OPNsense

Author Topic: [SOLVED] Captive Portal - Add user to create/drop vouchers  (Read 8326 times)

StP

  • Jr. Member
  • **
  • Posts: 58
  • Karma: 2
    • View Profile
[SOLVED] Captive Portal - Add user to create/drop vouchers
« on: July 28, 2016, 12:13:34 pm »
Hi,

as the topic says: I want to create a user that is allowed nothing but to create vouchers for the Captive Portal.
So I create user "VoucherAdmin" and set only one privilege "WebCfg-Services: Captive Portal".

Now I can login as "VoucherAdmin" and I see a heavily reduced UI.
But I have two problems:
1. The UI is not reduced enough - all the Captive Portal functionality is available. Not only "Vouchers" but "Administration", "Sessions" and "Log File", too. That is more than our office ladies can (and should) handle.
Anything I (or you) can do to further reduce the privilege?

2. In the reduced UI there is no "Logout" button. I see no way to login again as "admin" except waiting for a timeout.
This is not by intention, is it?

Regards
  Stefan
« Last Edit: July 29, 2016, 01:49:12 pm by franco »

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13602
  • Karma: 1170
    • View Profile
Re: Captive Portal - Add user to create/drop vouchers
« Reply #1 on: July 29, 2016, 12:13:46 am »
Hi Stefan,

Custom ACLs are possible and fully pluggable so that they persist through firmware updates.

https://forum.opnsense.org/index.php?topic=1355

You could copy /usr/local/opnsense/mvc/app/models/OPNsense/IDS/ACL/ACL.xml and adapt according to your specifications, e.g. a custom entry for your voucher admin with pattern "ui/captiveportal/voucher/*".

The file can be in e.g. /usr/local/opnsense/mvc/app/models/OPNsense/My_Voucher_Admin/ACL/ACL.xml and then afterwards the user privileges should show up in the listing ready for use.

I will see what I can do about the logout problem.


Cheers,
Franco

franco
Re: Captive Portal - Add user to create/drop vouchers
« Reply #2 on: July 29, 2016, 12:51:16 am »
This should do the trick on 16.1.20 as well as 16.7:

# opnsense-patch 6a089c219


Cheers,
Franco

StP
Re: Captive Portal - Add user to create/drop vouchers
« Reply #3 on: July 29, 2016, 01:16:59 pm »
Thanks Franco!

Adding a custom access rule worked fine.

Newbie question: How do I use opnsense-patch?

Have a nice weekend
  Stefan

franco
Re: Captive Portal - Add user to create/drop vouchers
« Reply #4 on: July 29, 2016, 01:32:01 pm »
Hi Stefan,

opnsense-patch is a command line utility that fetches commits from GitHub and applies them directly to the running system. You'll need an SSH root shell or the console; use option 8) and then simply type the command (minus the "#" prompt symbol).


Cheers,
Franco

StP
Re: Captive Portal - Add user to create/drop vouchers
« Reply #5 on: July 29, 2016, 01:47:37 pm »
OK, found it  :)

Patch works as expected.

Great support, thank you.

Stefan

franco
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
« Reply #6 on: July 29, 2016, 01:50:04 pm »
You're welcome, have a nice weekend. :D


Cheers,
Franco

StP
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
« Reply #7 on: August 01, 2016, 12:50:57 pm »
Franco,

I need to open this one again.

The custom access rule that I implemented does show the correct UI.
But it does not let me generate vouchers!
The resulting CSV file is empty.
Actually it looks like this:

username,password,vouchergroup,validity
"undefined","undefined","undefined","undefined"

And in the UI no entry is shown for the voucher I tried to create.
Seems there are access rights missing...

Stefan


franco
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
« Reply #8 on: August 01, 2016, 01:09:47 pm »
Hi Stefan,

Oh, right, we need API access too! Try adding this second pattern: "/api/captiveportal/voucher/*" to your ACL.


Cheers,
Franco

StP
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
« Reply #9 on: August 01, 2016, 03:15:38 pm »
Not yet working.
My ACL.xml is now looking like this:

<acl>
    <!-- unique acl key, must be globally unique for all acl's  -->
    <page-services-VoucherAdmin>
        <name>WebCfg - Services: Captive Portal Vouchers page</name>
        <description>Allow access to the 'Services: CaptivePortal: Vouchers' page.</description>
        <patterns>
            <pattern>ui/captiveportal/voucher/*</pattern>
            <pattern>api/captiveportal/voucher/*</pattern>
        </patterns>
    </page-services-VoucherAdmin>
</acl>

franco
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
« Reply #10 on: August 02, 2016, 08:12:35 am »
Hi Stefan,

Interesting, we do have to extend the ACL logic some more for cherry-picked MVC usage, but for now I think adding these two should solve your issue:

<pattern>ui/index.php*</pattern>
<pattern>api/api.php*</pattern>


Cheers,
Franco

StP
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
« Reply #11 on: August 02, 2016, 09:23:22 am »
That does it  :)

Thanks Franco!

Stefan
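
A least-privilege check over the ACL.xml this thread ends up with, as an added example that is not part of the original posts or OPNsense's own code: it separates the patterns that stay under the voucher pages from those whose literal prefix falls outside them (here `ui/index.php*` and `api/api.php*`), so the latter can be tested with the restricted account. The `INTENDED_SCOPE` prefixes, the `audit_acl` function and the sample file are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the ACL.xml from the thread plus the two extra patterns
# that were suggested afterwards.
SAMPLE_ACL = """<acl>
    <page-services-VoucherAdmin>
        <name>WebCfg - Services: Captive Portal Vouchers page</name>
        <patterns>
            <pattern>ui/captiveportal/voucher/*</pattern>
            <pattern>api/captiveportal/voucher/*</pattern>
            <pattern>ui/index.php*</pattern>
            <pattern>api/api.php*</pattern>
        </patterns>
    </page-services-VoucherAdmin>
</acl>"""

# Hypothetical policy: the only URL prefixes this role is meant to reach.
INTENDED_SCOPE = ("ui/captiveportal/voucher/", "api/captiveportal/voucher/")


def audit_acl(xml_text, scope=INTENDED_SCOPE):
    """Return {privilege_key: {"in_scope": [...], "review": [...]}}.

    A pattern is in scope when its literal part (text before the first '*',
    leading '/' ignored) starts with one of the intended prefixes. Everything
    else is listed for manual review; this does not emulate the firewall's
    own pattern matching.
    """
    report = {}
    for priv in ET.fromstring(xml_text):
        result = {"in_scope": [], "review": []}
        for node in priv.findall("./patterns/pattern"):
            pattern = (node.text or "").strip()
            literal = pattern.split("*", 1)[0].lstrip("/")
            bucket = "in_scope" if literal.startswith(scope) else "review"
            result[bucket].append(pattern)
        report[priv.tag] = result
    return report


if __name__ == "__main__":
    for key, result in audit_acl(SAMPLE_ACL).items():
        print(key)
        for pattern in result["in_scope"]:
            print("  ok      ", pattern)
        for pattern in result["review"]:
            print("  REVIEW  ", pattern)
```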