OPNsense Forum
Archive => 16.1 Legacy Series => Topic started by: StP on July 28, 2016, 12:13:34 pm
-
Hi,
as the topic says: I want to create a user that is allowed nothing but to create vouchers for the Captive Portal.
So I create user "VoucherAdmin" and set only one privilege "WebCfg-Services: Captive Portal".
Now I can login as "VoucherAdmin" and I see a heavily reduced UI.
But I have two problems:
1. The UI is not reduced enough - all the Captive Portal functionality is available. Not only "Vouchers" but "Administration", "Sessions" and "Log File", too. That is more than our office ladies can (and should) handle.
Anything I (or you) can do to further reduce the privilege?
2. In the reduced UI there is no "Logout" button. I see no way to login again as "admin" except waiting for a timeout.
This is not intentional, is it?
Regards
Stefan
-
Hi Stefan,
Custom ACLs are possible and fully pluggable so that they persist through firmware updates.
https://forum.opnsense.org/index.php?topic=1355
You could copy /usr/local/opnsense/mvc/app/models/OPNsense/IDS/ACL/ACL.xml and adapt according to your specifications, e.g. a custom entry for your voucher admin with pattern "ui/captiveportal/voucher/*".
The file can be in e.g. /usr/local/opnsense/mvc/app/models/OPNsense/My_Voucher_Admin/ACL/ACL.xml and then afterwards the user privileges should show up in the listing ready for use.
I will see what I can do about the logout problem.
Cheers,
Franco
-
This should do the trick on 16.1.20 as well as 16.7:
# opnsense-patch 6a089c219
Cheers,
Franco
-
Thanks Franco!
Adding a custom access rule worked fine.
Newbie question: How do I use opnsense-patch?
Have a nice weekend
Stefan
-
Hi Stefan,
opnsense-patch is a command line utility that fetches commits from GitHub and applies them directly to the running system. You'll need an SSH root shell or the console, use option 8) and then simply type the command (minus the "#" prompt symbol).
Cheers,
Franco
-
OK, found it :)
Patch works as expected.
Great support, thank you.
Stefan
-
You're welcome, have a nice weekend. :D
Cheers,
Franco
-
Franco,
I need to open this one again.
The custom access rule that I implemented does show the correct UI.
But it does not let me generate vouchers!
The resulting CSV file is empty.
Actually it looks like this:
username,password,vouchergroup,validity
"undefined","undefined","undefined","undefined"
And in the UI no entry is shown for the voucher I tried to create.
Seems there are access rights missing...
Stefan
-
Hi Stefan,
Oh, right, we need API access too! Try adding this second pattern: "/api/captiveportal/voucher/*" to your ACL.
Cheers,
Franco
-
Not yet working.
My ACL.xml is now looking like this:
<acl>
    <!-- unique acl key, must be globally unique for all acl's -->
    <page-services-VoucherAdmin>
        <name>WebCfg - Services: Captive Portal Vouchers page</name>
        <description>Allow access to the 'Services: CaptivePortal: Vouchers' page.</description>
        <patterns>
            <pattern>ui/captiveportal/voucher/*</pattern>
            <pattern>api/captiveportal/voucher/*</pattern>
        </patterns>
    </page-services-VoucherAdmin>
</acl>
-
Hi Stefan,
Interesting, we do have to extend the ACL logic some more for cherry-picked MVC usage, but for now I think adding these two should solve your issue:
<pattern>ui/index.php*</pattern>
<pattern>api/api.php*</pattern>
Cheers,
Franco
-
That does it :)
Thanks Franco!
Stefan
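The complete ACL file this thread converges on, written out as an added example (it is not a file from the OPNsense repository and not one of the posts above): Stefan's entry from his post plus the two dispatcher patterns from Franco's last reply. The file path and the ACL key page-services-VoucherAdmin are the ones used in the thread. Drop it in as /usr/local/opnsense/mvc/app/models/OPNsense/My_Voucher_Admin/ACL/ACL.xml and the privilege shows up in the user's privilege list. Since Franco notes the ACL logic still needed extending for cherry-picked MVC use on these releases, check what the ui/index.php* and api/api.php* patterns actually expose by logging in as the restricted user and trying the other Captive Portal pages, not just the voucher page.

```xml
<!-- Added example: custom OPNsense ACL granting only the Captive Portal voucher page
     and the voucher API. Path (from the thread):
     /usr/local/opnsense/mvc/app/models/OPNsense/My_Voucher_Admin/ACL/ACL.xml
     The pattern list is the union of everything the thread found necessary on 16.1.20 / 16.7. -->
<acl>
    <!-- unique acl key, must be globally unique for all acl's -->
    <page-services-VoucherAdmin>
        <name>WebCfg - Services: Captive Portal Vouchers page</name>
        <description>Allow access to the 'Services: CaptivePortal: Vouchers' page.</description>
        <patterns>
            <!-- the voucher page itself -->
            <pattern>ui/captiveportal/voucher/*</pattern>
            <!-- the API the page calls to generate and list vouchers; without it the
                 CSV download came back as "undefined" rows in the thread -->
            <pattern>api/captiveportal/voucher/*</pattern>
            <!-- MVC front controllers; on these releases the two patterns above only
                 take effect once these are granted as well -->
            <pattern>ui/index.php*</pattern>
            <pattern>api/api.php*</pattern>
        </patterns>
    </page-services-VoucherAdmin>
</acl>
```

Keep the file outside the stock model directories (as Franco suggests, a directory of your own under models/OPNsense/) so it is not touched by firmware updates, and after installing it assign only the new "WebCfg - Services: Captive Portal Vouchers page" privilege to the voucher user, not the broader "WebCfg-Services: Captive Portal" one from the original question.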