Access Control List¶
Overview¶
The current ACL system is targeted at delivering backwards compatibility for legacy code and being able to extend this a little to add new features without having to reimplement the whole system.
In the legacy system the access control is using the following steps to determine if a page can be accessed by a user:
- The user, stored in the config.xml file at system/user (one item per user)
- One or more groups for that user, stored in system/group which contains priv sections.
- A php file binding the priv section content to a page mask (including wildcards)
Our temporary solution is to keep the user and the group in place and replace the php file with a simple config in the model which uses the same mask construction there was in the old codebase. To bind priv to pages, edit models/OPNsense/Core/ACL_Legacy_Page_Map.txt
Usage from php¶
Using the system from php is rather simple:
$acl = new OPNsense\Core\ACL();
if ( $acl->isPageAccessible("user", "/firewall_rules.php") ) {
print ( "/firewall_rules.php is accessible" ) ;
}
Usage in Volt templates¶
The acl scheme is bound to the default UI controller, and can be used by using the acl keyword:
{% if acl.isPageAccessible(session.get('Username'),subMenuItem.Url) %}
this page is accessible
{% endif %}