This is a suggested way to allow control of the display and clearing of notices. The use case is:
1) A user with minimal page privs (e.g. can just change their password, or access a few status pages or...) should not be automatically able to see notices or clear them, because notices might contain critical system information which discloses some problem with the system, and clearing them would prevent a full firewall administrator from seeing them.
For this implementation:
a) Users with all pages (admin, anyone in the admins group or with pages-all priv) will see notices and can clear them.
b) Users with user-view-notices can see the notices but not clear them.
c) Users with user-view-clear-notices can see the notices and also clear them.
d) Other users do not see notices.
In its current implementation, this is not totally backward-compatible. Users who have only a few page privs will see notices prior to upgrade, then after upgrade they will not be able to see notices. The firewall administrator will have to grant them user-view-notices or user-view-clear-notices if they wish these users to see and/or clear notices.
It would be possible to automatically add these privs to existing users as a config upgrade step, but actually I suspect that in 99% of cases the firewall admin would not really want such users to see/clear notices.
Add privs to control display of notices
This is a suggested way to allow control of the display and clearing of
notices. The use case is:
1) A user with minimal page privs (e.g. can just change their password,
or access a few status pages or...) should not be automatically able to
see notices or clear them, because notices might contain critical system
information which discloses some problem with the system, and clearing
them would prevent a full firewall administrator from seeing them.
For this implementation:
a) Users with all pages (admin, anyone in the admins group or with
pages-all priv) will see notices and can clear them.
b) Users with user-view-notices can see the notices but not clear them.
c) Users with user-view-clear-notices can see the notices and also clear
them.
d) Other users do not see notices.
In its current implementation, this is not totally backward-compatible.
Users who have only a few page privs will see notices prior to upgrade,
then after upgrade they will not be able to see notices. The firewall
administrator will have to grant them user-view-notices or
user-view-clear-notices if they wish these users to see and/or clear
notices.
It would be possible to automatically add these privs to existing users
as a config upgrade step, but actually I suspect that in 99% of cases
the firewall admin would not really want such users to see/clear
notices.
Discussion welcome...
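The rules a) to d) and the upgrade impact described above, worked through as an added example that is not part of the original pull request or of pfSense. The user/group data model, the function names and the `page-example-*` privilege names are assumptions made for illustration; `pages-all`, `user-view-notices` and `user-view-clear-notices` are spelled as in the description.

```python
# Added example, not pfSense code. Data model and helper names are hypothetical.
ALL_PAGES = "pages-all"  # spelled as in the description above
VIEW = "user-view-notices"
VIEW_CLEAR = "user-view-clear-notices"

def effective_privs(user, groups):
    """Union of the user's own privs and those of every group they are in."""
    privs = set(user["privs"])
    for group in groups:
        if user["name"] in group["members"]:
            privs |= set(group["privs"])
    return privs

def notice_access(user, groups):
    """Return (can_view, can_clear) under rules a) to d)."""
    privs = effective_privs(user, groups)
    in_admins = any(g["name"] == "admins" and user["name"] in g["members"]
                    for g in groups)
    if user["name"] == "admin" or in_admins or ALL_PAGES in privs:
        return (True, True)    # a) full administrators
    if VIEW_CLEAR in privs:
        return (True, True)    # c) view and clear
    if VIEW in privs:
        return (True, False)   # b) view only
    return (False, False)      # d) everyone else: deny by default

def users_losing_notices(users, groups):
    """Users without view access after the change (they saw notices before it)."""
    return sorted(u["name"] for u in users if not notice_access(u, groups)[0])

# Constructed sample data; the page-example-* names are placeholders.
GROUPS = [
    {"name": "admins", "members": ["admin", "alice"], "privs": [ALL_PAGES]},
    {"name": "helpdesk", "members": ["bob"], "privs": ["page-example-status", VIEW]},
]
USERS = [
    {"name": "admin", "privs": []},
    {"name": "alice", "privs": []},
    {"name": "bob", "privs": []},
    {"name": "carol", "privs": ["page-example-password", VIEW_CLEAR]},
    {"name": "dave", "privs": ["page-example-password"]},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["name"], notice_access(u, GROUPS))
    print("lose notices after upgrade:", users_losing_notices(USERS, GROUPS))
```

The last function gives an administrator the list to review before upgrading: each user on it needs an explicit grant if they should keep seeing notices.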