Project

General

Profile

Bug #6088

RADIUS WebUI - Deny Config Write is not honored

Added by Phillip Hernandez over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Web Interface
Target version:
Start date:
04/07/2016
Due date:
% Done:

100%

Estimated time:
Affected Version:
All
Affected Architecture:

Description

After authenticating with a user that has been put into a group with "Deny Config Write" it is not enforced. If you create a local user in that same group it is enforced as expected.

Associated revisions

Revision 0ef6fddc (diff)
Added by Jim Pingle over 3 years ago

Teach get_user_privileges how to retrieve groups from LDAP/RADIUS, and have getUserEntry fall back to a format that will allow it to function. Net result is that now userHasPrivilege() will respect remote groups as well as local groups, which fixes #6088

Revision 100d0f77 (diff)
Added by Jim Pingle over 3 years ago

Teach get_user_privileges how to retrieve groups from LDAP/RADIUS, and have getUserEntry fall back to a format that will allow it to function. Net result is that now userHasPrivilege() will respect remote groups as well as local groups, which fixes #6088

History

#1 Updated by Phillip Hernandez over 3 years ago

For clarity, when the user is authenticated with RADIUS and the deny config write is set it is not enforced.

#2 Updated by Jim Pingle over 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Jim Pingle
  • Target version set to 2.3
  • Affected Version set to 2.3

Confirmed, working on a fix now.

#3 Updated by Jim Pingle over 3 years ago

  • Target version changed from 2.3 to 2.3.1

Looking at the code, this is not a regression. It will be good to fix, but the fix is non-trivial so it's better to hold it back for the next point release.

#4 Updated by Jim Pingle over 3 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

#5 Updated by Phillip Hernandez over 3 years ago

I wanted to confirm that this works. I created a custom patch to apply to my pfsense boxes that are running 2.2.6 and Deny Config Write is now honored.

Thanks

#6 Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved

Thanks for the additional testing

#7 Updated by Chris Buechler about 3 years ago

  • Affected Version changed from 2.3 to All

Also available in: Atom PDF