Chapril
/
xmpp.chapril.org-ejabberd
mirror of https://github.com/processone/ejabberd.git
24
1
Fork 0
Code Releases Activity

New Access rule webadmin_view for read-only (thanks to Oleg Palij)(EJAB-213)

This commit is contained in:
Badlop 2010-04-27 23:16:48 +02:00
parent 6ae1f62469
commit 705c5b4c1c
3 changed files with 49 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
doc/guide.html
View File

@ -3681,7 +3681,8 @@ you will see a page similar to figure&#XA0;<A HREF="#fig:webadmmain">4.1</A>.</P
<DIV CLASS="center"><HR WIDTH="80%" SIZE=2></DIV></DIV></BLOCKQUOTE><P> <DIV CLASS="center"><HR WIDTH="80%" SIZE=2></DIV></DIV></BLOCKQUOTE><P>
Here you can edit access restrictions, manage users, create backups, Here you can edit access restrictions, manage users, create backups,
manage the database, enable/disable ports listened for, view server manage the database, enable/disable ports listened for, view server
statistics,&#X2026;</P><P>Examples: statistics,&#X2026;</P><P>The access rule <TT>configure</TT> determines what accounts can access the Web Admin and modify it.
The access rule <TT>webadmin_view</TT> is to grant only view access: those accounts can browse the Web Admin with read-only access.</P><P>Example configurations:
</P><UL CLASS="itemize"><LI CLASS="li-itemize"> </P><UL CLASS="itemize"><LI CLASS="li-itemize">
You can serve the Web Admin on the same port as the You can serve the Web Admin on the same port as the
HTTP Polling interface. In this example HTTP Polling interface. In this example
@ -3695,9 +3696,13 @@ username &#X2018;<TT>admin@example.net</TT>&#X2019; to administer all virtual ho
URL). If you log in with &#X2018;<TT>admin@example.com</TT>&#X2019; on<BR> URL). If you log in with &#X2018;<TT>admin@example.com</TT>&#X2019; on<BR>
<CODE>http://example.org:5280/admin/server/example.com/</CODE> you can only <CODE>http://example.org:5280/admin/server/example.com/</CODE> you can only
administer the virtual host <TT>example.com</TT>. administer the virtual host <TT>example.com</TT>.
The account &#X2018;<TT>reviewer@example.com</TT>&#X2019; can browse that vhost in read-only mode.
<PRE CLASS="verbatim">{acl, admins, {user, "admin", "example.net"}}. <PRE CLASS="verbatim">{acl, admins, {user, "admin", "example.net"}}.
{host_config, "example.com", [{acl, admins, {user, "admin", "example.com"}}]}. {host_config, "example.com", [{acl, admins, {user, "admin", "example.com"}}]}.
{host_config, "example.com", [{acl, viewers, {user, "reviewer", "example.com"}}]}.
{access, configure, [{allow, admins}]}. {access, configure, [{allow, admins}]}.
{access, webadmin_view, [{allow, viewers}]}.
{hosts, ["example.org"]}. {hosts, ["example.org"]}.

9
doc/guide.tex
View File

@ -4675,7 +4675,10 @@ Here you can edit access restrictions, manage users, create backups,
manage the database, enable/disable ports listened for, view server manage the database, enable/disable ports listened for, view server
statistics,\ldots statistics,\ldots
Examples: The access rule \term{configure} determines what accounts can access the Web Admin and modify it.
The access rule \term{webadmin\_view} is to grant only view access: those accounts can browse the Web Admin with read-only access.
Example configurations:
\begin{itemize} \begin{itemize}
\item You can serve the Web Admin on the same port as the \item You can serve the Web Admin on the same port as the
\ind{protocols!XEP-0025: HTTP Polling}HTTP Polling interface. In this example \ind{protocols!XEP-0025: HTTP Polling}HTTP Polling interface. In this example
@ -4689,10 +4692,14 @@ Examples:
URL). If you log in with `\jid{admin@example.com}' on \\ URL). If you log in with `\jid{admin@example.com}' on \\
\verb|http://example.org:5280/admin/server/example.com/| you can only \verb|http://example.org:5280/admin/server/example.com/| you can only
administer the virtual host \jid{example.com}. administer the virtual host \jid{example.com}.
The account `\jid{reviewer@example.com}' can browse that vhost in read-only mode.
\begin{verbatim} \begin{verbatim}
{acl, admins, {user, "admin", "example.net"}}. {acl, admins, {user, "admin", "example.net"}}.
{host_config, "example.com", [{acl, admins, {user, "admin", "example.com"}}]}. {host_config, "example.com", [{acl, admins, {user, "admin", "example.com"}}]}.
{host_config, "example.com", [{acl, viewers, {user, "reviewer", "example.com"}}]}.
{access, configure, [{allow, admins}]}. {access, configure, [{allow, admins}]}.
{access, webadmin_view, [{allow, viewers}]}.
{hosts, ["example.org"]}. {hosts, ["example.org"]}.

61
src/web/ejabberd_web_admin.erl
View File

@ -50,29 +50,38 @@
%%%================================== %%%==================================
%%%% get_acl_access %%%% get_acl_access
%% @spec (Path::[string()]) -> {HostOfRule, AccessRule} %% @spec (Path::[string()]) -> {HostOfRule, [AccessRule]}
%% All accounts can access those URLs %% All accounts can access those URLs
get_acl_rule([]) -> {"localhost", all}; get_acl_rule([],_) -> {"localhost", [all]};
get_acl_rule(["style.css"]) -> {"localhost", all}; get_acl_rule(["style.css"],_) -> {"localhost", [all]};
get_acl_rule(["logo.png"]) -> {"localhost", all}; get_acl_rule(["logo.png"],_) -> {"localhost", [all]};
get_acl_rule(["logo-fill.png"]) -> {"localhost", all}; get_acl_rule(["logo-fill.png"],_) -> {"localhost", [all]};
get_acl_rule(["favicon.ico"]) -> {"localhost", all}; get_acl_rule(["favicon.ico"],_) -> {"localhost", [all]};
get_acl_rule(["additions.js"]) -> {"localhost", all}; get_acl_rule(["additions.js"],_) -> {"localhost", [all]};
%% This page only displays vhosts that the user is admin: %% This page only displays vhosts that the user is admin:
get_acl_rule(["vhosts"]) -> {"localhost", all}; get_acl_rule(["vhosts"],_) -> {"localhost", [all]};
%% The pages of a vhost are only accesible if the user is admin of that vhost: %% The pages of a vhost are only accesible if the user is admin of that vhost:
get_acl_rule(["server", VHost | _RPath]) -> {VHost, configure}; get_acl_rule(["server", VHost | _RPath], 'GET') -> {VHost, [configure, webadmin_view]};
get_acl_rule(["server", VHost | _RPath], 'POST') -> {VHost, [configure]};
%% Default rule: only global admins can access any other random page %% Default rule: only global admins can access any other random page
get_acl_rule(_RPath) -> {global, configure}. get_acl_rule(_RPath, 'GET') -> {global, [configure, webadmin_view]};
get_acl_rule(_RPath, 'POST') -> {global, [configure]}.
is_acl_match(Host, Rules, Jid) ->
lists:any(
fun(Rule) ->
allow == acl:match_rule(Host, Rule, Jid)
end,
Rules).
%%%================================== %%%==================================
%%%% Menu Items Access %%%% Menu Items Access
get_jid(Auth, HostHTTP) -> get_jid(Auth, HostHTTP, Method) ->
case get_auth_admin(Auth, HostHTTP, []) of case get_auth_admin(Auth, HostHTTP, [], Method) of
{ok, {User, Server}} -> {ok, {User, Server}} ->
jlib:make_jid(User, Server, ""); jlib:make_jid(User, Server, "");
{unauthorized, Error} -> {unauthorized, Error} ->
@ -119,8 +128,8 @@ is_allowed_path(BasePath, {Path, _, _}, JID) ->
is_allowed_path(["admin" | Path], JID) -> is_allowed_path(["admin" | Path], JID) ->
is_allowed_path(Path, JID); is_allowed_path(Path, JID);
is_allowed_path(Path, JID) -> is_allowed_path(Path, JID) ->
{HostOfRule, AccessRule} = get_acl_rule(Path), {HostOfRule, AccessRule} = get_acl_rule(Path, 'GET'),
allow == acl:match_rule(HostOfRule, AccessRule, JID). is_acl_match(HostOfRule, AccessRule, JID).
%% @spec(Path) -> URL %% @spec(Path) -> URL
%% where Path = [string()] %% where Path = [string()]
@ -163,13 +172,13 @@ process(["doc", LocalFile], _Request) ->
end end
end; end;
process(["server", SHost | RPath] = Path, #request{auth = Auth, lang = Lang, host = HostHTTP} = Request) -> process(["server", SHost | RPath] = Path, #request{auth = Auth, lang = Lang, host = HostHTTP, method = Method} = Request) ->
Host = jlib:nameprep(SHost), Host = jlib:nameprep(SHost),
case lists:member(Host, ?MYHOSTS) of case lists:member(Host, ?MYHOSTS) of
true -> true ->
case get_auth_admin(Auth, HostHTTP, Path) of case get_auth_admin(Auth, HostHTTP, Path, Method) of
{ok, {User, Server}} -> {ok, {User, Server}} ->
AJID = get_jid(Auth, HostHTTP), AJID = get_jid(Auth, HostHTTP, Method),
process_admin(Host, Request#request{path = RPath, process_admin(Host, Request#request{path = RPath,
auth = {auth_jid, Auth, AJID}, auth = {auth_jid, Auth, AJID},
us = {User, Server}}); us = {User, Server}});
@ -189,10 +198,10 @@ process(["server", SHost | RPath] = Path, #request{auth = Auth, lang = Lang, hos
ejabberd_web:error(not_found) ejabberd_web:error(not_found)
end; end;
process(RPath, #request{auth = Auth, lang = Lang, host = HostHTTP} = Request) -> process(RPath, #request{auth = Auth, lang = Lang, host = HostHTTP, method = Method} = Request) ->
case get_auth_admin(Auth, HostHTTP, RPath) of case get_auth_admin(Auth, HostHTTP, RPath, Method) of
{ok, {User, Server}} -> {ok, {User, Server}} ->
AJID = get_jid(Auth, HostHTTP), AJID = get_jid(Auth, HostHTTP, Method),
process_admin(global, Request#request{path = RPath, process_admin(global, Request#request{path = RPath,
auth = {auth_jid, Auth, AJID}, auth = {auth_jid, Auth, AJID},
us = {User, Server}}); us = {User, Server}});
@ -209,10 +218,10 @@ process(RPath, #request{auth = Auth, lang = Lang, host = HostHTTP} = Request) ->
ejabberd_web:make_xhtml([?XCT("h1", "Unauthorized")])} ejabberd_web:make_xhtml([?XCT("h1", "Unauthorized")])}
end. end.
get_auth_admin(Auth, HostHTTP, RPath) -> get_auth_admin(Auth, HostHTTP, RPath, Method) ->
case Auth of case Auth of
{SJID, Pass} -> {SJID, Pass} ->
{HostOfRule, AccessRule} = get_acl_rule(RPath), {HostOfRule, AccessRule} = get_acl_rule(RPath, Method),
case jlib:string_to_jid(SJID) of case jlib:string_to_jid(SJID) of
error -> error ->
{unauthorized, "badformed-jid"}; {unauthorized, "badformed-jid"};
@ -229,11 +238,11 @@ get_auth_admin(Auth, HostHTTP, RPath) ->
get_auth_account(HostOfRule, AccessRule, User, Server, Pass) -> get_auth_account(HostOfRule, AccessRule, User, Server, Pass) ->
case ejabberd_auth:check_password(User, Server, Pass) of case ejabberd_auth:check_password(User, Server, Pass) of
true -> true ->
case acl:match_rule(HostOfRule, AccessRule, case is_acl_match(HostOfRule, AccessRule,
jlib:make_jid(User, Server, "")) of jlib:make_jid(User, Server, "")) of
deny -> false ->
{unauthorized, "unprivileged-account"}; {unauthorized, "unprivileged-account"};
allow -> true ->
{ok, {User, Server}} {ok, {User, Server}}
end; end;
false -> false ->
@ -1427,7 +1436,7 @@ list_vhosts(Lang, JID) ->
Hosts = ?MYHOSTS, Hosts = ?MYHOSTS,
HostsAllowed = lists:filter( HostsAllowed = lists:filter(
fun(Host) -> fun(Host) ->
allow == acl:match_rule(Host, configure, JID) is_acl_match(Host, [configure, webadmin_view], JID)
end, end,
Hosts Hosts
), ),