[SOLVED] Captive Portal - Add user to create/drop vouchers

[StP]

Hi,

as the topic says: I want to create a user that is allowed nothing but to create vouchers for the Captive Portal.
So I create user "VoucherAdmin" and set only one privilege "WebCfg-Services: Captive Portal".

Now I can login as "VoucherAdmin" and I see a heavily reduced UI.
But I have two problems:
1. The UI is not reduced enough - all the Captive Portal functionality is available. Not only "Vouchers" but "Administration", "Sessions" and "Log File", too. That is more than our office ladies can (and should) handle.
Anything I (or you) can do to further reduce the privilege?

2. In the reduced UI there is no "Logout" button. I see no way to login again as "admin" except waiting for a timeout.
This is not by intention, is it?

Regards
  Stefan

[franco]

Hi Stefan,

Custom ACLs are possible and fully pluggable so that they persist through firmware updates.

https://forum.opnsense.org/index.php?topic=1355

You could copy /usr/local/opnsense/mvc/app/models/OPNsense/IDS/ACL/ACL.xml and adapt according to your specifications, e.g. a custom entry for your voucher admin with pattern "ui/captiveportal/voucher/*".

The file can be in e.g. /usr/local/opnsense/mvc/app/models/OPNsense/My_Voucher_Admin/ACL/ACL.xml and then afterwards the user privileges should show up in the listing ready for use.

I will see what I can do about the logout problem.


Cheers,
Franco

[franco]

This should do the trick on 16.1.20 as well as 16.7:

# opnsense-patch 6a089c219


Cheers,
Franco

[StP]

Thanks Franco!

Adding a custom access rule worked fine.

Newbie question: How do I use opnsense-patch?

Have a nice weekend
  Stefan

[franco]

Hi Stefan,

opnsense-patch is a command line utility that fetches commits from GitHub and applies them directly to the running system. You'll need a SSH root shell or the console, use option 8) and then simply type the command (minus the "#" prompt symbol).


Cheers,
Franco

[StP]

OK, found it 

Patch works as expected.

Great support, thank you.

Stefan

[franco]

Gern geschehen, schönes Wochenende.


Cheers,
Franco

[StP]

Franco,

I need to open this one again.

The custom access rule that I implemented does show the correct UI.
But it does not let me generate vouchers!
The resulting CSV file is empty.
Actually it looks like this:

username,password,vouchergroup,validity
"undefined","undefined","undefined","undefined"

And in the UI no entry is shown for the voucher I tried to create.
Seems there are access rights missing...

Stefan

[franco]

Hi Stefan,

Oh, right, we need API access too! Try adding this second pattern: "/api/captiveportal/voucher/*" to your ACL.


Cheers,
Franco

[StP]

Not yet working.
My ACL.xml is now looking like this:

<acl>
    <!-- unique acl key, must be globally unique for all acl's  -->
    <page-services-VoucherAdmin>
        <name>WebCfg - Services: Captive Portal Vouchers page</name>
        <description>Allow access to the 'Services: CaptivePortal: Vouchers' page.</description>
        <patterns>
            <pattern>ui/captiveportal/voucher/*</pattern>
            <pattern>api/captiveportal/voucher/*</pattern>
        </patterns>
    </page-services-VoucherAdmin>
</acl>

[franco]

Hi Stefan,

Interesting, we do have to extend the ACL logic some more for cherry-picked MVC usage, but for now I think adding these two should solve your issue:

<pattern>ui/index.php*</pattern>
<pattern>api/api.php*</pattern>


Cheers,
Franco

[StP]

That does it 

Thanks Franco!

Stefan