Bug #3216

PFSense 2.1 - Captive Portal Zone - is not available in user effective privileges

Added by Francisco Craviotto about 6 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: User Manager / Privileges
Target version:
Start date: 09/18/2013
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.1
Affected Architecture:
Description

PFsense 2.1. If you configure a user only to access the captive portal, it doesn't work. I suppose why: in user management, adding effective privileges, I add all privileges about services - captive portal and status - captive portal, and only these privileges, to a user. When I log in as this user, I can't log in to the pfSense web configurator. In the pfSense console I see "successful login" for the user, but the web configurator doesn't work. I suppose it is because there is a new level "zones" in captive portal.

Thanks

VoucherManagerUserPermission.png (69.4 KB) Davide Cottignoli, 05/26/2016 02:29 AM
ErrorRedirectingPageVoucherManager.png (41.6 KB) Davide Cottignoli, 05/26/2016 02:30 AM

Associated revisions

Revision 8deaf333 (diff)
Added by Renato Botelho about 6 years ago

Add Captive Portal Zones privileges definition. Fix #3216

Revision 4a913451 (diff)
Added by Renato Botelho about 6 years ago

Add Captive Portal Zones privileges definition. Fix #3216

Revision 7997ed44 (diff)
Added by Renato Botelho about 6 years ago

Many fixes on privileges, ticket #3216:

- Rename some privileges:
page-diag-system-activity => page-diagnostics-system-activity
page-interfacess-groups => page-interfaces-groups
page-interfacess-lagg => page-interfaces-lagg
page-interfacess-qinq => page-interfaces-qinq
- Write an upgrade function to replace above privileges by the new name
- Remove unused privilege page-diagnostics-logs-wireless
- Remove duplicated privileges
- Fix limiter-info, pf-info and system-pftop that were using wrong name
- Add privs for edit pages (interfaces_groups, interfaces_lagg,
interfaces_qinq and services-igmpproxy)
- Fix ID for captiveportal allowedhostnames and editallowedhostnames
- Fix some wrong matches

Revision 6b1f9a99 (diff)
Added by Renato Botelho about 6 years ago

Many fixes on privileges, ticket #3216:

- Remove unused privilege page-diagnostics-logs-wireless
- Remove duplicated privileges
- Fix limiter-info, pf-info and system-pftop that were using wrong name
- Add privs for services-igmpproxy-edit
- Fix ID for captiveportal allowedhostnames and editallowedhostnames
- Fix some wrong matches

History

#1 Updated by Joshua Shoemaker about 6 years ago

I was able to work around this.

Add the lines below to /etc/inc/priv.defs.inc (toward the end, but anywhere as long as it is past line 7 ($priv_list = array();))

$priv_list['page-services-captiveportal-zones'] = array();
$priv_list['page-services-captiveportal-zones']['name'] = gettext("WebCfg - Services: Captiveprotal Zones page");
$priv_list['page-services-captiveportal-zones']['descr'] = gettext("Allow access to the 'Services: CaptivePortal Zones' page.");
$priv_list['page-services-captiveportal-zones']['match'] = array();
$priv_list['page-services-captiveportal-zones']['match'][] = "services_captiveportal_zones.php*";

#2 Updated by Renato Botelho about 6 years ago

  • Target version set to 2.1.1

#3 Updated by Renato Botelho about 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#5 Updated by Rob Lister about 6 years ago

Thanks. I have applied this fix (nb: less typo "Captiveprotal") and this works; however, I have since noticed that it doesn't allow access to the /services_captiveportal_mac.php?zone=xxx page. Even though there appear to be entries in the /etc/inc/priv.defs.inc file for this, it doesn't show up in the list of allowed privs for groups.

Also, in my case the entries for Allowed IPs and Edit Allowed IPs have become duplicated when assigning to a group:

WebCfg - Services: Captive portal: Allowed IPs page
WebCfg - Services: Captive portal: Allowed IPs page
WebCfg - Services: Captive portal: Edit Allowed IPs page
WebCfg - Services: Captive portal: Edit Allowed IPs page

Rob

#6 Updated by Rob Lister about 6 years ago

Okay, I think I might have found the glitch: In the array it's defined twice, once for MAC addresses and again underneath it the same var for hostnames pages. Looks like a copypasta error :)

$priv_list['page-services-captiveportal-macaddresses'] = array();
$priv_list['page-services-captiveportal-macaddresses']['name'] = gettext("WebCfg - Services: Captive portal: Mac Addresses page");
$priv_list['page-services-captiveportal-macaddresses']['descr'] = gettext("Allow access to the 'Services: Captive portal: Mac Addresses' page.");
$priv_list['page-services-captiveportal-macaddresses']['match'] = array();
$priv_list['page-services-captiveportal-macaddresses']['match'][] = "services_captiveportal_mac.php*";

$priv_list['page-services-captiveportal-editmacaddresses'] = array();
$priv_list['page-services-captiveportal-editmacaddresses']['name'] = gettext("WebCfg - Services: Captive portal: Edit MAC Addresses page");
$priv_list['page-services-captiveportal-editmacaddresses']['descr'] = gettext("Allow access to the 'Services: Captive portal: Edit MAC Addresses' page.");
$priv_list['page-services-captiveportal-editmacaddresses']['match'] = array();
$priv_list['page-services-captiveportal-editmacaddresses']['match'][] = "services_captiveportal_mac_edit.php*";

$priv_list['page-services-captiveportal-macaddresses'] = array();
$priv_list['page-services-captiveportal-macaddresses']['name'] = gettext("WebCfg - Services: Captive portal: Allowed Hostnames page");
$priv_list['page-services-captiveportal-macaddresses']['descr'] = gettext("Allow access to the 'Services: Captive portal: Allowed Hostnames' page.");
$priv_list['page-services-captiveportal-macaddresses']['match'] = array();
$priv_list['page-services-captiveportal-macaddresses']['match'][] = "services_captiveportal_hostname.php*";

$priv_list['page-services-captiveportal-editmacaddresses'] = array();
$priv_list['page-services-captiveportal-editmacaddresses']['name'] = gettext("WebCfg - Services: Captive portal: Edit Allowed Hostnames page");
$priv_list['page-services-captiveportal-editmacaddresses']['descr'] = gettext("Allow access to the 'Services: Captive portal: Allowed Hostnames' page.");
$priv_list['page-services-captiveportal-editmacaddresses']['match'] = array();
$priv_list['page-services-captiveportal-editmacaddresses']['match'][] = "services_captiveportal_hostname_edit.php*";

#7 Updated by Rob Lister about 6 years ago

And Edit Allowed hostnames is mistakenly defined for Allowed IPs page:

$priv_list['page-services-captiveportal-allowedhostnames'] = array();
$priv_list['page-services-captiveportal-allowedhostnames']['name'] = gettext("WebCfg - Services: Captive portal: Allowed IPs page");
$priv_list['page-services-captiveportal-allowedhostnames']['descr'] = gettext("Allow access to the 'Services: Captive portal: Allowed IPs' page.");
$priv_list['page-services-captiveportal-allowedhostnames']['match'] = array();
$priv_list['page-services-captiveportal-allowedhostnames']['match'][] = "services_captiveportal_ip.php*";
$priv_list['page-services-captiveportal-editallowedhostnames'] = array();
$priv_list['page-services-captiveportal-editallowedhostnames']['name'] = gettext("WebCfg - Services: Captive portal: Edit Allowed IPs page");
$priv_list['page-services-captiveportal-editallowedhostnames']['descr'] = gettext("Allow access to the 'Services: Captive portal: Edit Allowed IPs' page.");
$priv_list['page-services-captiveportal-editallowedhostnames']['match'] = array();
$priv_list['page-services-captiveportal-editallowedhostnames']['match'][] = "services_captiveportal_ip_edit.php*";

Might explain the duplicates that show up in the list.

$priv_list['page-services-captiveportal-allowedhostnames']['name'] = gettext("WebCfg - Services: Captive portal: Allowed IPs page");
$priv_list['page-services-captiveportal-allowedhostnames']['descr'] = gettext("Allow access to the 'Services: Captive portal: Allowed IPs' page.");
$priv_list['page-services-captiveportal-editallowedhostnames']['name'] = gettext("WebCfg - Services: Captive portal: Edit Allowed IPs page");
$priv_list['page-services-captiveportal-editallowedhostnames']['descr'] = gettext("Allow access to the 'Services: Captive portal: Edit Allowed IPs' page.");
$priv_list['page-services-captiveportal-allowedips']['name'] = gettext("WebCfg - Services: Captive portal: Allowed IPs page");
$priv_list['page-services-captiveportal-allowedips']['descr'] = gettext("Allow access to the 'Services: Captive portal: Allowed IPs' page.");
$priv_list['page-services-captiveportal-editallowedips']['name'] = gettext("WebCfg - Services: Captive portal: Edit Allowed IPs page");
$priv_list['page-services-captiveportal-editallowedips']['descr'] = gettext("Allow access to the 'Services: Captive portal: Edit Allowed IPs' page.");
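
The failure described in comments #5 to #7 can be checked for mechanically. The following is an added example, not pfSense code and not part of the original ticket: it replays priv.defs.inc-style assignments and reports privilege IDs that are initialised twice (the later definition overwrites the earlier one, so its page is no longer covered) and distinct IDs that share a display name. The sample input is constructed from the quoted definitions, and `fnmatch` stands in for the WebGUI's own wildcard matching, which is an assumption.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample in priv.defs.inc style, reduced from comments #6 and #7.
SAMPLE = r'''
$priv_list['page-services-captiveportal-macaddresses'] = array();
$priv_list['page-services-captiveportal-macaddresses']['name'] = gettext("WebCfg - Services: Captive portal: Mac Addresses page");
$priv_list['page-services-captiveportal-macaddresses']['match'] = array();
$priv_list['page-services-captiveportal-macaddresses']['match'][] = "services_captiveportal_mac.php*";
$priv_list['page-services-captiveportal-macaddresses'] = array();
$priv_list['page-services-captiveportal-macaddresses']['name'] = gettext("WebCfg - Services: Captive portal: Allowed Hostnames page");
$priv_list['page-services-captiveportal-macaddresses']['match'] = array();
$priv_list['page-services-captiveportal-macaddresses']['match'][] = "services_captiveportal_hostname.php*";
$priv_list['page-services-captiveportal-allowedhostnames'] = array();
$priv_list['page-services-captiveportal-allowedhostnames']['name'] = gettext("WebCfg - Services: Captive portal: Allowed IPs page");
$priv_list['page-services-captiveportal-allowedips'] = array();
$priv_list['page-services-captiveportal-allowedips']['name'] = gettext("WebCfg - Services: Captive portal: Allowed IPs page");
'''

KEY = r"\$priv_list\['([^']+)'\]"
INIT = re.compile(KEY + r"\s*=\s*array\(\);")
FIELD = re.compile(KEY + r"""\['(name|match)'\](\[\])?\s*=\s*(?:gettext\()?(?:"([^"]*)"|array\(\))""")

def audit(source):
    """Replay the assignments as PHP would; report IDs initialised twice and shared names."""
    privs, redefined = {}, []
    for line in map(str.strip, source.splitlines()):
        if m := INIT.match(line):
            if m[1] in privs:
                redefined.append(m[1])  # the second array() discards the first definition
            privs[m[1]] = {"name": None, "match": []}
        elif m := FIELD.match(line):
            entry = privs.setdefault(m[1], {"name": None, "match": []})
            if m[2] == "name":
                entry["name"] = m[4]
            elif m[3]:                  # ['match'][] = "pattern"
                entry["match"].append(m[4])
            else:                       # ['match'] = array()
                entry["match"] = []
    by_name = defaultdict(list)
    for pid, entry in privs.items():
        by_name[entry["name"]].append(pid)
    return privs, redefined, {n: ids for n, ids in by_name.items() if len(ids) > 1}

def grants(privs, page):  # IDs whose patterns cover `page` (fnmatch is an approximation)
    return [pid for pid, e in privs.items() if any(fnmatchcase(page, p) for p in e["match"])]

print(audit(SAMPLE)[1:])
```

With the sample above, no privilege covers `services_captiveportal_mac.php?zone=xxx` any more, which matches the symptom reported in comment #5.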

#8 Updated by Renato Botelho over 5 years ago

  • Status changed from Feedback to Resolved

#9 Updated by Davide Cottignoli over 3 years ago

I noticed that in versions from 2.2.5 to 2.3.1, which I have tested, there is a regression for this bug. If I want to create a user that has only voucher managing permission, I need to include CaptivePortalZoneEdit permission, which is not desirable.
