Images Show as Unused based User's Access Level

[fhughes90]

Before you start please confirm the following.

• Yes, I've searched similar issues on GitHub.
• Yes, I've checked whether this issue is covered in the Portainer documentation or knowledge base.

Problem Description

Creating a stack outside of Portainer (i.e. compose.yaml file on the host machine) creates a default stack with access control limited to administrators.

When a non-admin user is logged in, the images being used for the default stack (with admin privileges ) are displayed as "Unused"

Expected Behavior

Non-admin user should not even be able to see the images being used by containers with elevated privileges.

Actual Behavior

All the images are displayed for the non-admin user. Makes the user "Think" they can safely delete them.

Steps to Reproduce

1. Create Portainer via docker compose.yaml on host machine.
2. Login to Portainer as Admin user.
3. Configure LDAP authentication.
4. Create a team "XYZ" that corresponds to group "XYZ" in Active Directory.
5. Under "Environments > Groups" click "manage access" for the default "docker" group.
6. Select "XYZ" team in the "Create access" tab and add it to the environment group.
7. Under "Stacks", the default stack "srv" created outside of portainer should only be accessible to administrators. For a stack created inside Portainer, modify the access control by "changing ownership" to "XYZ" team.
8. Before logging out as Admin, Click images and observe. Images being used by the default stack "srv" should show in use.
9. Login as a non-admin user in "XYZ" group.
10. Click on the "docker" environment.
11. Click "Images".
12. You will see some images show as "Unused"

Portainer logs or screenshots

No response

Portainer version

2.19.5

Portainer Edition

Community Edition (CE)

Platform and Version

Docker 26.1.3

OS and Architecture

CentOS Stream 8

Browser

Safari v17.5

What command did you use to deploy Portainer?

services:
    portainer:
        container_name: portainer
        image: portainer/portainer-ce:latest
        ports:
            - '9000:9000' # HTTP Interface
        volumes:
            - /srv/portainer:/data
            - /var/run/docker.sock:/var/run/docker.sock:ro
        restart: unless-stopped

    nginx-proxy-manager:
        container_name: nginx-proxy-manager
        image: jc21/nginx-proxy-manager:latest
        ports:
           - '80:80' # Incoming HTTP URLs
           - '81:81' # Web Interface
           - '443:443' # Incoming HTTPS URLs
        volumes:
           - /srv/nginx_proxy_manager/data:/data
           - /srv/nginx_proxy_manager/letsencrypt:/etc/letsencrypt
        restart: always

Additional Information

Using LDAP authentication to poll Active Directory. User and Group searches are configured that correspond to "Teams" created in Portainer.

[Nick-Portainer]

Hi @fhughes90,

Thank you for raising this issue.

We have confirmed this bug in version 2.19.5. This was patched in our 2.20.x release, which no longer has the incorrect label of "unused" on images. Upgrading to 2.20.3, which is our latest STS release, will resolve this for you.

[fhughes90]

Ok great. Yes I can confirm after upgrading to 2.20.3 release, the issue is resolved.

Thank you