Text only | Text with Images

OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: GaardenZwerch on August 12, 2022, 01:47:25 PM

Title: 'read-onéy' access allows reordering rules
Post by: GaardenZwerch on August 12, 2022, 01:47:25 PM
Hi All,
I have tried to setup a 'read-only' access to the web-gui, with the intention of allowing to allow a given user to look at the config, but not mess with it.
I find that if I give a user access to the gui pages 'without edit' for rules and NAT, he can still reorder the rules.
He can't edit Aliases or rules, but he can still select a rule, and move it around with the <- icon.
Is this expected/known/wanted?
Thanks a lot in advance,
Frank
Title: Re: 'read-onéy' access allows reordering rules
Post by: Patrick M. Hausen on August 12, 2022, 01:58:43 PM
Can they save/apply?
Title: Re: 'read-onéy' access allows reordering rules
Post by: franco on August 12, 2022, 02:07:22 PM
At first glance moving rules also requires write_config() which fails for read-only users. I don't want to say it's not possible as that could always be the case with hidden bugs, but it needs precise steps to reproduce (and possibly responsible disclosure).


Cheers,
Franco
Text only | Text with Images