New Access rule webadmin_view for read-only (thanks to Oleg Palij)(EJAB-213)
This commit is contained in:
parent
6ae1f62469
commit
705c5b4c1c
|
@ -3681,7 +3681,8 @@ you will see a page similar to figure <A HREF="#fig:webadmmain">4.1</A>.</P
|
||||||
<DIV CLASS="center"><HR WIDTH="80%" SIZE=2></DIV></DIV></BLOCKQUOTE><P>
|
<DIV CLASS="center"><HR WIDTH="80%" SIZE=2></DIV></DIV></BLOCKQUOTE><P>
|
||||||
Here you can edit access restrictions, manage users, create backups,
|
Here you can edit access restrictions, manage users, create backups,
|
||||||
manage the database, enable/disable ports listened for, view server
|
manage the database, enable/disable ports listened for, view server
|
||||||
statistics,…</P><P>Examples:
|
statistics,…</P><P>The access rule <TT>configure</TT> determines what accounts can access the Web Admin and modify it.
|
||||||
|
The access rule <TT>webadmin_view</TT> is to grant only view access: those accounts can browse the Web Admin with read-only access.</P><P>Example configurations:
|
||||||
</P><UL CLASS="itemize"><LI CLASS="li-itemize">
|
</P><UL CLASS="itemize"><LI CLASS="li-itemize">
|
||||||
You can serve the Web Admin on the same port as the
|
You can serve the Web Admin on the same port as the
|
||||||
HTTP Polling interface. In this example
|
HTTP Polling interface. In this example
|
||||||
|
@ -3695,9 +3696,13 @@ username ‘<TT>admin@example.net</TT>’ to administer all virtual ho
|
||||||
URL). If you log in with ‘<TT>admin@example.com</TT>’ on<BR>
|
URL). If you log in with ‘<TT>admin@example.com</TT>’ on<BR>
|
||||||
<CODE>http://example.org:5280/admin/server/example.com/</CODE> you can only
|
<CODE>http://example.org:5280/admin/server/example.com/</CODE> you can only
|
||||||
administer the virtual host <TT>example.com</TT>.
|
administer the virtual host <TT>example.com</TT>.
|
||||||
|
The account ‘<TT>reviewer@example.com</TT>’ can browse that vhost in read-only mode.
|
||||||
<PRE CLASS="verbatim">{acl, admins, {user, "admin", "example.net"}}.
|
<PRE CLASS="verbatim">{acl, admins, {user, "admin", "example.net"}}.
|
||||||
{host_config, "example.com", [{acl, admins, {user, "admin", "example.com"}}]}.
|
{host_config, "example.com", [{acl, admins, {user, "admin", "example.com"}}]}.
|
||||||
|
{host_config, "example.com", [{acl, viewers, {user, "reviewer", "example.com"}}]}.
|
||||||
|
|
||||||
{access, configure, [{allow, admins}]}.
|
{access, configure, [{allow, admins}]}.
|
||||||
|
{access, webadmin_view, [{allow, viewers}]}.
|
||||||
|
|
||||||
{hosts, ["example.org"]}.
|
{hosts, ["example.org"]}.
|
||||||
|
|
||||||
|
|
|
@ -4675,7 +4675,10 @@ Here you can edit access restrictions, manage users, create backups,
|
||||||
manage the database, enable/disable ports listened for, view server
|
manage the database, enable/disable ports listened for, view server
|
||||||
statistics,\ldots
|
statistics,\ldots
|
||||||
|
|
||||||
Examples:
|
The access rule \term{configure} determines what accounts can access the Web Admin and modify it.
|
||||||
|
The access rule \term{webadmin\_view} is to grant only view access: those accounts can browse the Web Admin with read-only access.
|
||||||
|
|
||||||
|
Example configurations:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item You can serve the Web Admin on the same port as the
|
\item You can serve the Web Admin on the same port as the
|
||||||
\ind{protocols!XEP-0025: HTTP Polling}HTTP Polling interface. In this example
|
\ind{protocols!XEP-0025: HTTP Polling}HTTP Polling interface. In this example
|
||||||
|
@ -4689,10 +4692,14 @@ Examples:
|
||||||
URL). If you log in with `\jid{admin@example.com}' on \\
|
URL). If you log in with `\jid{admin@example.com}' on \\
|
||||||
\verb|http://example.org:5280/admin/server/example.com/| you can only
|
\verb|http://example.org:5280/admin/server/example.com/| you can only
|
||||||
administer the virtual host \jid{example.com}.
|
administer the virtual host \jid{example.com}.
|
||||||
|
The account `\jid{reviewer@example.com}' can browse that vhost in read-only mode.
|
||||||
\begin{verbatim}
|
\begin{verbatim}
|
||||||
{acl, admins, {user, "admin", "example.net"}}.
|
{acl, admins, {user, "admin", "example.net"}}.
|
||||||
{host_config, "example.com", [{acl, admins, {user, "admin", "example.com"}}]}.
|
{host_config, "example.com", [{acl, admins, {user, "admin", "example.com"}}]}.
|
||||||
|
{host_config, "example.com", [{acl, viewers, {user, "reviewer", "example.com"}}]}.
|
||||||
|
|
||||||
{access, configure, [{allow, admins}]}.
|
{access, configure, [{allow, admins}]}.
|
||||||
|
{access, webadmin_view, [{allow, viewers}]}.
|
||||||
|
|
||||||
{hosts, ["example.org"]}.
|
{hosts, ["example.org"]}.
|
||||||
|
|
||||||
|
|
|
@ -50,29 +50,38 @@
|
||||||
%%%==================================
|
%%%==================================
|
||||||
%%%% get_acl_access
|
%%%% get_acl_access
|
||||||
|
|
||||||
%% @spec (Path::[string()]) -> {HostOfRule, AccessRule}
|
%% @spec (Path::[string()]) -> {HostOfRule, [AccessRule]}
|
||||||
|
|
||||||
%% All accounts can access those URLs
|
%% All accounts can access those URLs
|
||||||
get_acl_rule([]) -> {"localhost", all};
|
get_acl_rule([],_) -> {"localhost", [all]};
|
||||||
get_acl_rule(["style.css"]) -> {"localhost", all};
|
get_acl_rule(["style.css"],_) -> {"localhost", [all]};
|
||||||
get_acl_rule(["logo.png"]) -> {"localhost", all};
|
get_acl_rule(["logo.png"],_) -> {"localhost", [all]};
|
||||||
get_acl_rule(["logo-fill.png"]) -> {"localhost", all};
|
get_acl_rule(["logo-fill.png"],_) -> {"localhost", [all]};
|
||||||
get_acl_rule(["favicon.ico"]) -> {"localhost", all};
|
get_acl_rule(["favicon.ico"],_) -> {"localhost", [all]};
|
||||||
get_acl_rule(["additions.js"]) -> {"localhost", all};
|
get_acl_rule(["additions.js"],_) -> {"localhost", [all]};
|
||||||
%% This page only displays vhosts that the user is admin:
|
%% This page only displays vhosts that the user is admin:
|
||||||
get_acl_rule(["vhosts"]) -> {"localhost", all};
|
get_acl_rule(["vhosts"],_) -> {"localhost", [all]};
|
||||||
|
|
||||||
%% The pages of a vhost are only accesible if the user is admin of that vhost:
|
%% The pages of a vhost are only accesible if the user is admin of that vhost:
|
||||||
get_acl_rule(["server", VHost | _RPath]) -> {VHost, configure};
|
get_acl_rule(["server", VHost | _RPath], 'GET') -> {VHost, [configure, webadmin_view]};
|
||||||
|
get_acl_rule(["server", VHost | _RPath], 'POST') -> {VHost, [configure]};
|
||||||
|
|
||||||
%% Default rule: only global admins can access any other random page
|
%% Default rule: only global admins can access any other random page
|
||||||
get_acl_rule(_RPath) -> {global, configure}.
|
get_acl_rule(_RPath, 'GET') -> {global, [configure, webadmin_view]};
|
||||||
|
get_acl_rule(_RPath, 'POST') -> {global, [configure]}.
|
||||||
|
|
||||||
|
is_acl_match(Host, Rules, Jid) ->
|
||||||
|
lists:any(
|
||||||
|
fun(Rule) ->
|
||||||
|
allow == acl:match_rule(Host, Rule, Jid)
|
||||||
|
end,
|
||||||
|
Rules).
|
||||||
|
|
||||||
%%%==================================
|
%%%==================================
|
||||||
%%%% Menu Items Access
|
%%%% Menu Items Access
|
||||||
|
|
||||||
get_jid(Auth, HostHTTP) ->
|
get_jid(Auth, HostHTTP, Method) ->
|
||||||
case get_auth_admin(Auth, HostHTTP, []) of
|
case get_auth_admin(Auth, HostHTTP, [], Method) of
|
||||||
{ok, {User, Server}} ->
|
{ok, {User, Server}} ->
|
||||||
jlib:make_jid(User, Server, "");
|
jlib:make_jid(User, Server, "");
|
||||||
{unauthorized, Error} ->
|
{unauthorized, Error} ->
|
||||||
|
@ -119,8 +128,8 @@ is_allowed_path(BasePath, {Path, _, _}, JID) ->
|
||||||
is_allowed_path(["admin" | Path], JID) ->
|
is_allowed_path(["admin" | Path], JID) ->
|
||||||
is_allowed_path(Path, JID);
|
is_allowed_path(Path, JID);
|
||||||
is_allowed_path(Path, JID) ->
|
is_allowed_path(Path, JID) ->
|
||||||
{HostOfRule, AccessRule} = get_acl_rule(Path),
|
{HostOfRule, AccessRule} = get_acl_rule(Path, 'GET'),
|
||||||
allow == acl:match_rule(HostOfRule, AccessRule, JID).
|
is_acl_match(HostOfRule, AccessRule, JID).
|
||||||
|
|
||||||
%% @spec(Path) -> URL
|
%% @spec(Path) -> URL
|
||||||
%% where Path = [string()]
|
%% where Path = [string()]
|
||||||
|
@ -163,13 +172,13 @@ process(["doc", LocalFile], _Request) ->
|
||||||
end
|
end
|
||||||
end;
|
end;
|
||||||
|
|
||||||
process(["server", SHost | RPath] = Path, #request{auth = Auth, lang = Lang, host = HostHTTP} = Request) ->
|
process(["server", SHost | RPath] = Path, #request{auth = Auth, lang = Lang, host = HostHTTP, method = Method} = Request) ->
|
||||||
Host = jlib:nameprep(SHost),
|
Host = jlib:nameprep(SHost),
|
||||||
case lists:member(Host, ?MYHOSTS) of
|
case lists:member(Host, ?MYHOSTS) of
|
||||||
true ->
|
true ->
|
||||||
case get_auth_admin(Auth, HostHTTP, Path) of
|
case get_auth_admin(Auth, HostHTTP, Path, Method) of
|
||||||
{ok, {User, Server}} ->
|
{ok, {User, Server}} ->
|
||||||
AJID = get_jid(Auth, HostHTTP),
|
AJID = get_jid(Auth, HostHTTP, Method),
|
||||||
process_admin(Host, Request#request{path = RPath,
|
process_admin(Host, Request#request{path = RPath,
|
||||||
auth = {auth_jid, Auth, AJID},
|
auth = {auth_jid, Auth, AJID},
|
||||||
us = {User, Server}});
|
us = {User, Server}});
|
||||||
|
@ -189,10 +198,10 @@ process(["server", SHost | RPath] = Path, #request{auth = Auth, lang = Lang, hos
|
||||||
ejabberd_web:error(not_found)
|
ejabberd_web:error(not_found)
|
||||||
end;
|
end;
|
||||||
|
|
||||||
process(RPath, #request{auth = Auth, lang = Lang, host = HostHTTP} = Request) ->
|
process(RPath, #request{auth = Auth, lang = Lang, host = HostHTTP, method = Method} = Request) ->
|
||||||
case get_auth_admin(Auth, HostHTTP, RPath) of
|
case get_auth_admin(Auth, HostHTTP, RPath, Method) of
|
||||||
{ok, {User, Server}} ->
|
{ok, {User, Server}} ->
|
||||||
AJID = get_jid(Auth, HostHTTP),
|
AJID = get_jid(Auth, HostHTTP, Method),
|
||||||
process_admin(global, Request#request{path = RPath,
|
process_admin(global, Request#request{path = RPath,
|
||||||
auth = {auth_jid, Auth, AJID},
|
auth = {auth_jid, Auth, AJID},
|
||||||
us = {User, Server}});
|
us = {User, Server}});
|
||||||
|
@ -209,10 +218,10 @@ process(RPath, #request{auth = Auth, lang = Lang, host = HostHTTP} = Request) ->
|
||||||
ejabberd_web:make_xhtml([?XCT("h1", "Unauthorized")])}
|
ejabberd_web:make_xhtml([?XCT("h1", "Unauthorized")])}
|
||||||
end.
|
end.
|
||||||
|
|
||||||
get_auth_admin(Auth, HostHTTP, RPath) ->
|
get_auth_admin(Auth, HostHTTP, RPath, Method) ->
|
||||||
case Auth of
|
case Auth of
|
||||||
{SJID, Pass} ->
|
{SJID, Pass} ->
|
||||||
{HostOfRule, AccessRule} = get_acl_rule(RPath),
|
{HostOfRule, AccessRule} = get_acl_rule(RPath, Method),
|
||||||
case jlib:string_to_jid(SJID) of
|
case jlib:string_to_jid(SJID) of
|
||||||
error ->
|
error ->
|
||||||
{unauthorized, "badformed-jid"};
|
{unauthorized, "badformed-jid"};
|
||||||
|
@ -229,11 +238,11 @@ get_auth_admin(Auth, HostHTTP, RPath) ->
|
||||||
get_auth_account(HostOfRule, AccessRule, User, Server, Pass) ->
|
get_auth_account(HostOfRule, AccessRule, User, Server, Pass) ->
|
||||||
case ejabberd_auth:check_password(User, Server, Pass) of
|
case ejabberd_auth:check_password(User, Server, Pass) of
|
||||||
true ->
|
true ->
|
||||||
case acl:match_rule(HostOfRule, AccessRule,
|
case is_acl_match(HostOfRule, AccessRule,
|
||||||
jlib:make_jid(User, Server, "")) of
|
jlib:make_jid(User, Server, "")) of
|
||||||
deny ->
|
false ->
|
||||||
{unauthorized, "unprivileged-account"};
|
{unauthorized, "unprivileged-account"};
|
||||||
allow ->
|
true ->
|
||||||
{ok, {User, Server}}
|
{ok, {User, Server}}
|
||||||
end;
|
end;
|
||||||
false ->
|
false ->
|
||||||
|
@ -1427,7 +1436,7 @@ list_vhosts(Lang, JID) ->
|
||||||
Hosts = ?MYHOSTS,
|
Hosts = ?MYHOSTS,
|
||||||
HostsAllowed = lists:filter(
|
HostsAllowed = lists:filter(
|
||||||
fun(Host) ->
|
fun(Host) ->
|
||||||
allow == acl:match_rule(Host, configure, JID)
|
is_acl_match(Host, [configure, webadmin_view], JID)
|
||||||
end,
|
end,
|
||||||
Hosts
|
Hosts
|
||||||
),
|
),
|
||||||
|
|
Loading…
Reference in New Issue