ngcp-panel

Commit Graph

Author	SHA1	Message	Date
Sipwise Jenkins Builder	30ff93f660	Release new version 10.5.7.1+0~mr10.5.7.1	1 year ago
Kirill Solomko	4f39d4d20c	MT#56301 move lock_provisioning_voip_subscriber before underrun_lock * POST /api/subscribers/ invoke lock_provisioning_voip_subscriber() before underrun_lock(), so that if the subscriber is about to be locked due to customer balance costs, the lock_provisioning_lock_subscriber() invocation will not unlock it back straight after Change-Id: I55020f844c9aa76df2e2f057a88b2ae7c9ebbfcc (cherry picked from commit `c6aaaddd87`)	1 year ago
Rene Krenn	e5ea0bad56	MT#56301 set locklevel of created subscribers only if specified Change-Id: I90f2d68dee50ab240de4eb5af7495ddd551c00d8 (cherry picked from commit `df670f501f`)	1 year ago
Marco Capetta	a31f0f0fba	MT#56301 Fix API creation of an active subscriber with lock Using API is possibile to edit an existing subscriber and set status: active and lock: 2. It is instead impossbile to create a new subscriber with the same configuration because the 'lock' param is not taken into account. The only way to properly setup lock level it is to set the status to 'locked' and this is in fact wrong. The fix address this issue and allow now to create a new subscriber with status: active and lock: 2. Change-Id: Id18e40bc001c5a7de30f5d148231bda93a3b1b3d (cherry picked from commit `8945b8a5ac`)	1 year ago
Kirill Solomko	0d9c469789	MT#59835 /api/billingzones fix HAL ngcp:billingfees relation * billing fees relation was rendering all associated billing fees and that was causing huge data sets to be returned if a billing zones had many fees, now instead a single link is returned /api/billingfees/?billing_zone_id=:id. this is also on par with other links like /api/billingfees/:id Change-Id: Iabb7afb3bf43abf9a22c71750d45a1962a7f16ec (cherry picked from commit `e4cda08bd4`)	1 year ago
Kirill Solomko	46338fb9d1	MT#59797 /api/headerruleconditions (actions) fix reseller role * fix resultset when user role is reseller so that reseller_id is joined correctly and a db error is not produced anymore. Change-Id: I2a1b357037d983f23770bb59519fc2cb8b68a7e4 (cherry picked from commit `bf249f9d96`)	1 year ago
Rene Krenn	0cefd1075f	MT#59748 drop ngcp-provisioning-template test dbhost Change-Id: I7218ed36cff2f51f5a6f862f41e5da94ff0d464b (cherry picked from commit `14e5b918b3`)	1 year ago
Rene Krenn	3d745dc2d1	MT#59025 fix peering groups name filter Change-Id: I329e644c937058069c5932abf8e897dce48a8c10 (cherry picked from commit `1e9f223276`)	1 year ago
Rene Krenn	10f3b93075	MT#58762 adjust restpi tests v2 to harmonized wildcard filters #1 Change-Id: Icdf581f425f5e28ba22480424f04355181b4f3b3 (cherry picked from commit `73a967bfb6`)	1 year ago
Rene Krenn	eb44ad88a0	MT#58762 adjust restpi tests v2 to harmonized wildcard filters Change-Id: Ie100612c9f284e9acad6b305345751bb07adfab9 (cherry picked from commit `bad2e32802`)	1 year ago
Marco Capetta	65a9a52c87	MT#58762 Fix typo in swagger documentation Fix typo of commit `308a974059` that was causing to fail the generation of the the swagger documentation with the message: ngcp-panel: ERROR: Couldn't render template "api/root.tt: file error - parse error - api/root/collection.tt line 112: unexpected token (=)#012 [% IF f.query_type = 'wildcard' %]" Change-Id: I35882b97b2a86a7f54829f017ab1cb19b3b9f6e5 (cherry picked from commit `1474584b60`)	1 year ago
Rene Krenn	6ab7c0b942	MT#58762 adjust restpi tests to harmonized wildcard filters Change-Id: I68b2199a3487fedb388803012c950c3abca1a8b3 (cherry picked from commit `aa2d07ef29`)	1 year ago
Rene Krenn	aacf44c605	MT#58762 harmonize restapi wildcard filters - all standard LIKE search are migrated - will avoid LIKE unless a pattern (* wildcard) is used as a search term. this encourage db index usage, will be faster - supports wildcard escape sequence \\* - harmonize swagger UI descriptions of filters Change-Id: Iea155871c9be6c284e6970a562d4e6af73fedc4b (cherry picked from commit `308a974059`)	1 year ago
Sipwise Jenkins Builder	ce35d341dd	Release new version 10.5.7.0+0~mr10.5.7.0	2 years ago
Rene Krenn	827fbd1cbc	MT#57070 ignore undef enum.default_val while provisioning.voip_preference_enums.default_val is supposed to be a flag variable, it is NULL for some prefs. we prevent a 500 error when editing such value in this case now. Change-Id: Idc5e0f1f0de93f9d0b6645982025c8b45bae1ec4 (cherry picked from commit `dd9d57c33b`)	2 years ago
Rene Krenn	b62da79a0e	MT#56239 avoid ambersand symbol in apidoc descriptions Change-Id: Ic024d16c008648cb4d9cf14ae0e58d1ebe8febe9 (cherry picked from commit `71480acfa3`)	2 years ago
Rene Krenn	c57231de40	MT#56239 api/callrecordings support filtering multiple metakeys filtering an Entity-Attribute-Value model cannot be done as simple conjunctions, but requires either INTERSECT set operation, or joining the same table multiple times. Change-Id: I5ce1ae1ece9406b6610487654f09d768a233b122 (cherry picked from commit `8e82715eb8`)	2 years ago
Kirill Solomko	d9ee558764	MT#57100 avoid where ambiguity for query_types search_eq,search_like * uses prefix 'me.' for query types search_eq and search_like in the where condition to avoid ambiguity if the search_rs has joins that with the same column names Change-Id: I90fef80970aa4415480b00bbed2fb9fbee1f1ccc (cherry picked from commit `c58a8b9b1f`)	2 years ago
Rene Krenn	f9dc78a25e	MT#56239 api general caller/callee wildcard search support various api rails will need to support ?caller= and ?callee= url query parameters. since this involves SQL queries against potentially large database tables, special care is taken with wildcard search to prevent slow queries: - the ?wildcards=true query parameter has to be specified to accept search patterns that contain wildcard symbols, so wildcards are not accepted by default. WARNING: a search string with a leading wildcard will always force a slow full db table scan! - the * symbol is used as a wildcard symbol - \ (backslash) is used as escape character to search for a literal '*' Change-Id: Ie6065b0cfa883f7963e1dc8259fffea9a1edfdfe (cherry picked from commit `9c3a549094`)	2 years ago
Rene Krenn	b1c216ee71	MT#58346 fix conversations voicemail timestamp filter Change-Id: I86fc4db7d5efddf73f6c0b068b1c9e79913fddaf (cherry picked from commit `5eff0601b5`)	2 years ago
Rene Krenn	eb7d5ca2a1	MT#58346 fix panel datatable filtering Change-Id: I4ce2e07a3ffa0715e385d811737f850aacaa5d90 (cherry picked from commit `d546387651`)	2 years ago
Rene Krenn	f5b6615680	MT#58346 caller/callee filters for conversations the conversation list now supports ?caller= and ?callee= url query parameters. since this involves SQL queries against potentially large database tables, special care is taken with wildcard search to prevent slow queries: - the ?wildcard=true query parameter has to be specified to accept search patterns that contain wildcard symbols, so wilddcards are not accepted by default. WARNING: a search string with a leading wildcard will always force a slow full db table scan! - the * symbol is used as a wildcard symbol - \ (backslash) is used as escape character to search for a literal '*' Change-Id: I792d2ea9c649c69c4b5cc98076097cb96467d4bc (cherry picked from commit `ae612eb401`)	2 years ago
Marco Capetta	77232ab1c7	MT#54356 Fix swagger documentation for 'calllist' api The 'duration' field is reported in the documentation as 'number' but in fact it is a string, for example: "0:00:16.495". In the commit the definition of the parameter is changed from PosInteger to Text Change-Id: I317006f5bbb5c4b7ffea0abe29dc0b175d8f95e6 (cherry picked from commit `958e40e2ca`)	2 years ago
Fabricio Santolin da Silva	b2529fb613	MT#58468 Fix special characters incorrectly interpreted by paps Change-Id: I15682d0e3bbe53cc372a5eb1a162e7592e9a3b11 (cherry picked from commit `3c5cf0b537`)	2 years ago
Kirill Solomko	53f28f4b93	MT#58157 escape uri refs in body.tt * URI that comes from c.req.uri must be escaped as Catalyst provides c.req.uri unescaped. * new Catalyst::NGCP::Plugin::EscapeURI with escape_uri() function * new NGCP::Panel::Utils::Generic::escape_uri() that uses URI::Escape::uri::escape_utf8() * c.req.uri and c.req.path occurrences in layout/body.tt are now escaped with c.escape_uri() Change-Id: Id0483fa6e570a0ff8db84b1d470caf5405cc0886 (cherry picked from commit `c826fccb29`)	2 years ago
Sipwise Jenkins Builder	17b756d68f	Release new version 10.5.6.0+0~mr10.5.6.0	2 years ago
Marco Capetta	adf47c1587	MT#56181 Fix link of AutoAttendant edit slots From the very origin of the AA module the link used in panel to create/edit the AA slots were '/preferences/speeddial/edit'. This is wrong and most probably coming from a copy and paste of the speeddial feature. The commit fix the link and it is now chaged to the following '/preferences/autoattendant/edit'. Change-Id: I095b433cad78fb0175b0551fcfdea85815f73cdf (cherry picked from commit `28340ce871`)	2 years ago
Nico Schedel	40909df586	MT#55491 fix tests for mr10.5 point releases Change-Id: Ib34b731edf79c26a38905a7ffa8beabb66df4cca	2 years ago
Marco Capetta	1a6567c648	MT#57469 Fix kamailio lcr reload on PATCH/PUT APIs When calling a PATCH or PUT API on a peering group or outbound rule the reload of the kamailio lcr module was triggered before the update of the database, thus the kamailio status was not updated. Change-Id: I59ed863c85219e62d6f5b5a2af80db8ef952844c (cherry picked from commit `be7193e75b`)	2 years ago
Marco Capetta	51e549b9a5	MT#57342 /api/subscribers fix field role inconsistency When the subscriber preferences API is called by a subscriber admin of a normal (not PBX) customer, then some values are removed from the output. In all the other cases those values are instead returned. This fix let expose the profile_id, domain_id, status and webpassword to all the types of subscribers because necessary in the CSC context. Change-Id: I629475e7f51d747a55ebfbc44232fb94a54fed06 (cherry picked from commit `ce6884ebab`)	2 years ago
Sipwise Jenkins Builder	792339d8b2	Release new version 10.5.5.0+0~mr10.5.5.0	2 years ago
Marco Capetta	1d2b91fb6b	MT#56776 Fix peer deletion when not enabled Deletion of a disabled peer was not working because panel was trying to get the correspondant ID from the LCR table, while the entry is not there because peer was in fact disabled. To fix it an additional check has been added to evaluate if the peer is enabled or not at the moment of the deletion. Change-Id: I3c488a8711c5f7b486b6c0a3950738fb8689bb07 (cherry picked from commit `0274ab04c3`)	2 years ago
Kirill Solomko	afc6a7ed69	MT#56802 fix preferences default values selection * preferences form with enum values now set the default one as selected if no preference is set yet. * disable autocomplete for the preferences table fields. this addresses Firefox using incorrect selected values even though the correct data is sent by the server. Change-Id: I6865eec05c085b89e651b125a7f35724859ccbc2 (cherry picked from commit `3c1842c122`) (cherry picked from commit `33e39cdac5`)	2 years ago
Rene Krenn	4176e8820d	MT#56417 make Provisioning Templates "contract_contact" and "contract" sections optional to better fit the usecase of updating subscribers, we make the contract and contract_contact sections no longer mandatory. Change-Id: If3c34f2cd3a5201cf7da2729369fd6b1003f1a80 (cherry picked from commit `7cbf2f64bd`)	2 years ago
Sipwise Jenkins Builder	1c252518c7	Release new version 10.5.4.0+0~mr10.5.4.0	2 years ago
Rene Krenn	423e084ddc	MT#55694 MT#55419 provide generated datatable search tooltips the search field of admin-panel datatables was tuned/configured over time to allow fastest possible search, "as-you-type". for large tabels it eg. will only include indexed columns, which never was transparent to the users. the UI will now display tooltip texts with detailed hints about included columns, wildcard support, etc. Change-Id: I737732a55003d50068236bb0150a2f47d06deaf5 (cherry picked from commit `ff198cef49`)	2 years ago
Rene Krenn	9d21a5dd87	MT#55972 support wildcard search for customer external_id Change-Id: I8287f7650f68dab2e806259ec00ffad2ba45fe1a (cherry picked from commit `e9367e0cfe`)	2 years ago
Kirill Solomko	1a1fb8f4ff	MT#56087 fix /api/callforwards sets auto creation * with PUT/PATCH data source and bnumber quick sets are correctly automatically created now Change-Id: Ia6f3be8958081f1611a1473b35c73826a9ed8784 (cherry picked from commit `e2afe2ea06`)	2 years ago
Kirill Solomko	c31e221028	MT#55871 /api/subscribers optimise GET alias_numbers * "alias_numbers" array when the resource is prepared is created directly from the resultset, avoiding 'foreach' loops and conditions. This improves performance on ~8000 voip_numbers from ~35 seconds to ~3 seconds. * is_devid is now always present in the "alias_numbers" object, and it's =0 if there is no related entry in provisioning.voip_dbaliases Change-Id: Ia05b26208f3fec3a9b2203aafe9b4c09b98ca44d (cherry picked from commit `0c4deaaad0`)	3 years ago
Kirill Solomko	e19303a7cc	MT#55864 /api/subscribers correctly process administrative flag * administrative flag is now correctl set to false when requested by the client Change-Id: I81a1951f90ce9885bff806d39e11098475d93ac1 (cherry picked from commit `507d088586`)	3 years ago
Kirill Solomko	02dc26d4cd	MT#55618 /api/subscribers fix default contract_sound_set assignment * when a new subscriber is created via POST, if the associated customer has at least one default contract_sound_set, it is correctly assigned to the subscriber as the "contract_sound_set" preference. the logic is now inline with the UI behaviour Change-Id: Ifeb86faf6718648b29e6391bd16752766358ed0f (cherry picked from commit `826d3f1d9f`)	3 years ago
Nico Schedel	59208410fe	MT#55677 fix for "Unstable ngcp-panel-test-selenium-docker runs with failing tests" this fix is for domain tests only. failing admins tests are an aui issue Change-Id: Ief3047eadf65443c42589c1a24e9d6b2d1c5b898	3 years ago
Michael Prokop	aa7c010571	TT#76552 systemd: reduce hardening for sendmail(1) usage If a customer has email templates enabled, adding a subscriber fails due to: \| Failed to create subscriber: error when closing pipe to sendmail: \| Trace begun at /usr/share/perl5/Email/Sender/Transport/Sendmail.pm line 94 \| Email::Sender::Transport::Sendmail::send_email('Email::Sender::Transport::Sendmail=HASH(0x56251dc80e58)', 'Email::Abstract=ARRAY(0x56252f40f0c0)', 'HASH(0x56252f3fd600)') called at /usr/share/perl5/Email/Sender/Role/CommonSending.pm line 45 \| Email::Sender::Role::CommonSending::try {...} at /usr/share/perl5/Try/Tiny.pm line 102 \| eval {...} at /usr/share/perl5/Try/Tiny.pm line 93 \| [...] Similar, sending subscriber reset password mails etc are also failing. When strace-ing ngcp-panel's fcgi process, one can observe: \| 25173 openat(AT_FDCWD, "/var/spool/exim4//input//1ogR98-0006Y1-IA-D", O_RDWR\|O_CREAT\|O_EXCL, 0640) = -1 EACCES (Permission denied) Now, when disabling all of the systemd hardening, it works fine. Comparing such a working with a failing process, the following changes within /proc/$PID/status can be observed: \| diff -urN proc.failing/status proc.working/status \| --- proc.failing/status 2022-10-06 18:06:08.519873211 +0200 \| +++ proc.working/status 2022-10-06 18:08:17.071722642 +0200 \| [...] \| CapInh: 0000000000000000 \| CapPrm: 0000000000000000 \| CapEff: 0000000000000000 \| -CapBnd: 000001fbffffffff \| +CapBnd: 000001ffffffffff \| CapAmb: 0000000000000000 \| -NoNewPrivs: 1 \| -Seccomp: 2 \| -Seccomp_filters: 3 \| +NoNewPrivs: 0 \| +Seccomp: 0 So NoNewPrivs gets enabled, even though we don't explicitly set NoNewPrivileges but e.g. only ProtectClock=yes. This is expected behavior though, quoting from systemd.exec(5) \| NoNewPrivileges= \| \| Takes a boolean argument. If true, ensures that the service \| process and all its children can never gain new privileges through \| execve() (e.g. via setuid or setgid bits, or filesystem capabilities). \| This is the simplest and most effective way to ensure that a process and \| its children can never elevate privileges again. Defaults to false, but \| certain settings override this and ignore the value of this setting. \| This is the case when SystemCallFilter=, SystemCallArchitectures=, \| RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, \| ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=, \| ProtectClock=, MemoryDenyWriteExecute=, RestrictRealtime=, \| RestrictSUIDSGID=, DynamicUser= or LockPersonality= are specified. Note \| that even if this setting is overridden by them, systemctl show shows \| the original value of this setting. Also see No New Privileges Flag[4]. Also see https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html STR (without having to go through ngcp-panel and a customer/subscriber setup): \| root@spce:~# cat /etc/systemd/system/demo.service \| [Unit] \| Description=sendmail systemd hardening demo \| \| [Service] \| Type=simple \| User=www-data \| Group=www-data \| ExecStart=/usr/bin/perl /usr/bin/send_mail.pl \| \| # this one enough to trigger the problem \| ProtectClock=true \| \| root@spce:~# cat /usr/bin/send_mail.pl \| use strict; \| use Template; \| use Email::Sender::Simple qw(); \| use Email::Simple; \| use Email::Simple::Creator; \| use Email::Sender::Transport::Sendmail qw(); \| \| send_email( \| subject => 'exim test', \| body => 'ohai', \| from => 'root@localhost', \| to => 'foobar@example.org', \| ); \| print "done\n"; \| exit; \| \| sub send_email { \| my %args = @_; \| my $subject = $args{subject}; \| my $body = $args{body}; \| my $from = $args{from}; \| my $to = $args{to}; \| \| my $transport = Email::Sender::Transport::Sendmail->new; \| my $email = Email::Simple->create( \| header => [ \| To => $to, \| From => $from, \| Subject => $subject, \| ], \| body => $body, \| ); \| return Email::Sender::Simple->send($email, { transport => $transport } ); \| } \| \| root@spce:~# systemctl daemon-reload && systemctl restart demo Until we switch the mail interface from sendmail(1) to SMTP or alike (reported as MT#55576), we need to reduce the systemd hardening, to not get the NoNewPrivileges=true (AKA prctl(PR_SET_NO_NEW_PRIVS,...)) behavior through any of the related hardening options. New systemd hardening state of ngcp-panel (as of systemd v247.3-7+deb11u1): \| $ sudo SYSTEMD_COLORS=0 PAGER= COLUMNS=100 unbuffer systemd-analyze security ngcp-panel \| grep -v '✓' \| NAME DESCRIPTION EXPOSURE \| ✗ PrivateNetwork= Service has access to the host's network 0.5 \| ✗ CapabilityBoundingSet=~CAP_SET(UID\|GID\|PCAP) Service may change UID/GID identities/capab… 0.3 \| ✗ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has administrator privileges 0.3 \| ✗ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has ptrace() debugging abilities 0.3 \| ✗ RestrictAddressFamilies=~AF_(INET\|INET6) Service may allocate Internet sockets 0.3 \| ✗ RestrictNamespaces=~CLONE_NEWUSER Service may create user namespaces 0.3 \| ✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3 \| ✗ CapabilityBoundingSet=~CAP_(CHOWN\|FSETID\|SE… Service may change file ownership/access mo… 0.2 \| ✗ CapabilityBoundingSet=~CAP_(DAC_\|FOWNER\|IP… Service may override UNIX file/IPC permissi… 0.2 \| ✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has network configuration privileges 0.2 \| ✗ CapabilityBoundingSet=~CAP_SYS_MODULE Service may load kernel modules 0.2 \| ✗ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has raw I/O access 0.2 \| ✗ CapabilityBoundingSet=~CAP_SYS_TIME Service processes may change the system clo… 0.2 \| ✗ IPAddressDeny= Service does not define an IP address allow… 0.2 \| ✗ NoNewPrivileges= Service processes may acquire new privileges 0.2 \| ✗ PrivateDevices= Service potentially has access to hardware … 0.2 \| ✗ PrivateUsers= Service has access to other users 0.2 \| ✗ ProtectClock= Service may write to the hardware clock or … 0.2 \| ✗ ProtectKernelLogs= Service may read from or write to the kerne… 0.2 \| ✗ ProtectKernelModules= Service may load or read kernel modules 0.2 \| ✗ ProtectKernelTunables= Service may alter kernel tunables 0.2 \| ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2 \| ✗ RestrictSUIDSGID= Service may create SUID/SGID files 0.2 \| ✗ SystemCallArchitectures= Service may execute system calls with all A… 0.2 \| ✗ SystemCallFilter=~@clock Service does not filter system calls 0.2 \| ✗ SystemCallFilter=~@debug Service does not filter system calls 0.2 \| ✗ SystemCallFilter=~@module Service does not filter system calls 0.2 \| ✗ SystemCallFilter=~@mount Service does not filter system calls 0.2 \| ✗ SystemCallFilter=~@raw-io Service does not filter system calls 0.2 \| ✗ SystemCallFilter=~@reboot Service does not filter system calls 0.2 \| ✗ SystemCallFilter=~@swap Service does not filter system calls 0.2 \| ✗ SystemCallFilter=~@privileged Service does not filter system calls 0.2 \| ✗ SystemCallFilter=~@resources Service does not filter system calls 0.2 \| ✗ CapabilityBoundingSet=~CAP_AUDIT_ Service has audit subsystem access 0.1 \| ✗ CapabilityBoundingSet=~CAP_KILL Service may send UNIX signals to arbitrary … 0.1 \| ✗ CapabilityBoundingSet=~CAP_MKNOD Service may create device nodes 0.1 \| ✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVIC… Service has elevated networking privileges 0.1 \| ✗ CapabilityBoundingSet=~CAP_SYSLOG Service has access to kernel logging 0.1 \| ✗ CapabilityBoundingSet=~CAP_SYS_(NICE\|RESOUR… Service has privileges to change resource u… 0.1 \| ✗ RestrictNamespaces=~CLONE_NEWCGROUP Service may create cgroup namespaces 0.1 \| ✗ RestrictNamespaces=~CLONE_NEWIPC Service may create IPC namespaces 0.1 \| ✗ RestrictNamespaces=~CLONE_NEWNET Service may create network namespaces 0.1 \| ✗ RestrictNamespaces=~CLONE_NEWNS Service may create file system namespaces 0.1 \| ✗ RestrictNamespaces=~CLONE_NEWPID Service may create process namespaces 0.1 \| ✗ RestrictRealtime= Service may acquire realtime scheduling 0.1 \| ✗ SystemCallFilter=~@cpu-emulation Service does not filter system calls 0.1 \| ✗ SystemCallFilter=~@obsolete Service does not filter system calls 0.1 \| ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1 \| ✗ RootDirectory=/RootImage= Service runs within the host's root directo… 0.1 \| ✗ CapabilityBoundingSet=~CAP_MAC_* Service may adjust SMACK MAC 0.1 \| ✗ CapabilityBoundingSet=~CAP_SYS_BOOT Service may issue reboot() 0.1 \| ✗ LockPersonality= Service may change ABI personality 0.1 \| ✗ MemoryDenyWriteExecute= Service may create writable executable memo… 0.1 \| ✗ RestrictNamespaces=~CLONE_NEWUTS Service may create hostname namespaces 0.1 \| ✗ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service may mark files immutable 0.1 \| ✗ CapabilityBoundingSet=~CAP_IPC_LOCK Service may lock memory into RAM 0.1 \| ✗ CapabilityBoundingSet=~CAP_SYS_CHROOT Service may issue chroot() 0.1 \| ✗ ProtectHostname= Service may change system host/domainname 0.1 \| ✗ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service may establish wake locks 0.1 \| ✗ CapabilityBoundingSet=~CAP_LEASE Service may create file leases 0.1 \| ✗ CapabilityBoundingSet=~CAP_SYS_PACCT Service may use acct() 0.1 \| ✗ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service may issue vhangup() 0.1 \| ✗ CapabilityBoundingSet=~CAP_WAKE_ALARM Service may program timers that wake up the… 0.1 \| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 \| \| → Overall exposure level for ngcp-panel.service: 7.9 EXPOSED 🙁 Related: MT#31936 Related: MT#55569 Thanks: Thomas Georg on spce-user ml for the bug report, and Victor Seva, Richard Fuchs + Rene Krenn for assistance in tracking this down Change-Id: Ic3be62247bbcae00c99de3b779df838c0daaaf1a (cherry picked from commit `31429319e7`)	3 years ago
Rene Krenn	4cf1f140c8	MT#55551 add ccare roles to /api/callforwards Change-Id: I414e10fca61bc535471a0b2525b7e684ea9d23e5 (cherry picked from commit `67f6063341`)	3 years ago
Rene Krenn	78a62163c5	MT#55436 mark concurrent_* fraudpref fields as readonly Change-Id: I47f3a42163703c57cecdbcf4dd84e9e7a9cbe2e7 (cherry picked from commit `d4d924e146`)	3 years ago
Kirill Solomko	db1b244937	MT#55538 /api/soundsets allow filtering by customer_id=null * when customer_id query param is specified as customer_id=null or customer_id=NULL it now correctly fetches soundsets that do not have customer_id assigned to them Change-Id: I8de3d9615c133c2abd3eb2b5f4fea8de5b652417 (cherry picked from commit `a86e868a6f`)	3 years ago
Rene Krenn	fb05e7b26a	MT#55418 hide billing mappings with terminated profiles in AUI Change-Id: Id480f3c0928d8e3d0a29dd3508c08de68e64ce5a (cherry picked from commit `a9f53cdf82`)	3 years ago
Rene Krenn	2408fa56bb	MT#55421 fix deleting domains xmlrpc request such as domain.reload can fail, when database content was not yet replicated. Change-Id: I769f9470b526ef5175826e6c18cbe28c6c1501ca (cherry picked from commit `afe80f0110`)	3 years ago
Rene Krenn	61f5189cbd	MT#33062 prevent error 500 when deleting registrations Change-Id: I7c9731260b973730702c7380881c71bfdc84fa21 (cherry picked from commit `f75fdcd943`)	3 years ago
Rene Krenn	bc07de7e6e	MT#55419 enable wildcard search for customer.external_id Change-Id: I373006325dd60987634ac348f6c40c2ee393fab7 (cherry picked from commit `7caf33ac84`)	3 years ago

1 2 3 4 5 ...

5249 Commits (30ff93f660d17bd6a4ab6c4e59b70dffbc55ee11) All Branches Search

5249 Commits (30ff93f660d17bd6a4ab6c4e59b70dffbc55ee11)

All Branches