Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
16.1 Legacy Series
»
[SOLVED] Captive Portal - Add user to create/drop vouchers
« previous
next »
Print
Pages: [
1
]
Author
Topic: [SOLVED] Captive Portal - Add user to create/drop vouchers (Read 13875 times)
StP
Jr. Member
Posts: 62
Karma: 2
[SOLVED] Captive Portal - Add user to create/drop vouchers
«
on:
July 28, 2016, 12:13:34 pm »
Hi,
as the topic says: I want to create a user that is allowed nothing but to create vouchers for the Captive Portal.
So I create user "VoucherAdmin" and set only one privilege "WebCfg-Services: Captive Portal".
Now I can login as "VoucherAdmin" and I see a heavily reduced UI.
But I have two problems:
1. The UI is not reduced enough - all the Captive Portal functionality is available. Not only "Vouchers" but "Administration", "Sessions" and "Log File", too. That is more than our office ladies can (and should) handle.
Anything I (or you) can do to further reduce the privilege?
2. In the reduced UI there is no "Logout" button. I see no way to login again as "admin" except waiting for a timeout.
This is not by intention, is it?
Regards
Stefan
«
Last Edit: July 29, 2016, 01:49:12 pm by franco
»
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Captive Portal - Add user to create/drop vouchers
«
Reply #1 on:
July 29, 2016, 12:13:46 am »
Hi Stefan,
Custom ACLs are possible and fully pluggable so that they persist through firmware updates.
https://forum.opnsense.org/index.php?topic=1355
You could copy /usr/local/opnsense/mvc/app/models/OPNsense/IDS/ACL/ACL.xml and adapt according to your specifications, e.g. a custom entry for your voucher admin with pattern "ui/captiveportal/voucher/*".
The file can be in e.g. /usr/local/opnsense/mvc/app/models/OPNsense/My_Voucher_Admin/ACL/ACL.xml and then afterwards the user privileges should show up in the listing ready for use.
I will see what I can do about the logout problem.
Cheers,
Franco
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Captive Portal - Add user to create/drop vouchers
«
Reply #2 on:
July 29, 2016, 12:51:16 am »
This should do the trick on 16.1.20 as well as 16.7:
# opnsense-patch 6a089c219
Cheers,
Franco
Logged
StP
Jr. Member
Posts: 62
Karma: 2
Re: Captive Portal - Add user to create/drop vouchers
«
Reply #3 on:
July 29, 2016, 01:16:59 pm »
Thanks Franco!
Adding a custom access rule worked fine.
Newbie question: How do I use opnsense-patch?
Have a nice weekend
Stefan
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Captive Portal - Add user to create/drop vouchers
«
Reply #4 on:
July 29, 2016, 01:32:01 pm »
Hi Stefan,
opnsense-patch is a command line utility that fetches commits from GitHub and applies them directly to the running system. You'll need a SSH root shell or the console, use option 8) and then simply type the command (minus the "#" prompt symbol).
Cheers,
Franco
Logged
StP
Jr. Member
Posts: 62
Karma: 2
Re: Captive Portal - Add user to create/drop vouchers
«
Reply #5 on:
July 29, 2016, 01:47:37 pm »
OK, found it
Patch works as expected.
Great support, thank you.
Stefan
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
«
Reply #6 on:
July 29, 2016, 01:50:04 pm »
Gern geschehen, schönes Wochenende.
Cheers,
Franco
Logged
StP
Jr. Member
Posts: 62
Karma: 2
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
«
Reply #7 on:
August 01, 2016, 12:50:57 pm »
Franco,
I need to open this one again.
The custom access rule that I implemented does show the correct UI.
But it does not let me generate vouchers!
The resulting CSV file is empty.
Actually it looks like this:
username,password,vouchergroup,validity
"undefined","undefined","undefined","undefined"
And in the UI no entry is shown for the voucher I tried to create.
Seems there are access rights missing...
Stefan
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
«
Reply #8 on:
August 01, 2016, 01:09:47 pm »
Hi Stefan,
Oh, right, we need API access too! Try adding this second pattern: "/api/captiveportal/voucher/*" to your ACL.
Cheers,
Franco
Logged
StP
Jr. Member
Posts: 62
Karma: 2
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
«
Reply #9 on:
August 01, 2016, 03:15:38 pm »
Not yet working.
My ACL.xml is now looking like this:
<acl>
<!-- unique acl key, must be globally unique for all acl's -->
<page-services-VoucherAdmin>
<name>WebCfg - Services: Captive Portal Vouchers page</name>
<description>Allow access to the 'Services: CaptivePortal: Vouchers' page.</description>
<patterns>
<pattern>ui/captiveportal/voucher/*</pattern>
<pattern>api/captiveportal/voucher/*</pattern>
</patterns>
</page-services-VoucherAdmin>
</acl>
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
«
Reply #10 on:
August 02, 2016, 08:12:35 am »
Hi Stefan,
Interesting, we do have to extend the ACL logic some more for cherry-picked MVC usage, but for now I think adding these two should solve your issue:
<pattern>ui/index.php*</pattern>
<pattern>api/api.php*</pattern>
Cheers,
Franco
Logged
StP
Jr. Member
Posts: 62
Karma: 2
Re: [SOLVED] Captive Portal - Add user to create/drop vouchers
«
Reply #11 on:
August 02, 2016, 09:23:22 am »
That does it
Thanks Franco!
Stefan
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
16.1 Legacy Series
»
[SOLVED] Captive Portal - Add user to create/drop vouchers