authorScott Ullrich <sullrich@pfsense.org>2007-12-03 01:37:45 +0000
committerScott Ullrich <sullrich@pfsense.org>2007-12-03 01:37:45 +0000
commitcd0e6d73b8506e2de1eac0128044b6b0410cd4cf (patch)
tree63345e5cc8097200e9a74a4146ef5bdfa374d0af
parente08864b472446468e2241873dab2f151c25edbb1 (diff)
downloadpfsense-cd0e6d73b8506e2de1eac0128044b6b0410cd4cf.zip
pfsense-cd0e6d73b8506e2de1eac0128044b6b0410cd4cf.tar.gz
Allow each interface to have ACLs so you can assign a user to be able to edit just that interface's rules.
-rwxr-xr-xusr/local/www/firewall_rules.php10
-rwxr-xr-xusr/local/www/firewall_rules_edit.php13
2 files changed, 23 insertions, 0 deletions
diff --git a/usr/local/www/firewall_rules.php b/usr/local/www/firewall_rules.php
index 94aae51..7fea1d3 100755
--- a/usr/local/www/firewall_rules.php
+++ b/usr/local/www/firewall_rules.php
@@ -64,6 +64,16 @@ if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']
if (!$if || !isset($iflist[$if]))
$if = "wan";
+$security_url = "firewall_rules.php?if=". strtolower($if);
+if (!isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) {
+ if(!in_array($security_url, $allowed)) {
+ // User does not have access
+// echo "displaying error {$security_url}"; print_r($allowed);
+ echo display_error_form("401", "Unauthorized. You do not have access to the page {$pagereq}");
+ exit;
+ }
+}
+
if ($_POST) {
$pconfig = $_POST;
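Review bot: The membership test `in_array($security_url, $allowed)` uses loose comparison, so a non-string entry in `$allowed` (an integer `0` or `true`) would match every URL and pass the check; pass the strict flag, `if (!in_array($security_url, $allowed, true)) {`, here and in the identical call in firewall_rules_edit.php. `$allowed` and `$pagereq` are not assigned anywhere in the hunk, so it cannot be confirmed from here that `$allowed` is always an array of strings or where `$pagereq` comes from; if `$pagereq` is request-derived it should go through `htmlspecialchars()` before being placed in the message, or the message should name the already validated `$if` instead. The 401 appears to be carried only as text passed to `display_error_form`, so it is worth confirming that a real status header is sent before `exit`. The commented-out debug `echo`/`print_r` line should be dropped rather than committed.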
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index 7bc020e..a423ee2 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -55,6 +55,19 @@ if (isset($_GET['dup'])) {
$after = $_GET['dup'];
}
+if($id) {
+ $if = $a_filter[$id]['interface'];
+ $security_url = "firewall_rules_edit.php?if=". strtolower($if);
+ if (!isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) {
+ if(!in_array($security_url, $allowed)) {
+ // User does not have access
+ // echo "displaying error {$security_url}"; print_r($allowed);
+ echo display_error_form("401", "Unauthorized. You do not have access to edit rules on the interface {$if}");
+ exit;
+ }
+ }
+}
+
if (isset($id) && $a_filter[$id]) {
$pconfig['interface'] = $a_filter[$id]['interface'];
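Review bot: The guard `if($id) {` skips the ACL check whenever `$id` is falsy, which includes rule index `0` (and the string `"0"`), so the first rule in `$a_filter` is never checked, while the unchanged line just below it tests `isset($id) && $a_filter[$id]`; the guard should read `if (isset($id) && isset($a_filter[$id])) {`. When no `$id` is supplied at all (a new rule) no interface check runs, so a user restricted to one interface is presumably still able to create a rule on another. The check also looks only at the interface stored on the existing rule; if the save path later in the file takes the interface from the submitted form, that value needs the same `$allowed` test before the rule is written. This is top-level script code that starts and continues outside the hunk, so those paths need to be confirmed against the full file.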