Feature #9253

RFE: True View-Only WebCFG options

Added by Nicholas Gold 6 months ago. Updated 6 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Web Interface
Target version: -
Start date: 01/04/2019
Due date:
% Done: 0%
Estimated time:

Description

Currently pfSense allows a number of options for WebCfg Status pages to grant access to (e.g. Captive Portal, load, Gateways, Services, Dashboard, etc). While these status pages allow the user to view status, they also appear to allow the user to do things like stop and restart services, make changes to the configured Dashboard (add/remove items as well as stop/start/restart services), disable/delete active captive portal sessions, etc.

Would be very helpful to have the option to define a true view-only class of access which completely removes any access to stop/start/restart of services, editing of Dashboard objects, etc. The goal in mind would be to create a view-only environment to hand off to NOC/SOC teams.

History

#1 Updated by Joshua Sign 6 months ago

#2 Updated by Nicholas Gold 6 months ago

Joshua Sign wrote:

Maybe this can help you: https://redmine.pfsense.org/issues/9252#note-1

Joshua, thanks for the suggestion!

I did attempt to lock it down with the "Deny Config Write" permission, with mixed but mostly negative results.

Dashboard:

  • Additions or removals of widgets - Clicking a [+] for new widget or [X] to remove existing widget results in a page refresh with no change to Dashboard: Pass
  • Stopping/Starting/Restarting a service via Services Widget - Clicking any option next to any service allowed the user to affect the service: Fail

Status > Services:

  • Stopping/Starting/Restarting Service - Clicking any option next to any service allowed the user to affect the service: Fail

#3 Updated by Jim Pingle 6 months ago

Starting and stopping services are not config writes, they are state changes. The "Deny Config Write" privilege does exactly what it was designed to do, nothing more.

There is not currently a privilege that will deny a user from performing actions.

#4 Updated by Nicholas Gold 6 months ago

Jim Pingle wrote:

There is not currently a privilege that will deny a user from performing actions.

Thanks, that lines up with the behavior/options I was seeing. I'll keep watching this RFE to see if it's adopted.
