Feature #7051

Allow control of what users can view and/or clear notices

Added by Phillip Davis about 2 months ago. Updated 10 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Dashboard
Target version:
Start date: 12/29/2016
Due date:
% Done: 100%


Description

Use case:
A user with minimal page privs (e.g. can just change their password, or access a few status pages or...) should not be automatically able to see notices or clear them, because notices might contain critical system information which discloses some problem with the system, and clearing them would prevent a full firewall administrator from seeing them.

Users with priv for all pages (which includes the built-in admin) should be able to view and clear notices.

Provide 2 new privs that allow:
a) View notices (but cannot clear)
b) View and clear notices

This is a follow-on from bug #3454

Associated revisions

Revision 8b5cf433
Added by Renato Botelho 7 days ago

Revert "Add privs to control display of notices"

Fix #7051

This reverts commit 04665e78537906f7375668ca665cba17f95a4864.

Revision 80c01e06
Added by Renato Botelho 7 days ago

Revert "Add privs to control display of notices"

Fix #7051

This reverts commit 04665e78537906f7375668ca665cba17f95a4864.

History

#2 Updated by Renato Botelho about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

PR has been merged, thanks!

#3 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Assigned

The notice alert/bell isn't displayed to the admin user when this code is in place. If I revert it, they show up.

#4 Updated by Jim Pingle about 1 month ago

More info: This appears to have happened because the 'admin' user on that VM was somehow not a member of the 'admins' group. Other access code in the GUI still considers the 'admin' user to have 'admin'-level access in that case.

#5 Updated by Phillip Davis about 1 month ago

The code checks for having the specific new privs to view/clear notices or the "all pages" access. If the "root" user called "admin" in the GUI somehow does not have any of those privs then they will not get the notices.
I would have thought there would be a lot of other stuff that "admin" cannot do if it is removed from the "admins" group.

#6 Updated by Jim Pingle about 1 month ago

Ditto, but that VM had apparently been broken in that way for some time and I never noticed until this morning when I expected to see a notice and it wasn't there. Definitely curious.

#7 Updated by Phillip Davis about 1 month ago

This should fix it:
https://github.com/pfsense/pfsense/pull/3359
assuming it should be "fixed"

#8 Updated by Jim Pingle about 1 month ago

  • Status changed from Assigned to Feedback

PR merged

#9 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Resolved

Works well now as far as I can see.

#10 Updated by Jim Pingle 10 days ago

  • Target version changed from 2.4.0 to 2.3.3
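
A minimal model of the check discussed in notes #4 and #5, as an added example that is not pfSense code and not the content of the linked PR. The privilege names, the uid-0 override and the sample users and groups are assumptions made for illustration; it shows how the built-in admin ends up with no notice access under a strict privilege check once it is missing from the 'admins' group.

```php
<?php
// Hypothetical privilege names; the issue does not give the real identifiers.
const PRIV_ALL_PAGES     = 'page-all';
const PRIV_VIEW_NOTICES  = 'notices-view';
const PRIV_CLEAR_NOTICES = 'notices-view-clear';

// Effective privileges: the user's own plus those of every group they belong to.
function effective_privs(array $user, array $groups): array {
    $privs = $user['privs'];
    foreach ($groups as $group) {
        if (in_array($user['name'], $group['members'], true)) {
            $privs = array_merge($privs, $group['privs']);
        }
    }
    return array_unique($privs);
}

// Returns 'clear' (view and clear), 'view' (view only) or 'none'.
// $adminOverride treats uid 0 as admin-level whatever its groups (assumption).
function notice_access(array $user, array $groups, bool $adminOverride = false): string {
    if ($adminOverride && $user['uid'] === 0) {
        return 'clear';
    }
    $privs = effective_privs($user, $groups);
    if (in_array(PRIV_ALL_PAGES, $privs, true) || in_array(PRIV_CLEAR_NOTICES, $privs, true)) {
        return 'clear';
    }
    return in_array(PRIV_VIEW_NOTICES, $privs, true) ? 'view' : 'none';
}

// Constructed sample data: 'admin' is absent from 'admins', as on the VM in note #4.
$groups = [
    ['name' => 'admins',   'members' => ['alice'], 'privs' => [PRIV_ALL_PAGES]],
    ['name' => 'helpdesk', 'members' => ['bob'],   'privs' => [PRIV_VIEW_NOTICES]],
];
$users = [
    ['name' => 'admin', 'uid' => 0,    'privs' => []],
    ['name' => 'alice', 'uid' => 2000, 'privs' => []],
    ['name' => 'bob',   'uid' => 2001, 'privs' => []],
    ['name' => 'carol', 'uid' => 2002, 'privs' => ['page-change-password']],
];
foreach ($users as $u) {
    printf("%-6s strict=%-5s override=%s\n", $u['name'],
        notice_access($u, $groups), notice_access($u, $groups, true));
}
```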
