diff --git a/lib/NGCP/Panel.pm b/lib/NGCP/Panel.pm
index cca74dfee4..c4aaec99f1 100644
--- a/lib/NGCP/Panel.pm
+++ b/lib/NGCP/Panel.pm
@@ -135,7 +135,7 @@ __PACKAGE__->config(
 user_model => 'DB::admins',
 id_field => 'id',
 store_user_class => 'NGCP::Panel::Authentication::Store::RoleFromRealm',
- use_userdata_from_session => 1,
+ use_userdata_from_session => 0,
 }
 },
 admin_bcrypt => {
@@ -150,7 +150,7 @@ __PACKAGE__->config(
 user_model => 'DB::admins',
 id_field => 'id',
 store_user_class => 'NGCP::Panel::Authentication::Store::RoleFromRealm',
- use_userdata_from_session => 1,
+ use_userdata_from_session => 0,
 }
 },
 api_admin_cert => {
@@ -199,7 +199,7 @@ __PACKAGE__->config(
 class => 'DBIx::Class',
 user_model => 'DB::provisioning_voip_subscribers',
 store_user_class => 'NGCP::Panel::Authentication::Store::RoleFromRealm',
- # use_userdata_from_session => 1,
+ use_userdata_from_session => 0,
 },
 use_session => 0,
 },
@@ -247,7 +247,7 @@ __PACKAGE__->config(
 user_model => 'DB::provisioning_voip_subscribers',
 id_field => 'id',
 store_user_class => 'NGCP::Panel::Authentication::Store::RoleFromRealm',
- use_userdata_from_session => 1,
+ use_userdata_from_session => 0,
 }
 }
 },
diff --git a/lib/NGCP/Panel/Authentication/Store/SystemRole.pm b/lib/NGCP/Panel/Authentication/Store/SystemRole.pm
index 75a949cab8..471766ab5e 100644
--- a/lib/NGCP/Panel/Authentication/Store/SystemRole.pm
+++ b/lib/NGCP/Panel/Authentication/Store/SystemRole.pm
@@ -10,6 +10,18 @@ sub roles {
 : $self->{roles};
 }
+sub id { 0 };
+sub is_active { 1 };
+sub is_system { 1 };
+sub is_master { 1 };
+sub is_superuser { 1 };
+sub is_ccare { 0 };
+sub is_readonly { 0 };
+sub show_passwords { 1 };
+sub call_data { 1 };
+sub billing_data { 1 };
+sub lawful_intercept { 0 };
+
 1;
 # vim ts=4 sw=4 et
diff --git a/lib/NGCP/Panel/Controller/Root.pm b/lib/NGCP/Panel/Controller/Root.pm
index 0285b20087..18fb1a48e0 100644
--- a/lib/NGCP/Panel/Controller/Root.pm
+++ b/lib/NGCP/Panel/Controller/Root.pm
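Review bot: None of the four `use_userdata_from_session => 0` lines (this hunk and the -150, -199 and -247 hunks) says why the session copy of the user is being abandoned, and the reason is what makes the rest of the commit work: if I read the Catalyst DBIx::Class store correctly, `0` makes every request re-load the admin or subscriber row from the database instead of trusting the row data cached in the session at login, which is the only way a later deactivation or `read_only` change can take effect before the next login. Suggest a comment on the first occurrence such as `# re-fetch the user row on every request so is_active/read_only changes apply immediately (one extra lookup per request)`, so the per-request cost is not "optimised" back to `1` by a later cleanup. In the -199 hunk the same realm also has `use_session => 0`, so the new key presumably changes nothing there; a short `# no-op here (no session), kept for consistency` would save the next reader the same question.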
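Review bot: The Root::auto system-auth branch (the -167 hunk in Root.pm) now returns `check_user_access($c)`, and that sub calls `$c->user->uuid` and `$c->user->read_only` on whatever user the branch installed; this hunk adds `is_readonly` but neither `uuid` nor `read_only`, so unless those accessors already exist elsewhere in SystemRole (outside the hunk) a request authenticated as NGCP::API::Client would presumably die with a method-not-found error rather than be granted or denied. Either add `sub uuid { undef }` and `sub read_only { 0 }` next to the new predicates or confirm they exist further up the file. The new methods are unconditional capability grants (`is_superuser`, `show_passwords`, `call_data`, `billing_data` all return 1), which deserves a header comment, e.g. `# capability predicates of the internal system role; every grant here is fixed by design, not looked up`, so they are not mistaken for database-backed checks. The trailing `;` after each `sub … { }` is an empty statement and can be dropped.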
@@ -154,7 +154,7 @@ sub auto :Private {
 return;
 }
 $self->api_apply_fake_time($c);
- return 1;
+ return $self->check_user_access($c);;
 } elsif ($c->req->headers->header("NGCP-UserAgent") && $c->req->headers->header("NGCP-UserAgent") eq "NGCP::API::Client") {
 $c->log->debug("++++++ Root::auto API request with system auth");
@@ -167,7 +167,7 @@ sub auto :Private {
 }
 $self->api_apply_fake_time($c);
- return 1;
+ return $self->check_user_access($c);
 } elsif ($c->req->headers->header("Authorization") && $c->req->headers->header("Authorization") =~ m/^Bearer /) {
 $c->log->debug("++++++ Root::auto API request with JWT");
@@ -180,7 +180,7 @@ sub auto :Private {
 }
 $self->api_apply_fake_time($c);
- return 1;
+ return $self->check_user_access($c);
 } elsif ($ngcp_api_realm eq "subscriber") {
 $c->log->debug("++++++ Root::auto API subscriber request with http auth");
 my $realm = "api_subscriber_http";
@@ -212,7 +212,7 @@ sub auto :Private {
 return;
 }
 $self->api_apply_fake_time($c);
- return 1;
+ return $self->check_user_access($c);
 } else {
 $c->log->debug("++++++ Root::auto API admin request with http auth");
 my $realm = "api_admin_http";
@@ -231,6 +231,7 @@ sub auto :Private {
 if($c->user->read_only && $c->req->method eq "POST" && $c->req->uri->path =~ m|^/api/admincerts/$|) {
 $c->log->info("let read-only user '".$c->user->login."' generate admin cert for itself");
+ return 1;
 } elsif($c->user->read_only && !($c->req->method =~ /^(GET|HEAD|OPTIONS)$/)) {
 $c->log->error("invalid method '".$c->req->method."' for read-only user '".$c->user->login."', rejecting");
 $c->user->logout;
@@ -243,7 +244,7 @@ sub auto :Private {
 return;
 }
 $self->api_apply_fake_time($c);
- return 1;
+ return $self->check_user_access($c);
 }
 }
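Review bot: `return $self->check_user_access($c);;` in the -154 hunk carries a doubled semicolon; Perl accepts the empty statement, but it reads as a typo and should be `return $self->check_user_access($c);`. The same call replaces `return 1` in the -167, -180, -212 and -243 hunks, and since the result of `auto` gates the whole action chain, the first occurrence would benefit from a one-line comment such as `# authorization step; detaches to /denied_page and never returns on failure`. `sub auto` begins before this hunk and the branches continue outside it.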
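Review bot: The `return 1;` added in the -231 hunk for the read-only admincerts exception returns before `check_user_access` is reached, so the inactive-user denial that sub introduces does not apply on this path; unless authentication itself already rejects inactive admins (not visible here), a deactivated read-only admin could still POST `/api/admincerts/` and mint itself a certificate. Keep the exemption from the read-only rule but apply the activity check explicitly: `$c->detach('/denied_page') unless $c->user->is_active;` followed by `return 1;`. The early return also skips the `$self->api_apply_fake_time($c)` call that the -243 hunk shows every other path in this branch makes; if that matters for this request type it needs to move above the `if`. The enclosing `sub auto` starts and ends outside the hunk.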
@@ -273,16 +274,6 @@ sub auto :Private {
 $c->log->debug("*** Root::auto grant access for authenticated user");
- # check for read_only on write operations
- if($c->user->read_only && (
- $c->req->uri->path =~ /create/
- || $c->req->uri->path =~ /edit/
- || $c->req->uri->path =~ /delete/
- || !($c->req->method =~ /^(GET|HEAD|OPTIONS)$/)
- )) {
- $c->detach('/denied_page');
- }
-
 if (exists $c->config->{external_documentation}{link} && 'ARRAY' ne ref $c->config->{external_documentation}{link}) {
 $c->config->{external_documentation}{link} = [$c->config->{external_documentation}{link}];
 }
@@ -303,7 +294,7 @@ sub auto :Private {
 $c->session->{created_objects} = {} unless(defined $c->session->{created_objects});
- return 1;
+ return $self->check_user_access($c);
 }
 sub root_index :Path :Args(0) {
@@ -380,13 +371,41 @@ sub denied_page :Private {
 $c->log->error('Access denied to path ' . $c->request->path );
 if($c->request->path =~ /^api\/.+/) {
 $c->response->content_type('application/json');
- $c->response->body(JSON::to_json({ code => 403, message => 'Path forbidden' })."\n");
+ $c->response->body(JSON::to_json({ code => 403, message => 'Forbidden' })."\n");
 } else {
 $c->stash(template => 'denied_page.tt');
 }
 $c->response->status(403);
 }
+sub check_user_access {
+ my ($self, $c) = @_;
+
+ my $path = $c->req->uri->path;
+
+ if ($path =~ /^\/(login|logout|login_jwt|admin_login_jwt)$/) {
+ return 1;
+ }
+
+ # deny access to inactive users
+ if ($c->user_exists && !$c->user->uuid && !$c->user->is_active) {
+ $c->detach('/denied_page');
+ return;
+ }
+
+ # deny access to read-only users
+ if ($c->user_exists && $c->user->read_only &&
+ ($path =~ /create/ ||
+ $path =~ /edit/ ||
+ $path =~ /delete/ ||
+ $c->req->method =~ /^(POST|PUT|PATCH|DELETE)$/)) {
+ $c->detach('/denied_page');
+ return;
+ }
+
+ return 1;
+}
+
 sub emptyajax :Chained('/') :PathPart('emptyajax') :Args(0) {
 my ($self, $c) = @_;
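Review bot: The method test in the new `check_user_access` (-380 hunk) is a deny-list, `$c->req->method =~ /^(POST|PUT|PATCH|DELETE)$/`, whereas the inline check it replaces (removed in the -273 hunk) was an allow-list that rejected everything outside GET/HEAD/OPTIONS for read-only users; any other method, including non-standard ones a proxy or client might send, now passes the read-only gate. Restore the allow-list form, `$c->req->method !~ /^(?:GET|HEAD|OPTIONS)$/`, which also matches the API-side check still present in the -231 hunk. The sub has no header comment; suggest a short one stating that it is the per-request authorization step for already-authenticated users, that `/login`-style paths are exempt, that the inactive-user rule applies only to users without a `uuid` (presumably admins rather than subscribers, worth confirming), and that denial is by `$c->detach('/denied_page')`. Assuming Catalyst `detach` behaves as usual it never returns, so the two `return;` lines after it are unreachable and can go.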