Project

General

Profile

Actions
Copy link

Feature #9253

open

RFE: True View-Only WebCFG options

Added by Nicholas Gold over 5 years ago. Updated over 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
User Manager / Privileges
Target version:
-
Start date:
01/04/2019
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

Currently pfSense allows a number of options for WebCfg Status pages to grant access to (e.g. Captive Portal, load, Gateways, Services, Dashboard, etc). While these status pages allow the user to view status, they also appear to allow the user to do things like stop and restart services, make changes to the configured Dashboard (add/remove items as well as stop/start/restart services), disable/delete active captive portal sessions, etc.

Would be very helpful to have the option to define a true view-only class of access which completely removes any access to stop/start/restart of services, editing of Dashboard objects, etc. The goal in mind would be create a view-only environment to hand off to NOC/SOC teams.

Actions
Copy link
 #1

Updated by Joshua Sign over 5 years ago

Actions
Copy link
 #2

Updated by Nicholas Gold over 5 years ago

Joshua Sign wrote:

maybe this can help you : https://redmine.pfsense.org/issues/9252#note-1

Joshua, Thanks for the suggestion!

I did attempt to lock it down with the "Deny Config Write" permission, with mixed but mostly negative results.

Dashboard:

  • Additions or removals of widgets - Clicking a [+] for new widget or [X] to remove existing widget results in a page refresh with no change to Dashboard: Pass
  • Stopping/Starting/Restarting a service via Services Widget - Clicking any option next to any service allowed the user to affect the service: Fail

Status > Services:

  • Stopping/Starting/Restarting Service - Clicking any option next to any service allowed the user to affect the service: Fail
Actions
Copy link
 #3

Updated by Jim Pingle over 5 years ago

Starting and stopping services are not config writes, they are state changes. The "Deny Config Write" privilege does exactly what it was designed to do, nothing more.

There is not currently a privilege that will deny a user from performing actions.

Actions
Copy link
 #4

Updated by Nicholas Gold over 5 years ago

Jim Pingle wrote:

There is not currently a privilege that will deny a user from performing actions.

Thanks, that lines up with the behavior/options I was seeing. I'll keep watching this RFE to see if it's adopted.

Actions
Copy link
 #5

Updated by Jim Pingle over 4 years ago

  • Category changed from Web Interface to User Manager / Privileges
Actions
Copy link

Also available in: Atom PDF