err
+			}
 		}
 	}
 

api/http/handler/stacks/handler.go

@@ -1,12 +1,13 @@
 package stacks
 
 import (
+	"errors"
 	"net/http"
 	"sync"
 
 	"github.com/gorilla/mux"
 	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
 )
 
@@ -15,6 +16,8 @@ type Handler struct {
 	stackCreationMutex *sync.Mutex
 	stackDeletionMutex *sync.Mutex
 	requestBouncer     *security.RequestBouncer
+	authDisabled       bool
+
 	*mux.Router
 	FileService            portainer.FileService
 	GitService             portainer.GitService
@@ -31,9 +34,10 @@ type Handler struct {
 }
 
 // NewHandler creates a handler to manage stack operations.
-func NewHandler(bouncer *security.RequestBouncer) *Handler {
+func NewHandler(bouncer *security.RequestBouncer, authDisabled bool) *Handler {
 	h := &Handler{
 		Router:             mux.NewRouter(),
+		authDisabled:       authDisabled,
 		stackCreationMutex: &sync.Mutex{},
 		stackDeletionMutex: &sync.Mutex{},
 		requestBouncer:     bouncer,
@@ -56,7 +60,7 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 }
 
 func (handler *Handler) userCanAccessStack(securityContext *security.RestrictedRequestContext, endpointID portainer.EndpointID, resourceControl *portainer.ResourceControl) (bool, error) {
-	if securityContext.IsAdmin {
+	if securityContext.IsAdmin || handler.authDisabled {
 		return true, nil
 	}
 
@@ -87,3 +91,54 @@ func (handler *Handler) userCanAccessStack(securityContext *security.RestrictedR
 	}
 	return false, nil
 }
+
+func (handler *Handler) userCanCreateStack(securityContext *security.RestrictedRequestContext, endpointID portainer.EndpointID) (bool, error) {
+	if securityContext.IsAdmin || handler.authDisabled {
+		return true, nil
+	}
+
+	_, err := handler.ExtensionService.Extension(portainer.RBACExtension)
+	if err == portainer.ErrObjectNotFound {
+		return false, nil
+	} else if err != nil && err != portainer.ErrObjectNotFound {
+		return false, err
+	}
+
+	user, err := handler.UserService.User(securityContext.UserID)
+	if err != nil {
+		return false, err
+	}
+
+	_, ok := user.EndpointAuthorizations[endpointID][portainer.EndpointResourcesAccess]
+	if ok {
+		return true, nil
+	}
+	return false, nil
+}
+
+func (handler *Handler) userIsAdminOrEndpointAdmin(user *portainer.User, endpointID portainer.EndpointID) (bool, error) {
+	isAdmin := user.Role == portainer.AdministratorRole
+
+	rbacExtension, err := handler.ExtensionService.Extension(portainer.RBACExtension)
+	if err != nil && err != portainer.ErrObjectNotFound {
+		return false, errors.New("Unable to verify if RBAC extension is loaded")
+	}
+
+	endpointResourceAccess := false
+	_, ok := user.EndpointAuthorizations[portainer.EndpointID(endpointID)][portainer.EndpointResourcesAccess]
+	if ok {
+		endpointResourceAccess = true
+	}
+
+	if rbacExtension != nil {
+		if isAdmin || endpointResourceAccess {
+			return true, nil
+		}
+	} else {
+		if isAdmin {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}

api/http/handler/stacks/stack_create.go

@@ -10,7 +10,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
 )
 
@@ -43,6 +43,29 @@ func (handler *Handler) stackCreate(w http.ResponseWriter, r *http.Request) *htt
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: endpointId", err}
 	}
 
+	settings, err := handler.SettingsService.Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	if !settings.AllowStackManagementForRegularUsers {
+		securityContext, err := security.RetrieveRestrictedRequestContext(r)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user info from request context", err}
+		}
+
+		canCreate, err := handler.userCanCreateStack(securityContext, portainer.EndpointID(endpointID))
+
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify user authorizations to validate stack creation", err}
+		}
+
+		if !canCreate {
+			errMsg := "Stack creation is disabled for non-admin users"
+			return &httperror.HandlerError{http.StatusForbidden, errMsg, errors.New(errMsg)}
+		}
+	}
+
 	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
@@ -97,10 +120,10 @@ func (handler *Handler) createSwarmStack(w http.ResponseWriter, r *http.Request,
 	return &httperror.HandlerError{http.StatusBadRequest, "Invalid value for query parameter: method. Value must be one of: string, repository or file", errors.New(request.ErrInvalidQueryParameter)}
 }
 
-func (handler *Handler) isValidStackFile(stackFileContent []byte) (bool, error) {
+func (handler *Handler) isValidStackFile(stackFileContent []byte, settings *portainer.Settings) error {
 	composeConfigYAML, err := loader.ParseYAML(stackFileContent)
 	if err != nil {
-		return false, err
+		return err
 	}
 
 	composeConfigFile := types.ConfigFile{
@@ -117,19 +140,37 @@ func (handler *Handler) isValidStackFile(stackFileContent []byte) (bool, error)
 		options.SkipInterpolation = true
 	})
 	if err != nil {
-		return false, err
+		return err
 	}
 
 	for key := range composeConfig.Services {
 		service := composeConfig.Services[key]
-		for _, volume := range service.Volumes {
-			if volume.Type == "bind" {
-				return false, nil
+		if !settings.AllowBindMountsForRegularUsers {
+			for _, volume := range service.Volumes {
+				if volume.Type == "bind" {
+					return errors.New("bind-mount disabled for non administrator users")
+				}
 			}
 		}
+
+		if !settings.AllowPrivilegedModeForRegularUsers && service.Privileged == true {
+			return errors.New("privileged mode disabled for non administrator users")
+		}
+
+		if !settings.AllowHostNamespaceForRegularUsers && service.Pid == "host" {
+			return errors.New("pid host disabled for non administrator users")
+		}
+
+		if !settings.AllowDeviceMappingForRegularUsers && service.Devices != nil && len(service.Devices) > 0 {
+			return errors.New("device mapping disabled for non administrator users")
+		}
+
+		if !settings.AllowContainerCapabilitiesForRegularUsers && (len(service.CapAdd) > 0 || len(service.CapDrop) > 0) {
+			return errors.New("container capabilities disabled for non administrator users")
+		}
 	}
 
-	return true, nil
+	return nil
 }
 
 func (handler *Handler) decorateStackResponse(w http.ResponseWriter, stack *portainer.Stack, userID portainer.UserID) *httperror.HandlerError {

api/http/proxy/factory/docker.go

@@ -68,6 +68,7 @@ func (factory *ProxyFactory) newDockerHTTPProxy(endpoint *portainer.Endpoint) (h
 		ExtensionService:       factory.extensionService,
 		SignatureService:       factory.signatureService,
 		DockerClientFactory:    factory.dockerClientFactory,
+		AuthDisabled:           factory.authDisabled,
 	}
 
 	dockerTransport, err := docker.NewTransport(transportParameters, httpTransport)

api/http/proxy/factory/docker/containers.go

@@ -1,12 +1,17 @@
 package docker
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
+	"errors"
+	"io/ioutil"
 	"net/http"
 
 	"github.com/docker/docker/client"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/security"
 )
 
 const (
@@ -147,3 +152,88 @@ func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelB
 
 	return false
 }
+
+func (transport *Transport) decorateContainerCreationOperation(request *http.Request, resourceIdentifierAttribute string, resourceType portainer.ResourceControlType) (*http.Response, error) {
+	type PartialContainer struct {
+		HostConfig struct {
+			Privileged bool          `json:"Privileged"`
+			PidMode    string        `json:"PidMode"`
+			Devices    []interface{} `json:"Devices"`
+			CapAdd     []string      `json:"CapAdd"`
+			CapDrop    []string      `json:"CapDrop"`
+			Binds      []string      `json:"Binds"`
+		} `json:"HostConfig"`
+	}
+
+	forbiddenResponse := &http.Response{
+		StatusCode: http.StatusForbidden,
+	}
+
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return nil, err
+	}
+
+	isAdminOrEndpointAdmin, err := transport.isAdminOrEndpointAdmin(request)
+	if err != nil {
+		return nil, err
+	}
+
+	if !isAdminOrEndpointAdmin {
+		settings, err := transport.settingsService.Settings()
+		if err != nil {
+			return nil, err
+		}
+
+		if !settings.AllowPrivilegedModeForRegularUsers ||
+			!settings.AllowHostNamespaceForRegularUsers ||
+			!settings.AllowDeviceMappingForRegularUsers ||
+			!settings.AllowContainerCapabilitiesForRegularUsers ||
+			!settings.AllowBindMountsForRegularUsers {
+
+			body, err := ioutil.ReadAll(request.Body)
+			if err != nil {
+				return nil, err
+			}
+
+			partialContainer := &PartialContainer{}
+			err = json.Unmarshal(body, partialContainer)
+			if err != nil {
+				return nil, err
+			}
+
+			if !settings.AllowPrivilegedModeForRegularUsers && partialContainer.HostConfig.Privileged {
+				return forbiddenResponse, errors.New("forbidden to use privileged mode")
+			}
+
+			if !settings.AllowHostNamespaceForRegularUsers && partialContainer.HostConfig.PidMode == "host" {
+				return forbiddenResponse, errors.New("forbidden to use pid host namespace")
+			}
+
+			if !settings.AllowDeviceMappingForRegularUsers && len(partialContainer.HostConfig.Devices) > 0 {
+				return nil, errors.New("forbidden to use device mapping")
+			}
+
+			if !settings.AllowContainerCapabilitiesForRegularUsers && (len(partialContainer.HostConfig.CapAdd) > 0 || len(partialContainer.HostConfig.CapDrop) > 0) {
+				return nil, errors.New("forbidden to use container capabilities")
+			}
+
+			if !settings.AllowBindMountsForRegularUsers && (len(partialContainer.HostConfig.Binds) > 0) {
+				return forbiddenResponse, errors.New("forbidden to use bind mounts")
+			}
+
+			request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
+		}
+	}
+
+	response, err := transport.executeDockerRequest(request)
+	if err != nil {
+		return response, err
+	}
+
+	if response.StatusCode == http.StatusCreated {
+		err = transport.decorateGenericResourceCreationResponse(response, resourceIdentifierAttribute, resourceType, tokenData.ID)
+	}
+
+	return response, err
+}

api/http/proxy/factory/docker/services.go

@@ -1,7 +1,11 @@
 package docker
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
+	"errors"
+	"io/ioutil"
 	"net/http"
 
 	"github.com/docker/docker/api/types"
@@ -84,3 +88,54 @@ func selectorServiceLabels(responseObject map[string]interface{}) map[string]int
 	}
 	return nil
 }
+
+func (transport *Transport) decorateServiceCreationOperation(request *http.Request) (*http.Response, error) {
+	type PartialService struct {
+		TaskTemplate struct {
+			ContainerSpec struct {
+				Mounts []struct {
+					Type string
+				}
+			}
+		}
+	}
+
+	forbiddenResponse := &http.Response{
+		StatusCode: http.StatusForbidden,
+	}
+
+	isAdminOrEndpointAdmin, err := transport.isAdminOrEndpointAdmin(request)
+	if err != nil {
+		return nil, err
+	}
+
+	if !isAdminOrEndpointAdmin {
+		settings, err := transport.settingsService.Settings()
+		if err != nil {
+			return nil, err
+		}
+
+		body, err := ioutil.ReadAll(request.Body)
+		if err != nil {
+			return nil, err
+		}
+
+		partialService := &PartialService{}
+		err = json.Unmarshal(body, partialService)
+		if err != nil {
+			return nil, err
+		}
+
+		if !settings.AllowBindMountsForRegularUsers && (len(partialService.TaskTemplate.ContainerSpec.Mounts) > 0) {
+			for _, mount := range partialService.TaskTemplate.ContainerSpec.Mounts {
+				if mount.Type == "bind" {
+					return forbiddenResponse, errors.New("forbidden to use bind mounts")
+				}
+			}
+		}
+
+		request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
+	}
+
+	return transport.replaceRegistryAuthenticationHeader(request)
+}

api/http/proxy/factory/docker/transport.go

@@ -38,6 +38,7 @@ type (
 		extensionService       portainer.ExtensionService
 		dockerClient           *client.Client
 		dockerClientFactory    *docker.ClientFactory
+		authDisabled           bool
 	}
 
 	// TransportParameters is used to create a new Transport
@@ -54,6 +55,7 @@ type (
 		ReverseTunnelService   portainer.ReverseTunnelService
 		ExtensionService       portainer.ExtensionService
 		DockerClientFactory    *docker.ClientFactory
+		AuthDisabled           bool
 	}
 
 	restrictedDockerOperationContext struct {
@@ -94,6 +96,7 @@ func NewTransport(parameters *TransportParameters, httpTransport *http.Transport
 		dockerClientFactory:    parameters.DockerClientFactory,
 		HTTPTransport:          httpTransport,
 		dockerClient:           dockerClient,
+		authDisabled:           parameters.AuthDisabled,
 	}
 
 	return transport, nil
@@ -209,7 +212,7 @@ func (transport *Transport) proxyConfigRequest(request *http.Request) (*http.Res
 func (transport *Transport) proxyContainerRequest(request *http.Request) (*http.Response, error) {
 	switch requestPath := request.URL.Path; requestPath {
 	case "/containers/create":
-		return transport.decorateGenericResourceCreationOperation(request, containerObjectIdentifier, portainer.ContainerResourceControl)
+		return transport.decorateContainerCreationOperation(request, containerObjectIdentifier, portainer.ContainerResourceControl)
 
 	case "/containers/prune":
 		return transport.administratorOperation(request)
@@ -245,7 +248,7 @@ func (transport *Transport) proxyContainerRequest(request *http.Request) (*http.
 func (transport *Transport) proxyServiceRequest(request *http.Request) (*http.Response, error) {
 	switch requestPath := request.URL.Path; requestPath {
 	case "/services/create":
-		return transport.replaceRegistryAuthenticationHeader(request)
+		return transport.decorateServiceCreationOperation(request)
 
 	case "/services":
 		return transport.rewriteOperation(request, transport.serviceListOperation)
@@ -733,3 +736,36 @@ func (transport *Transport) createOperationContext(request *http.Request) (*rest
 
 	return operationContext, nil
 }
+
+func (transport *Transport) isAdminOrEndpointAdmin(request *http.Request) (bool, error) {
+	if transport.authDisabled {
+		return true, nil
+	}
+
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return false, err
+	}
+
+	if tokenData.Role == portainer.AdministratorRole {
+		return true, nil
+	}
+
+	user, err := transport.userService.User(tokenData.ID)
+	if err != nil {
+		return false, err
+	}
+
+	rbacExtension, err := transport.extensionService.Extension(portainer.RBACExtension)
+	if err != nil && err != portainer.ErrObjectNotFound {
+		return false, err
+	}
+
+	if rbacExtension == nil {
+		return false, nil
+	}
+
+	_, endpointResourceAccess := user.EndpointAuthorizations[portainer.EndpointID(transport.endpoint.ID)][portainer.EndpointResourcesAccess]
+
+	return endpointResourceAccess, nil
+}

api/http/proxy/factory/docker_unix.go

@@ -24,6 +24,7 @@ func (factory ProxyFactory) newOSBasedLocalProxy(path string, endpoint *portaine
 		ExtensionService:       factory.extensionService,
 		SignatureService:       factory.signatureService,
 		DockerClientFactory:    factory.dockerClientFactory,
+		AuthDisabled:           factory.authDisabled,
 	}
 
 	proxy := &dockerLocalProxy{}

api/http/proxy/factory/docker_windows.go

@@ -25,6 +25,7 @@ func (factory ProxyFactory) newOSBasedLocalProxy(path string, endpoint *portaine
 		ExtensionService:       factory.extensionService,
 		SignatureService:       factory.signatureService,
 		DockerClientFactory:    factory.dockerClientFactory,
+		AuthDisabled:           factory.authDisabled,
 	}
 
 	proxy := &dockerLocalProxy{}

api/http/proxy/factory/factory.go

@@ -6,7 +6,7 @@ import (
 	"net/http/httputil"
 	"net/url"
 
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/docker"
 )
 
@@ -32,6 +32,7 @@ type (
 		reverseTunnelService   portainer.ReverseTunnelService
 		extensionService       portainer.ExtensionService
 		dockerClientFactory    *docker.ClientFactory
+		authDisabled           bool
 	}
 
 	// ProxyFactoryParameters is used to create a new ProxyFactory
@@ -47,6 +48,7 @@ type (
 		ReverseTunnelService   portainer.ReverseTunnelService
 		ExtensionService       portainer.ExtensionService
 		DockerClientFactory    *docker.ClientFactory
+		AuthDisabled           bool
 	}
 )
 
@@ -64,6 +66,7 @@ func NewProxyFactory(parameters *ProxyFactoryParameters) *ProxyFactory {
 		reverseTunnelService:   parameters.ReverseTunnelService,
 		extensionService:       parameters.ExtensionService,
 		dockerClientFactory:    parameters.DockerClientFactory,
+		authDisabled:           parameters.AuthDisabled,
 	}
 }
 

api/http/proxy/manager.go

@@ -4,8 +4,8 @@ import (
 	"net/http"
 	"strconv"
 
-	"github.com/orcaman/concurrent-map"
-	"github.com/portainer/portainer/api"
+	cmap "github.com/orcaman/concurrent-map"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/docker"
 	"github.com/portainer/portainer/api/http/proxy/factory"
 )
@@ -34,6 +34,7 @@ type (
 		ReverseTunnelService   portainer.ReverseTunnelService
 		ExtensionService       portainer.ExtensionService
 		DockerClientFactory    *docker.ClientFactory
+		AuthDisabled           bool
 	}
 )
 
@@ -51,6 +52,7 @@ func NewManager(parameters *ManagerParams) *Manager {
 		ReverseTunnelService:   parameters.ReverseTunnelService,
 		ExtensionService:       parameters.ExtensionService,
 		DockerClientFactory:    parameters.DockerClientFactory,
+		AuthDisabled:           parameters.AuthDisabled,
 	}
 
 	return &Manager{

api/http/server.go

@@ -3,6 +3,7 @@ package http
 import (
 	"time"
 
+	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/http/handler/edgegroups"
 	"github.com/portainer/portainer/api/http/handler/edgestacks"
 	"github.com/portainer/portainer/api/http/handler/edgetemplates"
@@ -103,6 +104,7 @@ func (server *Server) Start() error {
 		ReverseTunnelService:   server.ReverseTunnelService,
 		ExtensionService:       server.ExtensionService,
 		DockerClientFactory:    server.DockerClientFactory,
+		AuthDisabled:           server.AuthDisabled,
 	}
 	proxyManager := proxy.NewManager(proxyManagerParameters)
 
@@ -246,7 +248,7 @@ func (server *Server) Start() error {
 	settingsHandler.ExtensionService = server.ExtensionService
 	settingsHandler.AuthorizationService = authorizationService
 
-	var stackHandler = stacks.NewHandler(requestBouncer)
+	var stackHandler = stacks.NewHandler(requestBouncer, server.AuthDisabled)
 	stackHandler.FileService = server.FileService
 	stackHandler.StackService = server.StackService
 	stackHandler.EndpointService = server.EndpointService
@@ -338,8 +340,14 @@ func (server *Server) Start() error {
 		SchedulesHanlder:       schedulesHandler,
 	}
 
-	if server.SSL {
-		return http.ListenAndServeTLS(server.BindAddress, server.SSLCert, server.SSLKey, server.Handler)
+	httpServer := &http.Server{
+		Addr:    server.BindAddress,
+		Handler: server.Handler,
 	}
-	return http.ListenAndServe(server.BindAddress, server.Handler)
+
+	if server.SSL {
+		httpServer.TLSConfig = crypto.CreateServerTLSConfiguration()
+		return httpServer.ListenAndServeTLS(server.SSLCert, server.SSLKey)
+	}
+	return httpServer.ListenAndServe()
 }

api/portainer.go

@@ -420,19 +420,23 @@ type (
 
 	// Settings represents the application settings
 	Settings struct {
-		LogoURL                            string               `json:"LogoURL"`
-		BlackListedLabels                  []Pair               `json:"BlackListedLabels"`
-		AuthenticationMethod               AuthenticationMethod `json:"AuthenticationMethod"`
-		LDAPSettings                       LDAPSettings         `json:"LDAPSettings"`
-		OAuthSettings                      OAuthSettings        `json:"OAuthSettings"`
-		AllowBindMountsForRegularUsers     bool                 `json:"AllowBindMountsForRegularUsers"`
-		AllowPrivilegedModeForRegularUsers bool                 `json:"AllowPrivilegedModeForRegularUsers"`
-		AllowVolumeBrowserForRegularUsers  bool                 `json:"AllowVolumeBrowserForRegularUsers"`
-		SnapshotInterval                   string               `json:"SnapshotInterval"`
-		TemplatesURL                       string               `json:"TemplatesURL"`
-		EnableHostManagementFeatures       bool                 `json:"EnableHostManagementFeatures"`
-		EdgeAgentCheckinInterval           int                  `json:"EdgeAgentCheckinInterval"`
-		EnableEdgeComputeFeatures          bool                 `json:"EnableEdgeComputeFeatures"`
+		LogoURL                                   string               `json:"LogoURL"`
+		BlackListedLabels                         []Pair               `json:"BlackListedLabels"`
+		AuthenticationMethod                      AuthenticationMethod `json:"AuthenticationMethod"`
+		LDAPSettings                              LDAPSettings         `json:"LDAPSettings"`
+		OAuthSettings                             OAuthSettings        `json:"OAuthSettings"`
+		AllowBindMountsForRegularUsers            bool                 `json:"AllowBindMountsForRegularUsers"`
+		AllowPrivilegedModeForRegularUsers        bool                 `json:"AllowPrivilegedModeForRegularUsers"`
+		AllowVolumeBrowserForRegularUsers         bool                 `json:"AllowVolumeBrowserForRegularUsers"`
+		SnapshotInterval                          string               `json:"SnapshotInterval"`
+		TemplatesURL                              string               `json:"TemplatesURL"`
+		EnableHostManagementFeatures              bool                 `json:"EnableHostManagementFeatures"`
+		EdgeAgentCheckinInterval                  int                  `json:"EdgeAgentCheckinInterval"`
+		EnableEdgeComputeFeatures                 bool                 `json:"EnableEdgeComputeFeatures"`
+		AllowStackManagementForRegularUsers       bool                 `json:"AllowStackManagementForRegularUsers"`
+		AllowHostNamespaceForRegularUsers         bool                 `json:"AllowHostNamespaceForRegularUsers"`
+		AllowDeviceMappingForRegularUsers         bool                 `json:"AllowDeviceMappingForRegularUsers"`
+		AllowContainerCapabilitiesForRegularUsers bool                 `json:"AllowContainerCapabilitiesForRegularUsers"`
 
 		// Deprecated fields
 		DisplayDonationHeader       bool
@@ -1007,9 +1011,9 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "1.24.0"
+	APIVersion = "1.25.0"
 	// DBVersion is the version number of the Portainer database
-	DBVersion = 23
+	DBVersion = 24
 	// AssetsServerURL represents the URL of the Portainer asset server
 	AssetsServerURL = "https://portainer-io-assets.sfo2.digitaloceanspaces.com"
 	// MessageOfTheDayURL represents the URL where Portainer MOTD message can be retrieved

api/swagger.yaml

@@ -54,7 +54,7 @@ info:
 
     **NOTE**: You can find more information on how to query the Docker API in the [Docker official documentation](https://docs.docker.com/engine/api/v1.30/) as well as in [this Portainer example](https://gist.github.com/deviantony/77026d402366b4b43fa5918d41bc42f8).
 
-  version: "1.24.0"
+  version: "1.24.1"
   title: "Portainer API"
   contact:
     email: "info@portainer.io"
@@ -3174,7 +3174,7 @@ definitions:
         description: "Is analytics enabled"
       Version:
         type: "string"
-        example: "1.24.0"
+        example: "1.24.1"
         description: "Portainer API version"
   PublicSettingsInspectResponse:
     type: "object"

api/swagger_config.json

@@ -1,5 +1,5 @@
 {
   "packageName": "portainer",
-  "packageVersion": "1.24.0",
+  "packageVersion": "1.24.1",
   "projectName": "portainer"
 }

app/docker/components/datatables/images-datatable/imagesDatatable.html

@@ -120,11 +120,11 @@
                     </div>
                     <div class="menuContent">
                       <div class="md-checkbox">
-                        <input id="filter_usage_usedImages" type="checkbox" ng-model="$ctrl.filters.state.showUsedImages" ng-change="$ctrl.onUsageFilterChange()" />
+                        <input id="filter_usage_usedImages" type="checkbox" ng-model="$ctrl.filters.state.showUsedImages" ng-change="$ctrl.onstateFilterChange()" />
                         <label for="filter_usage_usedImages">Used images</label>
                       </div>
                       <div class="md-checkbox">
-                        <input id="filter_usage_unusedImages" type="checkbox" ng-model="$ctrl.filters.state.showUnusedImages" ng-change="$ctrl.onUsageFilterChange()" />
+                        <input id="filter_usage_unusedImages" type="checkbox" ng-model="$ctrl.filters.state.showUnusedImages" ng-change="$ctrl.onstateFilterChange()" />
                         <label for="filter_usage_unusedImages">Unused images</label>
                       </div>
                     </div>

app/docker/components/datatables/volumes-datatable/volumesDatatable.html

@@ -93,11 +93,11 @@
                     </div>
                     <div class="menuContent">
                       <div class="md-checkbox">
-                        <input id="filter_usage_usedImages" type="checkbox" ng-model="$ctrl.filters.state.showUsedVolumes" ng-change="$ctrl.onUsageFilterChange()" />
+                        <input id="filter_usage_usedImages" type="checkbox" ng-model="$ctrl.filters.state.showUsedVolumes" ng-change="$ctrl.onstateFilterChange()" />
                         <label for="filter_usage_usedImages">Used volumes</label>
                       </div>
                       <div class="md-checkbox">
-                        <input id="filter_usage_unusedImages" type="checkbox" ng-model="$ctrl.filters.state.showUnusedVolumes" ng-change="$ctrl.onUsageFilterChange()" />
+                        <input id="filter_usage_unusedImages" type="checkbox" ng-model="$ctrl.filters.state.showUnusedVolumes" ng-change="$ctrl.onstateFilterChange()" />
                         <label for="filter_usage_unusedImages">Unused volumes</label>
                       </div>
                     </div>

app/docker/components/dockerSidebarContent/docker-sidebar-content.js

@@ -6,5 +6,6 @@ angular.module('portainer.docker').component('dockerSidebarContent', {
     standaloneManagement: '<',
     adminAccess: '<',
     offlineMode: '<',
+    showStacks: '<',
   },
 });

app/docker/components/dockerSidebarContent/dockerSidebarContent.html

@@ -4,7 +4,7 @@
 <li class="sidebar-list" ng-if="!$ctrl.offlineMode" authorization="DockerContainerCreate, PortainerStackCreate">
   <a ui-sref="portainer.templates" ui-sref-active="active">App Templates <span class="menu-icon fa fa-rocket fa-fw"></span></a>
 </li>
-<li class="sidebar-list">
+<li class="sidebar-list" ng-if="$ctrl.showStacks">
   <a ui-sref="portainer.stacks" ui-sref-active="active">Stacks <span class="menu-icon fa fa-th-list fa-fw"></span></a>
 </li>
 <li class="sidebar-list" ng-if="$ctrl.swarmManagement">

app/docker/views/containers/create/createContainerController.js

@@ -30,6 +30,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
   'SettingsService',
   'PluginService',
   'HttpRequestHelper',
+  'ExtensionService',
   function (
     $q,
     $scope,
@@ -55,7 +56,8 @@ angular.module('portainer.docker').controller('CreateContainerController', [
     SystemService,
     SettingsService,
     PluginService,
-    HttpRequestHelper
+    HttpRequestHelper,
+    ExtensionService
   ) {
     $scope.create = create;
 
@@ -603,11 +605,16 @@ angular.module('portainer.docker').controller('CreateContainerController', [
       });
     }
 
-    function initView() {
+    async function initView() {
       var nodeName = $transition$.params().nodeName;
       $scope.formValues.NodeName = nodeName;
       HttpRequestHelper.setPortainerAgentTargetHeader(nodeName);
 
+      $scope.isAdmin = Authentication.isAdmin();
+      $scope.isAdminOrEndpointAdmin = await checkIfAdminOrEndpointAdmin();
+      $scope.showDeviceMapping = await shouldShowDevices($scope.isAdminOrEndpointAdmin);
+      $scope.areContainerCapabilitiesEnabled = await checkIfContainerCapabilitiesEnabled($scope.isAdminOrEndpointAdmin);
+
       Volume.query(
         {},
         function (d) {
@@ -643,7 +650,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
             loadFromContainerSpec();
           } else {
             $scope.fromContainer = {};
-            $scope.formValues.capabilities = new ContainerCapabilities();
+            $scope.formValues.capabilities = $scope.areContainerCapabilitiesEnabled ? new ContainerCapabilities() : [];
           }
         },
         function (e) {
@@ -670,7 +677,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
 
       SettingsService.publicSettings()
         .then(function success(data) {
-          $scope.allowBindMounts = data.AllowBindMountsForRegularUsers;
+          $scope.allowBindMounts = $scope.isAdminOrEndpointAdmin || data.AllowBindMountsForRegularUsers;
           $scope.allowPrivilegedMode = data.AllowPrivilegedModeForRegularUsers;
         })
         .catch(function error(err) {
@@ -680,8 +687,6 @@ angular.module('portainer.docker').controller('CreateContainerController', [
       PluginService.loggingPlugins(apiVersion < 1.25).then(function success(loggingDrivers) {
         $scope.availableLoggingDrivers = loggingDrivers;
       });
-
-      $scope.isAdmin = Authentication.isAdmin();
     }
 
     function validateForm(accessControlData, isAdmin) {
@@ -894,6 +899,27 @@ angular.module('portainer.docker').controller('CreateContainerController', [
       }
     }
 
+    async function shouldShowDevices(isAdminOrEndpointAdmin) {
+      const { allowDeviceMappingForRegularUsers } = $scope.applicationState.application;
+
+      return allowDeviceMappingForRegularUsers || isAdminOrEndpointAdmin;
+    }
+
+    async function checkIfContainerCapabilitiesEnabled(isAdminOrEndpointAdmin) {
+      const { allowContainerCapabilitiesForRegularUsers } = $scope.applicationState.application;
+
+      return allowContainerCapabilitiesForRegularUsers || isAdminOrEndpointAdmin;
+    }
+
+    async function checkIfAdminOrEndpointAdmin() {
+      if (Authentication.isAdmin()) {
+        return true;
+      }
+
+      const rbacEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
+      return rbacEnabled ? Authentication.hasAuthorizations(['EndpointResourcesAccess']) : false;
+    }
+
     initView();
   },
 ]);

app/docker/views/containers/create/createcontainer.html

@@ -185,7 +185,7 @@
           <li class="interactive"><a data-target="#labels" data-toggle="tab">Labels</a></li>
           <li class="interactive"><a data-target="#restart-policy" data-toggle="tab">Restart policy</a></li>
           <li class="interactive"><a data-target="#runtime-resources" ng-click="refreshSlider()" data-toggle="tab">Runtime & Resources</a></li>
-          <li class="interactive"><a data-target="#container-capabilities" data-toggle="tab">Capabilities</a></li>
+          <li ng-if="areContainerCapabilitiesEnabled" class="interactive"><a data-target="#container-capabilities" data-toggle="tab">Capabilities</a></li>
         </ul>
         <!-- tab-content -->
         <div class="tab-content">
@@ -338,8 +338,8 @@
                       </div>
                       <!-- !container-path -->
                       <!-- volume-type -->
-                      <div class="input-group col-sm-5" style="margin-left: 5px;" ng-if="isAdmin || allowBindMounts">
-                        <div class="btn-group btn-group-sm">
+                      <div class="input-group col-sm-5" style="margin-left: 5px;">
+                        <div class="btn-group btn-group-sm" ng-if="allowBindMounts">
                           <label class="btn btn-primary" ng-model="volume.type" uib-btn-radio="'volume'" ng-click="volume.name = ''">Volume</label>
                           <label class="btn btn-primary" ng-model="volume.type" uib-btn-radio="'bind'" ng-click="volume.name = ''">Bind</label>
                         </div>
@@ -629,7 +629,7 @@
             </form>
             <form class="form-horizontal" style="margin-top: 15px;">
               <!-- devices -->
-              <div class="form-group">
+              <div ng-if="showDeviceMapping" class="form-group">
                 <div class="col-sm-12" style="margin-top: 5px;">
                   <label class="control-label text-left">Devices</label>
                   <span class="label label-default interactive" style="margin-left: 10px;" ng-click="addDevice()">

app/docker/views/containers/edit/containerController.js

@@ -21,6 +21,7 @@ angular.module('portainer.docker').controller('ContainerController', [
   'ImageService',
   'HttpRequestHelper',
   'Authentication',
+  'StateManager',
   function (
     $q,
     $scope,
@@ -40,7 +41,8 @@ angular.module('portainer.docker').controller('ContainerController', [
     RegistryService,
     ImageService,
     HttpRequestHelper,
-    Authentication
+    Authentication,
+    StateManager
   ) {
     $scope.activityTime = 0;
     $scope.portBindings = [];
@@ -94,9 +96,13 @@ angular.module('portainer.docker').controller('ContainerController', [
           const inSwarm = $scope.container.Config.Labels['com.docker.swarm.service.id'];
           const autoRemove = $scope.container.HostConfig.AutoRemove;
           const admin = Authentication.isAdmin();
+          const appState = StateManager.getState();
+          const { allowHostNamespaceForRegularUsers, allowDeviceMappingForRegularUsers, allowBindMountsForRegularUsers, allowPrivilegedModeForRegularUsers } = appState.application;
+          const settingRestrictsRegularUsers =
+            !allowBindMountsForRegularUsers || !allowDeviceMappingForRegularUsers || !allowHostNamespaceForRegularUsers || !allowPrivilegedModeForRegularUsers;
 
           ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC).then((rbacEnabled) => {
-            $scope.displayRecreateButton = !inSwarm && !autoRemove && (rbacEnabled ? admin : true);
+            $scope.displayRecreateButton = !inSwarm && !autoRemove && (settingRestrictsRegularUsers || rbacEnabled ? admin : true);
           });
         })
         .catch(function error(err) {

app/docker/views/dashboard/dashboard.html

@@ -81,7 +81,7 @@
 </div>
 
 <div class="row">
-  <div class="col-xs-12 col-md-6">
+  <div class="col-xs-12 col-md-6" ng-if="showStacks">
     <a ui-sref="portainer.stacks">
       <rd-widget>
         <rd-widget-body>

app/docker/views/dashboard/dashboardController.js

@@ -1,6 +1,7 @@
 angular.module('portainer.docker').controller('DashboardController', [
   '$scope',
   '$q',
+  'Authentication',
   'ContainerService',
   'ImageService',
   'NetworkService',
@@ -11,10 +12,12 @@ angular.module('portainer.docker').controller('DashboardController', [
   'EndpointService',
   'Notifications',
   'EndpointProvider',
+  'ExtensionService',
   'StateManager',
   function (
     $scope,
     $q,
+    Authentication,
     ContainerService,
     ImageService,
     NetworkService,
@@ -25,6 +28,7 @@ angular.module('portainer.docker').controller('DashboardController', [
     EndpointService,
     Notifications,
     EndpointProvider,
+    ExtensionService,
     StateManager
   ) {
     $scope.dismissInformationPanel = function (id) {
@@ -32,11 +36,14 @@ angular.module('portainer.docker').controller('DashboardController', [
     };
 
     $scope.offlineMode = false;
+    $scope.showStacks = false;
 
-    function initView() {
+    async function initView() {
       var endpointMode = $scope.applicationState.endpoint.mode;
       var endpointId = EndpointProvider.endpointID();
 
+      $scope.showStacks = await shouldShowStacks();
+
       $q.all({
         containers: ContainerService.containers(1),
         images: ImageService.images(false),
@@ -63,6 +70,19 @@ angular.module('portainer.docker').controller('DashboardController', [
         });
     }
 
+    async function shouldShowStacks() {
+      const isAdmin = !$scope.applicationState.application.authentication || Authentication.isAdmin();
+      const { allowStackManagementForRegularUsers } = $scope.applicationState.application;
+
+      if (isAdmin || allowStackManagementForRegularUsers) {
+        return true;
+      }
+      const rbacEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
+      if (rbacEnabled) {
+        return Authentication.hasAuthorizations(['EndpointResourcesAccess']);
+      }
+    }
+
     initView();
   },
 ]);

app/docker/views/services/create/createServiceController.js

@@ -33,6 +33,7 @@ angular.module('portainer.docker').controller('CreateServiceController', [
   'SettingsService',
   'WebhookService',
   'EndpointProvider',
+  'ExtensionService',
   function (
     $q,
     $scope,
@@ -58,7 +59,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
     NodeService,
     SettingsService,
     WebhookService,
-    EndpointProvider
+    EndpointProvider,
+    ExtensionService
   ) {
     $scope.formValues = {
       Name: '',
@@ -106,6 +108,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
       actionInProgress: false,
     };
 
+    $scope.allowBindMounts = false;
+
     $scope.refreshSlider = function () {
       $timeout(function () {
         $scope.$broadcast('rzSliderForceRender');
@@ -562,8 +566,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
         secrets: apiVersion >= 1.25 ? SecretService.secrets() : [],
         configs: apiVersion >= 1.3 ? ConfigService.configs() : [],
         nodes: NodeService.nodes(),
-        settings: SettingsService.publicSettings(),
         availableLoggingDrivers: PluginService.loggingPlugins(apiVersion < 1.25),
+        allowBindMounts: checkIfAllowedBindMounts(),
       })
         .then(function success(data) {
           $scope.availableVolumes = data.volumes;
@@ -572,8 +576,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
           $scope.availableConfigs = data.configs;
           $scope.availableLoggingDrivers = data.availableLoggingDrivers;
           initSlidersMaxValuesBasedOnNodeData(data.nodes);
-          $scope.allowBindMounts = data.settings.AllowBindMountsForRegularUsers;
           $scope.isAdmin = Authentication.isAdmin();
+          $scope.allowBindMounts = data.allowBindMounts;
         })
         .catch(function error(err) {
           Notifications.error('Failure', err, 'Unable to initialize view');
@@ -581,5 +585,22 @@ angular.module('portainer.docker').controller('CreateServiceController', [
     }
 
     initView();
+
+    async function checkIfAllowedBindMounts() {
+      const isAdmin = Authentication.isAdmin();
+
+      const settings = await SettingsService.publicSettings();
+      const { AllowBindMountsForRegularUsers } = settings;
+
+      if (isAdmin || AllowBindMountsForRegularUsers) {
+        return true;
+      }
+      const rbacEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
+      if (rbacEnabled) {
+        return Authentication.hasAuthorizations(['EndpointResourcesAccess']);
+      }
+
+      return false;
+    }
   },
 ]);

app/docker/views/services/create/createservice.html

@@ -305,7 +305,7 @@
                         <!-- !container-path -->
                         <!-- volume-type -->
                         <div class="input-group col-sm-5" style="margin-left: 5px;">
-                          <div class="btn-group btn-group-sm" ng-if="isAdmin || allowBindMounts">
+                          <div class="btn-group btn-group-sm" ng-if="allowBindMounts">
                             <label class="btn btn-primary" ng-model="volume.Type" uib-btn-radio="'volume'" ng-click="volume.name = ''">Volume</label>
                             <label class="btn btn-primary" ng-model="volume.Type" uib-btn-radio="'bind'" ng-click="volume.Id = ''">Bind</label>
                           </div>

app/docker/views/volumes/volumesController.js

@@ -73,14 +73,16 @@ angular.module('portainer.docker').controller('VolumesController', [
 
       $scope.showBrowseAction = $scope.applicationState.endpoint.mode.agentProxy;
 
-      ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC).then(function success(extensionEnabled) {
-        if (!extensionEnabled) {
-          var isAdmin = Authentication.isAdmin();
-          if (!$scope.applicationState.application.enableVolumeBrowserForNonAdminUsers && !isAdmin) {
-            $scope.showBrowseAction = false;
+      if ($scope.applicationState.application.authentication) {
+        ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC).then(function success(extensionEnabled) {
+          if (!extensionEnabled) {
+            var isAdmin = Authentication.isAdmin();
+            if (!$scope.applicationState.application.enableVolumeBrowserForNonAdminUsers && !isAdmin) {
+              $scope.showBrowseAction = false;
+            }
           }
-        }
-      });
+        });
+      }
     }
 
     initView();

app/extensions/registry-management/services/registryGitlabService.js

@@ -42,7 +42,8 @@ angular.module('portainer.extensions.registrymanagement').factory('RegistryGitla
 
     async function _getRepositoriesPage(params, repositories) {
       const response = await Gitlab().repositories(params).$promise;
-      repositories = _.concat(repositories, response.data);
+      const filteredRepositories = _.filter(response.data, (repository) => repository.tags && repository.tags.length > 0);
+      repositories = _.concat(repositories, filteredRepositories);
       if (response.next) {
         params.page = response.next;
         repositories = await _getRepositoriesPage(params, repositories);

app/extensions/registry-management/views/repositories/registryRepositoriesController.js

@@ -54,8 +54,8 @@ angular.module('portainer.extensions.registrymanagement').controller('RegistryRe
             .then(function success() {
               return RegistryServiceSelector.repositories($scope.registry);
             })
-            .then(function success(data) {
-              $scope.repositories = data;
+            .then(function success(repositories) {
+              $scope.repositories = repositories;
             })
             .catch(function error() {
               $scope.state.displayInvalidConfigurationMessage = true;

app/portainer/components/datatables/genericDatatableController.js

@@ -42,12 +42,11 @@ angular.module('portainer.app').controller('GenericDatatableController', [
       DatatableService.setDataTableTextFilters(this.tableKey, this.state.textFilter);
     };
 
-    this.changeOrderBy = changeOrderBy.bind(this);
-    function changeOrderBy(orderField) {
+    this.changeOrderBy = function changeOrderBy(orderField) {
       this.state.reverseOrder = this.state.orderBy === orderField ? !this.state.reverseOrder : false;
       this.state.orderBy = orderField;
       DatatableService.setDataTableOrder(this.tableKey, orderField, this.state.reverseOrder);
-    }
+    };
 
     this.selectItem = function (item, event) {
       // Handle range select using shift

app/portainer/components/datatables/stacks-datatable/stacksDatatable.html

@@ -2,7 +2,7 @@
   <rd-widget>
     <rd-widget-body classes="no-padding">
       <div class="toolBar">
-        <div class="toolBarTitle"> <i class="fa" ng-class="$ctrl.titleIcon" aria-hidden="true" style="margin-right: 2px;"></i> {{ $ctrl.titleText }} </div>
+        <div class="toolBarTitle"><i class="fa" ng-class="$ctrl.titleIcon" aria-hidden="true" style="margin-right: 2px;"></i> {{ $ctrl.titleText }} </div>
         <div class="settings">
           <span class="setting" ng-class="{ 'setting-active': $ctrl.settings.open }" uib-dropdown dropdown-append-to-body auto-close="disabled" is-open="$ctrl.settings.open">
             <span uib-dropdown-toggle><i class="fa fa-cog" aria-hidden="true"></i> Settings</span>
@@ -52,7 +52,7 @@
         >
           <i class="fa fa-trash-alt space-right" aria-hidden="true"></i>Remove
         </button>
-        <button type="button" class="btn btn-sm btn-primary" ui-sref="portainer.stacks.newstack" authorization="PortainerStackCreate">
+        <button type="button" class="btn btn-sm btn-primary" ui-sref="portainer.stacks.newstack" ng-disabled="!$ctrl.createEnabled" authorization="PortainerStackCreate">
           <i class="fa fa-plus space-right" aria-hidden="true"></i>Add stack
         </button>
       </div>
@@ -144,7 +144,10 @@
         </table>
       </div>
       <div class="footer" ng-if="$ctrl.dataset">
-        <div class="infoBar" ng-if="$ctrl.state.selectedItemCount !== 0"> {{ $ctrl.state.selectedItemCount }} item(s) selected </div>
+        <div class="infoBar" ng-if="$ctrl.state.selectedItemCount !== 0">
+          {{ $ctrl.state.selectedItemCount }}
+          item(s) selected
+        </div>
         <div class="paginationControls">
           <form class="form-inline">
             <span class="limitSelector">

app/portainer/components/datatables/stacks-datatable/stacksDatatable.js

@@ -12,5 +12,6 @@ angular.module('portainer.app').component('stacksDatatable', {
     removeAction: '<',
     offlineMode: '<',
     refreshCallback: '<',
+    createEnabled: '<',
   },
 });

app/portainer/models/settings.js

@@ -13,6 +13,10 @@ export function SettingsViewModel(data) {
   this.EnableHostManagementFeatures = data.EnableHostManagementFeatures;
   this.EdgeAgentCheckinInterval = data.EdgeAgentCheckinInterval;
   this.EnableEdgeComputeFeatures = data.EnableEdgeComputeFeatures;
+  this.AllowStackManagementForRegularUsers = data.AllowStackManagementForRegularUsers;
+  this.AllowHostNamespaceForRegularUsers = data.AllowHostNamespaceForRegularUsers;
+  this.AllowDeviceMappingForRegularUsers = data.AllowDeviceMappingForRegularUsers;
+  this.AllowContainerCapabilitiesForRegularUsers = data.AllowContainerCapabilitiesForRegularUsers;
 }
 
 export function PublicSettingsViewModel(settings) {
@@ -25,6 +29,10 @@ export function PublicSettingsViewModel(settings) {
   this.EnableEdgeComputeFeatures = settings.EnableEdgeComputeFeatures;
   this.LogoURL = settings.LogoURL;
   this.OAuthLoginURI = settings.OAuthLoginURI;
+  this.AllowStackManagementForRegularUsers = settings.AllowStackManagementForRegularUsers;
+  this.AllowDeviceMappingForRegularUsers = settings.AllowDeviceMappingForRegularUsers;
+  this.AllowHostNamespaceForRegularUsers = settings.AllowHostNamespaceForRegularUsers;
+  this.AllowContainerCapabilitiesForRegularUsers = settings.AllowContainerCapabilitiesForRegularUsers;
 }
 
 export function LDAPSettingsViewModel(data) {

app/portainer/services/authentication.js

@@ -37,7 +37,7 @@ angular.module('portainer.app').factory('Authentication', [
     function logout() {
       StateManager.clean();
       EndpointProvider.clean();
-      LocalStorage.clean();
+      LocalStorage.cleanAuthData();
       LocalStorage.storeLoginStateUUID('');
     }
 

app/portainer/services/endpointProvider.js

@@ -24,6 +24,7 @@ angular.module('portainer.app').factory('EndpointProvider', [
     };
 
     service.clean = function () {
+      LocalStorage.cleanEndpointData();
       endpoint = {};
     };
 

app/portainer/services/localStorage.js

@@ -1,7 +1,6 @@
 angular.module('portainer.app').factory('LocalStorage', [
   'localStorageService',
   function LocalStorageFactory(localStorageService) {
-    'use strict';
     return {
       storeEndpointID: function (id) {
         localStorageService.set('ENDPOINT_ID', id);
@@ -16,10 +15,10 @@ angular.module('portainer.app').factory('LocalStorage', [
         return localStorageService.get('ENDPOINT_PUBLIC_URL');
       },
       storeLoginStateUUID: function (uuid) {
-        localStorageService.cookie.set('LOGIN_STATE_UUID', uuid);
+        localStorageService.set('LOGIN_STATE_UUID', uuid);
       },
       getLoginStateUUID: function () {
-        return localStorageService.cookie.get('LOGIN_STATE_UUID');
+        return localStorageService.get('LOGIN_STATE_UUID');
       },
       storeOfflineMode: function (isOffline) {
         localStorageService.set('ENDPOINT_OFFLINE_MODE', isOffline);
@@ -46,10 +45,10 @@ angular.module('portainer.app').factory('LocalStorage', [
         return localStorageService.get('APPLICATION_STATE');
       },
       storeUIState: function (state) {
-        localStorageService.cookie.set('UI_STATE', state);
+        localStorageService.set('UI_STATE', state);
       },
       getUIState: function () {
-        return localStorageService.cookie.get('UI_STATE');
+        return localStorageService.get('UI_STATE');
       },
       storeExtensionState: function (state) {
         localStorageService.set('EXTENSION_STATE', state);
@@ -67,40 +66,40 @@ angular.module('portainer.app').factory('LocalStorage', [
         localStorageService.remove('JWT');
       },
       storePaginationLimit: function (key, count) {
-        localStorageService.cookie.set('datatable_pagination_' + key, count);
+        localStorageService.set('datatable_pagination_' + key, count);
       },
       getPaginationLimit: function (key) {
-        return localStorageService.cookie.get('datatable_pagination_' + key);
+        return localStorageService.get('datatable_pagination_' + key);
       },
       getDataTableOrder: function (key) {
-        return localStorageService.cookie.get('datatable_order_' + key);
+        return localStorageService.get('datatable_order_' + key);
       },
       storeDataTableOrder: function (key, data) {
-        localStorageService.cookie.set('datatable_order_' + key, data);
+        localStorageService.set('datatable_order_' + key, data);
       },
       getDataTableTextFilters: function (key) {
-        return localStorageService.cookie.get('datatable_text_filter_' + key);
+        return localStorageService.get('datatable_text_filter_' + key);
       },
       storeDataTableTextFilters: function (key, data) {
-        localStorageService.cookie.set('datatable_text_filter_' + key, data);
+        localStorageService.set('datatable_text_filter_' + key, data);
       },
       getDataTableFilters: function (key) {
-        return localStorageService.cookie.get('datatable_filters_' + key);
+        return localStorageService.get('datatable_filters_' + key);
       },
       storeDataTableFilters: function (key, data) {
-        localStorageService.cookie.set('datatable_filters_' + key, data);
+        localStorageService.set('datatable_filters_' + key, data);
       },
       getDataTableSettings: function (key) {
-        return localStorageService.cookie.get('datatable_settings_' + key);
+        return localStorageService.get('datatable_settings_' + key);
       },
       storeDataTableSettings: function (key, data) {
-        localStorageService.cookie.set('datatable_settings_' + key, data);
+        localStorageService.set('datatable_settings_' + key, data);
       },
       getDataTableExpandedItems: function (key) {
-        return localStorageService.cookie.get('datatable_expandeditems_' + key);
+        return localStorageService.get('datatable_expandeditems_' + key);
       },
       storeDataTableExpandedItems: function (key, data) {
-        localStorageService.cookie.set('datatable_expandeditems_' + key, data);
+        localStorageService.set('datatable_expandeditems_' + key, data);
       },
       getDataTableSelectedItems: function (key) {
         return localStorageService.get('datatable_selecteditems_' + key);
@@ -109,16 +108,16 @@ angular.module('portainer.app').factory('LocalStorage', [
         localStorageService.set('datatable_selecteditems_' + key, data);
       },
       storeSwarmVisualizerSettings: function (key, data) {
-        localStorageService.cookie.set('swarmvisualizer_' + key, data);
+        localStorageService.set('swarmvisualizer_' + key, data);
       },
       getSwarmVisualizerSettings: function (key) {
-        return localStorageService.cookie.get('swarmvisualizer_' + key);
+        return localStorageService.get('swarmvisualizer_' + key);
       },
       storeColumnVisibilitySettings: function (key, data) {
-        localStorageService.cookie.set('col_visibility_' + key, data);
+        localStorageService.set('col_visibility_' + key, data);
       },
       getColumnVisibilitySettings: function (key) {
-        return localStorageService.cookie.get('col_visibility_' + key);
+        return localStorageService.get('col_visibility_' + key);
       },
       storeJobImage: function (data) {
         localStorageService.set('job_image', data);
@@ -126,12 +125,24 @@ angular.module('portainer.app').factory('LocalStorage', [
       getJobImage: function () {
         return localStorageService.get('job_image');
       },
+      storeToolbarToggle(value) {
+        localStorageService.set('toolbar_toggle', value);
+      },
+      getToolbarToggle() {
+        return localStorageService.get('toolbar_toggle');
+      },
       storeLogoutReason: (reason) => localStorageService.set('logout_reason', reason),
       getLogoutReason: () => localStorageService.get('logout_reason'),
       cleanLogoutReason: () => localStorageService.remove('logout_reason'),
       clean: function () {
         localStorageService.clearAll();
       },
+      cleanAuthData() {
+        localStorageService.remove('JWT', 'EXTENSION_STATE', 'APPLICATION_STATE', 'LOGIN_STATE_UUID');
+      },
+      cleanEndpointData() {
+        localStorageService.remove('ENDPOINT_ID', 'ENDPOINT_PUBLIC_URL', 'ENDPOINT_OFFLINE_MODE', 'ENDPOINTS_DATA', 'ENDPOINT_STATE');
+      },
     };
   },
 ]);

app/portainer/services/modalService.js

@@ -225,6 +225,23 @@ angular.module('portainer.app').factory('ModalService', [
       );
     };
 
+    service.upgradeNotification = function () {
+      bootbox.dialog({
+        size: 'extra-large',
+        title: 'Upgrade notification',
+        message: `You are currently using version 1.x of Portainer, which is no longer supported maintained or enhanced. Continuing to use this version is at your own risk.
+        <br/><br/>Please upgrade immediately by using the tag <code>portainer/portainer-ce:2.0.1</code>
+        <br/><br/>If you decide to stay on version 1, please use the tag <code>portainer/portainer:1.24.2</code> to prevent automatically upgrading to version 2, as <code>portainer:latest</code> will be updated to version 2 from May.`,
+        onEscape: false,
+        buttons: {
+          Close: {
+            label: 'Close',
+            className: 'btn-primary',
+          },
+        },
+      });
+    };
+
     return service;
   },
 ]);

app/portainer/services/stateManager.js

@@ -76,6 +76,36 @@ angular.module('portainer.app').factory('StateManager', [
       LocalStorage.storeApplicationState(state.application);
     };
 
+    manager.updateAllowStackManagementForRegularUsers = function updateAllowStackManagementForRegularUsers(allowStackManagementForRegularUsers) {
+      state.application.allowStackManagementForRegularUsers = allowStackManagementForRegularUsers;
+      LocalStorage.storeApplicationState(state.application);
+    };
+
+    manager.updateAllowDeviceMappingForRegularUsers = function updateAllowDeviceMappingForRegularUsers(allowDeviceMappingForRegularUsers) {
+      state.application.allowDeviceMappingForRegularUsers = allowDeviceMappingForRegularUsers;
+      LocalStorage.storeApplicationState(state.application);
+    };
+
+    manager.updateAllowHostNamespaceForRegularUsers = function (allowHostNamespaceForRegularUsers) {
+      state.application.allowHostNamespaceForRegularUsers = allowHostNamespaceForRegularUsers;
+      LocalStorage.storeApplicationState(state.application);
+    };
+
+    manager.updateAllowBindMountsForRegularUsers = function updateAllowBindMountsForRegularUsers(allowBindMountsForRegularUsers) {
+      state.application.allowBindMountsForRegularUsers = allowBindMountsForRegularUsers;
+      LocalStorage.storeApplicationState(state.application);
+    };
+
+    manager.updateAllowPrivilegedModeForRegularUsers = function (AllowPrivilegedModeForRegularUsers) {
+      state.application.allowPrivilegedModeForRegularUsers = AllowPrivilegedModeForRegularUsers;
+      LocalStorage.storeApplicationState(state.application);
+    };
+
+    manager.updateAllowContainerCapabilitiesForRegularUsers = function updateAllowContainerCapabilitiesForRegularUsers(allowContainerCapabilitiesForRegularUsers) {
+      state.application.allowContainerCapabilitiesForRegularUsers = allowContainerCapabilitiesForRegularUsers;
+      LocalStorage.storeApplicationState(state.application);
+    };
+
     function assignStateFromStatusAndSettings(status, settings) {
       state.application.authentication = status.Authentication;
       state.application.analytics = status.Analytics;
@@ -87,6 +117,12 @@ angular.module('portainer.app').factory('StateManager', [
       state.application.enableHostManagementFeatures = settings.EnableHostManagementFeatures;
       state.application.enableVolumeBrowserForNonAdminUsers = settings.AllowVolumeBrowserForRegularUsers;
       state.application.enableEdgeComputeFeatures = settings.EnableEdgeComputeFeatures;
+      state.application.allowStackManagementForRegularUsers = settings.AllowStackManagementForRegularUsers;
+      state.application.allowBindMountsForRegularUsers = settings.AllowBindMountsForRegularUsers;
+      state.application.allowPrivilegedModeForRegularUsers = settings.AllowPrivilegedModeForRegularUsers;
+      state.application.allowDeviceMappingForRegularUsers = settings.AllowDeviceMappingForRegularUsers;
+      state.application.allowHostNamespaceForRegularUsers = settings.AllowHostNamespaceForRegularUsers;
+      state.application.allowContainerCapabilitiesForRegularUsers = settings.AllowContainerCapabilitiesForRegularUsers;
       state.application.validity = moment().unix();
     }
 

app/portainer/views/auth/authController.js

@@ -19,7 +19,8 @@ class AuthenticationController {
     SettingsService,
     URLHelper,
     LocalStorage,
-    StatusService
+    StatusService,
+    ModalService
   ) {
     this.$async = $async;
     this.$scope = $scope;
@@ -37,6 +38,7 @@ class AuthenticationController {
     this.URLHelper = URLHelper;
     this.LocalStorage = LocalStorage;
     this.StatusService = StatusService;
+    this.ModalService = ModalService;
 
     this.logo = this.StateManager.getState().application.logo;
     this.formValues = {
@@ -157,6 +159,7 @@ class AuthenticationController {
       }
     } finally {
       this.StateManager.setVersionInfo(versionInfo);
+      this.ModalService.upgradeNotification();
     }
   }
 

app/portainer/views/extensions/extensions.html

@@ -102,8 +102,10 @@
                 button-spinner="state.actionInProgress"
                 style="margin-left: 0px;"
               >
-                <span ng-hide="state.actionInProgress">Enable extension</span>
-                <span ng-show="state.actionInProgress">Enabling extension...</span>
+                <span ng-hide="state.actionInProgress" ng-if="!state.updateLicense">Enable extension</span>
+                <span ng-show="state.actionInProgress" ng-if="!state.updateLicense">Enabling extension...</span>
+                <span ng-hide="state.actionInProgress" ng-if="state.updateLicense">Update license</span>
+                <span ng-show="state.actionInProgress" ng-if="state.updateLicense">Updating license...</span>
               </button>
             </div>
           </div>

app/portainer/views/extensions/extensionsController.js

@@ -1,4 +1,5 @@
 import moment from 'moment';
+import _ from 'lodash-es';
 
 angular.module('portainer.app').controller('ExtensionsController', [
   '$scope',
@@ -9,6 +10,7 @@ angular.module('portainer.app').controller('ExtensionsController', [
     $scope.state = {
       actionInProgress: false,
       currentDate: moment().format('YYYY-MM-dd'),
+      updateLicense: false,
     };
 
     $scope.formValues = {
@@ -59,6 +61,15 @@ angular.module('portainer.app').controller('ExtensionsController', [
         valid = false;
       }
 
+      const licensePrefix = $scope.formValues.License[0];
+
+      $scope.state.updateLicense = false;
+      _.forEach($scope.extensions, (extension) => {
+        if (licensePrefix === '' + extension.Id && extension.Enabled) {
+          $scope.state.updateLicense = true;
+        }
+      });
+
       form.extension_license.$setValidity('invalidLicense', valid);
     };
 

app/portainer/views/main/mainController.js

@@ -1,9 +1,9 @@
 angular.module('portainer.app').controller('MainController', [
   '$scope',
-  '$cookieStore',
+  'LocalStorage',
   'StateManager',
   'EndpointProvider',
-  function ($scope, $cookieStore, StateManager, EndpointProvider) {
+  function ($scope, LocalStorage, StateManager, EndpointProvider) {
     /**
      * Sidebar Toggle & Cookie Control
      */
@@ -17,11 +17,8 @@ angular.module('portainer.app').controller('MainController', [
 
     $scope.$watch($scope.getWidth, function (newValue) {
       if (newValue >= mobileView) {
-        if (angular.isDefined($cookieStore.get('toggle'))) {
-          $scope.toggle = !$cookieStore.get('toggle') ? false : true;
-        } else {
-          $scope.toggle = true;
-        }
+        const toggleValue = LocalStorage.getToolbarToggle();
+        $scope.toggle = typeof toggleValue === 'boolean' ? toggleValue : true;
       } else {
         $scope.toggle = false;
       }
@@ -29,7 +26,7 @@ angular.module('portainer.app').controller('MainController', [
 
     $scope.toggleSidebar = function () {
       $scope.toggle = !$scope.toggle;
-      $cookieStore.put('toggle', $scope.toggle);
+      LocalStorage.storeToolbarToggle($scope.toggle);
     };
 
     window.onresize = function () {

app/portainer/views/settings/settings.html

@@ -120,6 +120,55 @@
               </label>
             </div>
           </div>
+          <div class="form-group">
+            <div class="col-sm-12">
+              <label for="toggle_disableStackManagementForRegularUsers" class="control-label text-left">
+                Disable the use of Stacks for non-administrators
+              </label>
+              <label class="switch" style="margin-left: 20px;">
+                <input type="checkbox" name="toggle_disableStackManagementForRegularUsers" ng-model="formValues.disableStackManagementForRegularUsers" /><i></i>
+              </label>
+            </div>
+          </div>
+          <div class="form-group">
+            <div class="col-sm-12">
+              <label for="toggle_allowHostNamespaceForRegularUsers" class="control-label text-left">
+                Disable the use of host PID 1 for non-administrators
+                <portainer-tooltip position="bottom" message="Prevent users from accessing the host filesystem through the host PID namespace."></portainer-tooltip>
+              </label>
+              <label class="switch" style="margin-left: 20px;">
+                <input type="checkbox" name="toggle_allowHostNamespaceForRegularUsers" ng-model="formValues.restrictHostNamespaceForRegularUsers" /><i></i>
+              </label>
+            </div>
+          </div>
+
+          <div class="form-group">
+            <div class="col-sm-12">
+              <label for="toggle_disableDeviceMappingForRegularUsers" class="control-label text-left">
+                Disable device mappings for non-administrators
+              </label>
+              <label class="switch" style="margin-left: 20px;">
+                <input type="checkbox" name="toggle_disableDeviceMappingForRegularUsers" ng-model="formValues.disableDeviceMappingForRegularUsers" /><i></i>
+              </label>
+            </div>
+          </div>
+
+          <div class="form-group">
+            <div class="col-sm-12">
+              <label for="toggle_disableContainerCapabilitiesForRegularUsers" class="control-label text-left">
+                Disable container capabilities for non-administrators
+              </label>
+              <label class="switch" style="margin-left: 20px;">
+                <input type="checkbox" name="toggle_disableContainerCapabilitiesForRegularUsers" ng-model="formValues.disableContainerCapabilitiesForRegularUsers" /><i></i>
+              </label>
+            </div>
+          </div>
+
+          <div class="form-group" ng-if="isContainerEditDisabled()">
+            <span class="col-sm-12 text-muted small">
+              Note: The recreate/duplicate/edit feature is currently disabled (for non-admin users) by one or more security settings.
+            </span>
+          </div>
           <!-- !security -->
           <!-- edge -->
           <div class="col-sm-12 form-section-title">

app/portainer/views/settings/settingsController.js

@@ -33,6 +33,23 @@ angular.module('portainer.app').controller('SettingsController', [
       enableHostManagementFeatures: false,
       enableVolumeBrowser: false,
       enableEdgeComputeFeatures: false,
+      allowStackManagementForRegularUsers: false,
+      restrictHostNamespaceForRegularUsers: false,
+      allowDeviceMappingForRegularUsers: false,
+      disableContainerCapabilitiesForRegularUsers: false,
+    };
+
+    $scope.isContainerEditDisabled = function isContainerEditDisabled() {
+      const {
+        restrictBindMounts,
+        restrictHostNamespaceForRegularUsers,
+        restrictPrivilegedMode,
+        disableDeviceMappingForRegularUsers,
+        disableContainerCapabilitiesForRegularUsers,
+      } = this.formValues;
+      return (
+        restrictBindMounts || restrictHostNamespaceForRegularUsers || restrictPrivilegedMode || disableDeviceMappingForRegularUsers || disableContainerCapabilitiesForRegularUsers
+      );
     };
 
     $scope.removeFilteredContainerLabel = function (index) {
@@ -69,6 +86,10 @@ angular.module('portainer.app').controller('SettingsController', [
       settings.AllowVolumeBrowserForRegularUsers = $scope.formValues.enableVolumeBrowser;
       settings.EnableHostManagementFeatures = $scope.formValues.enableHostManagementFeatures;
       settings.EnableEdgeComputeFeatures = $scope.formValues.enableEdgeComputeFeatures;
+      settings.AllowStackManagementForRegularUsers = !$scope.formValues.disableStackManagementForRegularUsers;
+      settings.AllowHostNamespaceForRegularUsers = !$scope.formValues.restrictHostNamespaceForRegularUsers;
+      settings.AllowDeviceMappingForRegularUsers = !$scope.formValues.disableDeviceMappingForRegularUsers;
+      settings.AllowContainerCapabilitiesForRegularUsers = !$scope.formValues.disableContainerCapabilitiesForRegularUsers;
 
       $scope.state.actionInProgress = true;
       updateSettings(settings);
@@ -83,6 +104,12 @@ angular.module('portainer.app').controller('SettingsController', [
           StateManager.updateEnableHostManagementFeatures(settings.EnableHostManagementFeatures);
           StateManager.updateEnableVolumeBrowserForNonAdminUsers(settings.AllowVolumeBrowserForRegularUsers);
           StateManager.updateEnableEdgeComputeFeatures(settings.EnableEdgeComputeFeatures);
+          StateManager.updateAllowStackManagementForRegularUsers(settings.AllowStackManagementForRegularUsers);
+          StateManager.updateAllowHostNamespaceForRegularUsers(settings.AllowHostNamespaceForRegularUsers);
+          StateManager.updateAllowDeviceMappingForRegularUsers(settings.AllowDeviceMappingForRegularUsers);
+          StateManager.updateAllowPrivilegedModeForRegularUsers(settings.AllowPrivilegedModeForRegularUsers);
+          StateManager.updateAllowBindMountsForRegularUsers(settings.AllowBindMountsForRegularUsers);
+          StateManager.updateAllowContainerCapabilitiesForRegularUsers(settings.AllowContainerCapabilitiesForRegularUsers);
           $state.reload();
         })
         .catch(function error(err) {
@@ -109,6 +136,10 @@ angular.module('portainer.app').controller('SettingsController', [
           $scope.formValues.enableVolumeBrowser = settings.AllowVolumeBrowserForRegularUsers;
           $scope.formValues.enableHostManagementFeatures = settings.EnableHostManagementFeatures;
           $scope.formValues.enableEdgeComputeFeatures = settings.EnableEdgeComputeFeatures;
+          $scope.formValues.disableStackManagementForRegularUsers = !settings.AllowStackManagementForRegularUsers;
+          $scope.formValues.restrictHostNamespaceForRegularUsers = !settings.AllowHostNamespaceForRegularUsers;
+          $scope.formValues.disableDeviceMappingForRegularUsers = !settings.AllowDeviceMappingForRegularUsers;
+          $scope.formValues.disableContainerCapabilitiesForRegularUsers = !settings.AllowContainerCapabilitiesForRegularUsers;
         })
         .catch(function error(err) {
           Notifications.error('Failure', err, 'Unable to retrieve application settings');

app/portainer/views/sidebar/sidebar.html

@@ -21,6 +21,7 @@
         standalone-management="applicationState.endpoint.mode.provider === 'DOCKER_STANDALONE' || applicationState.endpoint.mode.provider === 'VMWARE_VIC'"
         admin-access="!applicationState.application.authentication || isAdmin"
         offline-mode="endpointState.OfflineMode"
+        show-stacks="showStacks"
       ></docker-sidebar-content>
       <li class="sidebar-title" authorization="IntegrationStoridgeAdmin" ng-if="applicationState.endpoint.mode && applicationState.endpoint.extensions.length > 0">
         <span>Integrations</span>

app/portainer/views/sidebar/sidebarController.js

@@ -1,11 +1,13 @@
 angular.module('portainer.app').controller('SidebarController', [
   '$q',
   '$scope',
+  '$transitions',
   'StateManager',
   'Notifications',
   'Authentication',
   'UserService',
-  function ($q, $scope, StateManager, Notifications, Authentication, UserService) {
+  'ExtensionService',
+  function ($q, $scope, $transitions, StateManager, Notifications, Authentication, UserService, ExtensionService) {
     function checkPermissions(memberships) {
       var isLeader = false;
       angular.forEach(memberships, function (membership) {
@@ -16,9 +18,10 @@ angular.module('portainer.app').controller('SidebarController', [
       $scope.isTeamLeader = isLeader;
     }
 
-    function initView() {
+    async function initView() {
       $scope.uiVersion = StateManager.getState().application.version;
       $scope.logo = StateManager.getState().application.logo;
+      $scope.showStacks = await shouldShowStacks();
 
       var authenticationEnabled = $scope.applicationState.application.authentication;
       if (authenticationEnabled) {
@@ -37,5 +40,24 @@ angular.module('portainer.app').controller('SidebarController', [
     }
 
     initView();
+
+    async function shouldShowStacks() {
+      const isAdmin = !$scope.applicationState.application.authentication || Authentication.isAdmin();
+      const { allowStackManagementForRegularUsers } = $scope.applicationState.application;
+
+      if (isAdmin || allowStackManagementForRegularUsers) {
+        return true;
+      }
+      const rbacEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
+      if (rbacEnabled) {
+        return Authentication.hasAuthorizations(['EndpointResourcesAccess']);
+      }
+
+      return false;
+    }
+
+    $transitions.onEnter({}, async () => {
+      $scope.showStacks = await shouldShowStacks();
+    });
   },
 ]);

app/portainer/views/stacks/stacks.html

@@ -19,6 +19,7 @@
       show-ownership-column="applicationState.application.authentication"
       offline-mode="offlineMode"
       refresh-callback="getStacks"
+      create-enabled="createEnabled"
     ></stacks-datatable>
   </div>
 </div>

app/portainer/views/stacks/stacksController.js

@@ -1,65 +1,85 @@
-angular.module('portainer.app').controller('StacksController', [
-  '$scope',
-  '$state',
-  'Notifications',
-  'StackService',
-  'ModalService',
-  'EndpointProvider',
-  function ($scope, $state, Notifications, StackService, ModalService, EndpointProvider) {
-    $scope.removeAction = function (selectedItems) {
-      ModalService.confirmDeletion('Do you want to remove the selected stack(s)? Associated services will be removed as well.', function onConfirm(confirmed) {
-        if (!confirmed) {
-          return;
-        }
-        deleteSelectedStacks(selectedItems);
-      });
-    };
+angular.module('portainer.app').controller('StacksController', StacksController);
 
-    function deleteSelectedStacks(stacks) {
-      var endpointId = EndpointProvider.endpointID();
-      var actionCount = stacks.length;
-      angular.forEach(stacks, function (stack) {
-        StackService.remove(stack, stack.External, endpointId)
-          .then(function success() {
-            Notifications.success('Stack successfully removed', stack.Name);
-            var index = $scope.stacks.indexOf(stack);
-            $scope.stacks.splice(index, 1);
-          })
-          .catch(function error(err) {
-            Notifications.error('Failure', err, 'Unable to remove stack ' + stack.Name);
-          })
-          .finally(function final() {
-            --actionCount;
-            if (actionCount === 0) {
-              $state.reload();
-            }
-          });
-      });
-    }
+/* @ngInject */
+function StacksController($scope, $state, Notifications, StackService, ModalService, EndpointProvider, Authentication, StateManager, ExtensionService) {
+  $scope.removeAction = function (selectedItems) {
+    ModalService.confirmDeletion('Do you want to remove the selected stack(s)? Associated services will be removed as well.', function onConfirm(confirmed) {
+      if (!confirmed) {
+        return;
+      }
+      deleteSelectedStacks(selectedItems);
+    });
+  };
 
-    $scope.offlineMode = false;
-
-    $scope.getStacks = getStacks;
-    function getStacks() {
-      var endpointMode = $scope.applicationState.endpoint.mode;
-      var endpointId = EndpointProvider.endpointID();
-
-      StackService.stacks(true, endpointMode.provider === 'DOCKER_SWARM_MODE' && endpointMode.role === 'MANAGER', endpointId)
-        .then(function success(data) {
-          var stacks = data;
-          $scope.stacks = stacks;
-          $scope.offlineMode = EndpointProvider.offlineMode();
+  function deleteSelectedStacks(stacks) {
+    var endpointId = EndpointProvider.endpointID();
+    var actionCount = stacks.length;
+    angular.forEach(stacks, function (stack) {
+      StackService.remove(stack, stack.External, endpointId)
+        .then(function success() {
+          Notifications.success('Stack successfully removed', stack.Name);
+          var index = $scope.stacks.indexOf(stack);
+          $scope.stacks.splice(index, 1);
         })
         .catch(function error(err) {
-          $scope.stacks = [];
-          Notifications.error('Failure', err, 'Unable to retrieve stacks');
+          Notifications.error('Failure', err, 'Unable to remove stack ' + stack.Name);
+        })
+        .finally(function final() {
+          --actionCount;
+          if (actionCount === 0) {
+            $state.reload();
+          }
         });
+    });
+  }
+
+  $scope.offlineMode = false;
+  $scope.createEnabled = false;
+
+  $scope.getStacks = getStacks;
+
+  function getStacks() {
+    var endpointMode = $scope.applicationState.endpoint.mode;
+    var endpointId = EndpointProvider.endpointID();
+
+    StackService.stacks(true, endpointMode.provider === 'DOCKER_SWARM_MODE' && endpointMode.role === 'MANAGER', endpointId)
+      .then(function success(data) {
+        var stacks = data;
+        $scope.stacks = stacks;
+        $scope.offlineMode = EndpointProvider.offlineMode();
+      })
+      .catch(function error(err) {
+        $scope.stacks = [];
+        Notifications.error('Failure', err, 'Unable to retrieve stacks');
+      });
+  }
+
+  async function loadCreateEnabled() {
+    const appState = StateManager.getState().application;
+    if (appState.allowStackManagementForRegularUsers) {
+      return true;
     }
 
-    function initView() {
-      getStacks();
+    let isAdmin = true;
+    if (appState.authentication) {
+      isAdmin = Authentication.isAdmin();
+    }
+    if (isAdmin) {
+      return true;
     }
 
-    initView();
-  },
-]);
+    const RBACExtensionEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
+    if (!RBACExtensionEnabled) {
+      return false;
+    }
+
+    return Authentication.hasAuthorizations(['EndpointResourcesAccess']);
+  }
+
+  async function initView() {
+    getStacks();
+    $scope.createEnabled = await loadCreateEnabled();
+  }
+
+  initView();
+}

build/build_binary_azuredevops.ps1

@@ -1,24 +0,0 @@
-param (
-  [string]$platform,
-  [string]$arch
-)
-
-$ErrorActionPreference = "Stop";
-
-$binary = "portainer.exe"
-$go_path = "$($(Get-ITEM -Path env:AGENT_TEMPDIRECTORY).Value)\go"
-
-Set-Item env:GOPATH "$go_path"
-
-New-Item -Name dist -Path "." -ItemType Directory -Force | Out-Null
-New-Item -Name portainer -Path "$go_path\src\github.com\portainer" -ItemType Directory -Force | Out-Null
-
-Copy-Item -Path "api" -Destination "$go_path\src\github.com\portainer\portainer\api" -Recurse -Force
-
-Set-Location -Path "api\cmd\portainer"
-
-go get -t -d -v ./...
-## go build -v
-& cmd /c 'go build -v 2>&1'
-
-Copy-Item -Path "portainer.exe" -Destination "$($env:BUILD_SOURCESDIRECTORY)\dist\portainer.exe" -Force 

build/build_binary_azuredevops.sh

@@ -1,3 +1,8 @@
+#!/usr/bin/env bash
+
+PLATFORM=$1
+ARCH=$2
+
 export GOPATH="/tmp/go"
 
 binary="portainer"
@@ -10,6 +15,10 @@ cp -R api ${GOPATH}/src/github.com/portainer/portainer/api
 cd 'api/cmd/portainer'
 
 go get -t -d -v ./...
-GOOS=$1 GOARCH=$2 CGO_ENABLED=0 go build -a --installsuffix cgo --ldflags '-s'
+GOOS=${PLATFORM} GOARCH=${ARCH} CGO_ENABLED=0 go build -a --installsuffix cgo --ldflags '-s'
 
-mv "$BUILD_SOURCESDIRECTORY/api/cmd/portainer/$binary" "$BUILD_SOURCESDIRECTORY/dist/portainer"
+if [ "${PLATFORM}" == 'windows' ]; then
+  mv "$BUILD_SOURCESDIRECTORY/api/cmd/portainer/${binary}.exe" "$BUILD_SOURCESDIRECTORY/dist/portainer.exe"
+else  
+  mv "$BUILD_SOURCESDIRECTORY/api/cmd/portainer/$binary" "$BUILD_SOURCESDIRECTORY/dist/portainer"
+fi

build/download_docker_binary.ps1

@@ -1,13 +0,0 @@
-param (
-  [string]$docker_version
-)
-
-$ErrorActionPreference = "Stop";
-
-New-Item -Path "docker-binary" -ItemType Directory | Out-Null
-
-$download_folder = "docker-binary"
-
-Invoke-WebRequest -O "$($download_folder)/docker-binaries.zip" "https://download.docker.com/win/static/stable/x86_64/docker-$($docker_version).zip"
-Expand-Archive -Path "$($download_folder)/docker-binaries.zip" -DestinationPath "$($download_folder)"
-Move-Item -Path "$($download_folder)/docker/docker.exe" -Destination "dist"

build/windows/Dockerfile

@@ -0,0 +1,14 @@
+ARG OSVERSION
+FROM --platform=linux/amd64 gcr.io/k8s-staging-e2e-test-images/windows-servercore-cache:1.0-linux-amd64-${OSVERSION} as core
+FROM mcr.microsoft.com/windows/nanoserver:${OSVERSION}
+
+COPY --from=core /Windows/System32/netapi32.dll /Windows/System32/netapi32.dll
+
+USER ContainerAdministrator
+
+COPY dist /
+
+EXPOSE 9000
+EXPOSE 8000
+
+ENTRYPOINT ["/portainer.exe"]

build/windows2016/nanoserver/Dockerfile

@@ -1,9 +0,0 @@
-FROM microsoft/nanoserver:sac2016
-
-COPY dist /
-
-WORKDIR /
-
-EXPOSE 9000
-
-ENTRYPOINT ["/portainer.exe"]

distribution/portainer.spec

@@ -1,5 +1,5 @@
 Name:           portainer
-Version:        1.24.0
+Version:        1.24.1
 Release:        0
 License:        Zlib
 Summary:        A lightweight docker management UI

gruntfile.js

@@ -142,11 +142,7 @@ function shell_build_binary(p, a) {
 }
 
 function shell_build_binary_azuredevops(p, a) {
-  if (p === 'linux') {
-    return 'build/build_binary_azuredevops.sh ' + p + ' ' + a + ';';
-  } else {
-    return 'powershell -Command ".\\build\\build_binary_azuredevops.ps1 -platform ' + p + ' -arch ' + a + '"';
-  }
+  return 'build/build_binary_azuredevops.sh ' + p + ' ' + a + ';';
 }
 
 function shell_run_container() {
@@ -164,15 +160,12 @@ function shell_download_docker_binary(p, a) {
   var ip = ps[p] === undefined ? p : ps[p];
   var ia = as[a] === undefined ? a : as[a];
   var binaryVersion = p === 'windows' ? '<%= shippedDockerVersionWindows %>' : '<%= shippedDockerVersion %>';
-  if (p === 'linux' || p === 'mac') {
-    return ['if [ -f dist/docker ]; then', 'echo "Docker binary exists";', 'else', 'build/download_docker_binary.sh ' + ip + ' ' + ia + ' ' + binaryVersion + ';', 'fi'].join(' ');
-  } else {
-    return [
-      'powershell -Command "& {if (Get-Item -Path dist/docker.exe -ErrorAction:SilentlyContinue) {',
-      'Write-Host "Docker binary exists"',
-      '} else {',
-      '& ".\\build\\download_docker_binary.ps1" -docker_version ' + binaryVersion + '',
-      '}}"',
-    ].join(' ');
-  }
+  
+  return [
+    'if [ -f dist/docker ] || [ -f dist/docker.exe ]; then',
+    'echo "docker binary exists";',
+    'else',
+    'build/download_docker_binary.sh ' + ip + ' ' + ia + ' ' + binaryVersion + ';',
+    'fi',
+  ].join(' ');
 }

package.json

@@ -2,7 +2,7 @@
   "author": "Portainer.io",
   "name": "portainer",
   "homepage": "http://portainer.io",
-  "version": "1.24.0",
+  "version": "1.25.0",
   "repository": {
     "type": "git",
     "url": "git@github.com:portainer/portainer.git"