'read-only' access allows reordering rules

Started by GaardenZwerch, August 12, 2022, 01:47:25 PM

Hi All,
I have tried to set up a 'read-only' access to the web-gui, with the intention of allowing a given user to look at the config, but not mess with it.
I find that if I give a user access to the gui pages 'without edit' for rules and NAT, he can still reorder the rules.
He can't edit Aliases or rules, but he can still select a rule, and move it around with the <- icon.
Is this expected/known/wanted?
Thanks a lot in advance,
Frank

Can they save/apply?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

At first glance moving rules also requires write_config() which fails for read-only users. I don't want to say it's not possible as that could always be the case with hidden bugs, but it needs precise steps to reproduce (and possibly responsible disclosure).


Cheers,
Franco