authorjim-p <jimp@netgate.com>2019-05-13 11:01:28 -0400
committerjim-p <jimp@netgate.com>2019-05-13 11:02:24 -0400
commit92d5396f044bb1ccd78f2f1faf54474ec80bfd0e (patch)
tree57662d7fe67ba04f0614ee1aed0f3820040f23a8
parent0dd99de71d45ba3a5dcfe6d63c12b7a3b235743c (diff)
Implement new OpenVPN advanced options privilege. Fixes #9511
(cherry picked from commit 4a1841a1fabcba0100f6a4f505fc1e132c29da20)
-rw-r--r--src/etc/inc/priv.defs.inc3
-rw-r--r--src/etc/inc/priv/user.priv.inc15
-rw-r--r--src/usr/local/www/vpn_openvpn_client.php38
-rw-r--r--src/usr/local/www/vpn_openvpn_csc.php35
-rw-r--r--src/usr/local/www/vpn_openvpn_server.php38
5 files changed, 100 insertions, 29 deletions
diff --git a/src/etc/inc/priv.defs.inc b/src/etc/inc/priv.defs.inc
index 12a3c10..48ef5b2 100644
--- a/src/etc/inc/priv.defs.inc
+++ b/src/etc/inc/priv.defs.inc
@@ -1293,21 +1293,18 @@ $priv_list['page-vpn-vpnl2tp-users-edit']['match'][] = "vpn_l2tp_users_edit.php*
$priv_list['page-openvpn-client'] = array();
$priv_list['page-openvpn-client']['name'] = gettext("WebCfg - OpenVPN: Clients");
$priv_list['page-openvpn-client']['descr'] = gettext("Allow access to the 'OpenVPN: Clients' page.");
-$priv_list['page-openvpn-client']['warn'] = "standard-warning-root";
$priv_list['page-openvpn-client']['match'] = array();
$priv_list['page-openvpn-client']['match'][] = "vpn_openvpn_client.php*";
$priv_list['page-openvpn-csc'] = array();
$priv_list['page-openvpn-csc']['name'] = gettext("WebCfg - OpenVPN: Client Specific Override");
$priv_list['page-openvpn-csc']['descr'] = gettext("Allow access to the 'OpenVPN: Client Specific Override' page.");
-$priv_list['page-openvpn-csc']['warn'] = "standard-warning-root";
$priv_list['page-openvpn-csc']['match'] = array();
$priv_list['page-openvpn-csc']['match'][] = "vpn_openvpn_csc.php*";
$priv_list['page-openvpn-server'] = array();
$priv_list['page-openvpn-server']['name'] = gettext("WebCfg - OpenVPN: Servers");
$priv_list['page-openvpn-server']['descr'] = gettext("Allow access to the 'OpenVPN: Servers' page.");
-$priv_list['page-openvpn-server']['warn'] = "standard-warning-root";
$priv_list['page-openvpn-server']['match'] = array();
$priv_list['page-openvpn-server']['match'][] = "vpn_openvpn_server.php*";
diff --git a/src/etc/inc/priv/user.priv.inc b/src/etc/inc/priv/user.priv.inc
index 02d1c0e..d9c1c8f 100644
--- a/src/etc/inc/priv/user.priv.inc
+++ b/src/etc/inc/priv/user.priv.inc
@@ -156,4 +156,19 @@ $priv_list['page-services-upnp']['descr'] = gettext("Allow access to the 'Servic
$priv_list['page-services-upnp']['match'] = array();
$priv_list['page-services-upnp']['match'][] = "pkg_edit.php?xml=miniupnpd.xml";
+$priv_list['page-openvpn-server-advanced'] = array();
+$priv_list['page-openvpn-server-advanced']['name'] = gettext("WebCfg - OpenVPN: Clients Edit Advanced");
+$priv_list['page-openvpn-server-advanced']['descr'] = gettext("Allow edit access to the 'OpenVPN: Clients' Advanced settings field.");
+$priv_list['page-openvpn-server-advanced']['warn'] = "standard-warning-root";
+
+$priv_list['page-openvpn-csc-advanced'] = array();
+$priv_list['page-openvpn-csc-advanced']['name'] = gettext("WebCfg - OpenVPN: Client Specific Override Edit Advanced");
+$priv_list['page-openvpn-csc-advanced']['descr'] = gettext("Allow edit access to the 'OpenVPN: Client Specific Override' advanced settings field.");
+$priv_list['page-openvpn-csc-advanced']['warn'] = "standard-warning-root";
+
+$priv_list['page-openvpn-client-advanced'] = array();
+$priv_list['page-openvpn-client-advanced']['name'] = gettext("WebCfg - OpenVPN: Servers Edit Advanced");
+$priv_list['page-openvpn-client-advanced']['descr'] = gettext("Allow edit access to the 'OpenVPN: Servers' Advanced settings field.");
+$priv_list['page-openvpn-client-advanced']['warn'] = "standard-warning-root";
+
?>
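Review bot: The display strings of the server and client privileges are crossed: `page-openvpn-server-advanced` is named "WebCfg - OpenVPN: Clients Edit Advanced" and `page-openvpn-client-advanced` is named "WebCfg - OpenVPN: Servers Edit Advanced", with the descriptions crossed the same way. The pages test the id, not the label (`vpn_openvpn_server.php` checks `page-openvpn-server-advanced`, `vpn_openvpn_client.php` checks `page-openvpn-client-advanced`), so an administrator who selects the entry labelled for servers grants advanced-option editing on clients, and the reverse. Both entries carry `standard-warning-root`, so the mislabel affects a root-equivalent grant. Swap the two `name`/`descr` pairs, e.g. `$priv_list['page-openvpn-server-advanced']['name'] = gettext("WebCfg - OpenVPN: Servers Edit Advanced");`, and do the same for the client entry.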
diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php
index d10fcc2..33b051e 100644
--- a/src/usr/local/www/vpn_openvpn_client.php
+++ b/src/usr/local/www/vpn_openvpn_client.php
@@ -24,7 +24,6 @@
##|*IDENT=page-openvpn-client
##|*NAME=OpenVPN: Clients
##|*DESCR=Allow access to the 'OpenVPN: Clients' page.
-##|*WARN=standard-warning-root
##|*MATCH=vpn_openvpn_client.php*
##|-PRIV
@@ -59,21 +58,29 @@ if (isset($id) && $a_client[$id]) {
$vpnid = 0;
}
+$user_entry = getUserEntry($_SESSION['Username']);
+$user_can_edit_advanced = (isAdminUID($_SESSION['Username']) || userHasPrivilege($user_entry, "page-openvpn-client-advanced") || userHasPrivilege($user_entry, "page-all"));
+
if ($_POST['act'] == "del") {
if (!isset($a_client[$id])) {
pfSenseHeader("vpn_openvpn_client.php");
exit;
}
- if (!empty($a_client[$id])) {
+
+ if (empty($a_client[$id])) {
+ $wc_msg = gettext('Deleted empty OpenVPN client');
+ } elseif (!$user_can_edit_advanced && !empty($a_client[$id]['custom_options'])) {
+ $input_errors[] = gettext("This user does not have sufficient privileges to delete an instance with Advanced options set.");
+ } else {
openvpn_delete('client', $a_client[$id]);
$wc_msg = sprintf(gettext('Deleted OpenVPN client to server %1$s:%2$s %3$s'), $a_client[$id]['server_addr'], $a_client[$id]['server_port'], $a_client[$id]['description']);
- } else {
- $wc_msg = gettext('Deleted empty OpenVPN client');
}
- unset($a_client[$id]);
- write_config($wc_msg);
- $savemsg = gettext("Client successfully deleted.");
+ if (!empty($wc_msg)) {
+ unset($a_client[$id]);
+ write_config($wc_msg);
+ $savemsg = gettext("Client successfully deleted.");
+ }
}
if ($act == "new") {
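Review bot: The authorization expression assigned to `$user_can_edit_advanced` is written out in full here and again in `vpn_openvpn_csc.php` and `vpn_openvpn_server.php`, differing only in the privilege id, so the three copies of an access-control rule can drift apart. A single shared function that takes the privilege id would keep the admin / specific-privilege / `page-all` rule in one place. In the delete branch, `if (!empty($wc_msg))` doubles as the "deletion permitted" flag; a dedicated boolean set in the two permitted branches would state the intent directly and would not depend on `$wc_msg` being unset earlier in the request. The server page's delete hunk uses the same `$wc_msg` pattern. The statements before `$vpnid = 0;` lie outside this hunk.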
@@ -186,6 +193,15 @@ if ($_POST['save']) {
$vpnid = 0;
}
+ if (isset($pconfig['custom_options']) &&
+ ($pconfig['custom_options'] != $a_client[$id]['custom_options']) &&
+ !$user_can_edit_advanced) {
+ $input_errors[] = gettext("This user does not have sufficient privileges to edit Advanced options on this instance.");
+ }
+ if (!$user_can_edit_advanced && !empty($a_client[$id]['custom_options'])) {
+ $pconfig['custom_options'] = $a_client[$id]['custom_options'];
+ }
+
$cipher_validation_list = array_keys(openvpn_get_cipherlist());
if (!in_array($pconfig['crypto'], $cipher_validation_list)) {
$input_errors[] = gettext("The selected Encryption Algorithm is not valid.");
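Review bot: These two checks carry the whole server-side enforcement of the new privilege, yet nothing explains the assumptions they rest on. The first depends on a disabled textarea not being submitted and on the loose `!=` treating an absent stored value and an empty posted string as equal; `$a_client[$id]` also appears to be read with `$id` unset for a new instance, which works only because the lookup yields null. A later tidy-up to `!==` or an added `isset($id)` guard could change who is rejected. Suggested comment above the first `if`: `/* Without the advanced privilege, custom_options may be neither changed nor dropped: reject any difference, then restore the stored value. */`. The same pair of checks appears in the csc and server save hunks; the enclosing `if ($_POST['save'])` block starts and ends outside this hunk.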
@@ -887,11 +903,15 @@ if ($act=="new" || $act=="edit"):
$section = new Form_Section('Advanced Configuration');
$section->addClass('advanced');
- $section->addInput(new Form_Textarea(
+ $custops = new Form_Textarea(
'custom_options',
'Custom options',
$pconfig['custom_options']
- ))->setHelp('Enter any additional options to add to the OpenVPN client configuration here, separated by semicolon.');
+ );
+ if (!$user_can_edit_advanced) {
+ $custops->setDisabled();
+ }
+ $section->addInput($custops)->setHelp('Enter any additional options to add to the OpenVPN client configuration here, separated by semicolon.');
$section->addInput(new Form_Checkbox(
'udp_fast_io',
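Review bot: `setDisabled()` here is presentation only, and nothing at this spot says that the privilege is actually enforced in the `$_POST['save']` handler, so a later refactor could mistake the disabled field for the control. Suggested comment above the `if`: `// Display only; the save handler rejects custom_options changes from users without the advanced privilege.` The help text still tells the user to "Enter any additional options" when the field is read-only, so a conditional help string would be clearer. The same applies to the matching form hunks in `vpn_openvpn_csc.php` and `vpn_openvpn_server.php`; the `if ($act=="new" || $act=="edit"):` block continues outside the hunk.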
diff --git a/src/usr/local/www/vpn_openvpn_csc.php b/src/usr/local/www/vpn_openvpn_csc.php
index 07479d5..47f6c06 100644
--- a/src/usr/local/www/vpn_openvpn_csc.php
+++ b/src/usr/local/www/vpn_openvpn_csc.php
@@ -24,7 +24,6 @@
##|*IDENT=page-openvpn-csc
##|*NAME=OpenVPN: Client Specific Override
##|*DESCR=Allow access to the 'OpenVPN: Client Specific Override' page.
-##|*WARN=standard-warning-root
##|*MATCH=vpn_openvpn_csc.php*
##|-PRIV
@@ -46,17 +45,24 @@ if (isset($_REQUEST['act'])) {
$act = $_REQUEST['act'];
}
+$user_entry = getUserEntry($_SESSION['Username']);
+$user_can_edit_advanced = (isAdminUID($_SESSION['Username']) || userHasPrivilege($user_entry, "page-openvpn-csc-advanced") || userHasPrivilege($user_entry, "page-all"));
+
if ($_POST['act'] == "del") {
if (!$a_csc[$id]) {
pfSenseHeader("vpn_openvpn_csc.php");
exit;
}
- $wc_msg = sprintf(gettext('Deleted OpenVPN client specific override %1$s %2$s'), $a_csc[$id]['common_name'], $a_csc[$id]['description']);
- openvpn_delete_csc($a_csc[$id]);
- unset($a_csc[$id]);
- write_config($wc_msg);
- $savemsg = gettext("Client specific override successfully deleted.");
+ if (!$user_can_edit_advanced && !empty($a_csc[$id]['custom_options'])) {
+ $input_errors[] = gettext("This user does not have sufficient privileges to delete an instance with Advanced options set.");
+ } else {
+ $wc_msg = sprintf(gettext('Deleted OpenVPN client specific override %1$s %2$s'), $a_csc[$id]['common_name'], $a_csc[$id]['description']);
+ openvpn_delete_csc($a_csc[$id]);
+ unset($a_csc[$id]);
+ write_config($wc_msg);
+ $savemsg = gettext("Client specific override successfully deleted.");
+ }
}
if ($act == "edit") {
@@ -128,6 +134,15 @@ if ($_POST['save']) {
$pconfig = $_POST;
/* input validation */
+ if (isset($pconfig['custom_options']) &&
+ ($pconfig['custom_options'] != $a_csc[$id]['custom_options']) &&
+ !$user_can_edit_advanced) {
+ $input_errors[] = gettext("This user does not have sufficient privileges to edit Advanced options on this instance.");
+ }
+ if (!$user_can_edit_advanced && !empty($a_csc[$id]['custom_options'])) {
+ $pconfig['custom_options'] = $a_csc[$id]['custom_options'];
+ }
+
if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'IPv4 Tunnel Network')) {
$input_errors[] = $result;
}
@@ -574,11 +589,15 @@ if ($act == "new" || $act == "edit"):
$section->add($group);
- $section->addInput(new Form_Textarea(
+ $custops = new Form_Textarea(
'custom_options',
'Advanced',
$pconfig['custom_options']
- ))->setHelp('Enter any additional options to add for this client specific override, separated by a semicolon. %1$s' .
+ );
+ if (!$user_can_edit_advanced) {
+ $custops->setDisabled();
+ }
+ $section->addInput($custops)->setHelp('Enter any additional options to add for this client specific override, separated by a semicolon. %1$s' .
'EXAMPLE: push "route 10.0.0.0 255.255.255.0"; ',
'<br />');
diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php
index 9b0039e..e3e0f50 100644
--- a/src/usr/local/www/vpn_openvpn_server.php
+++ b/src/usr/local/www/vpn_openvpn_server.php
@@ -24,7 +24,6 @@
##|*IDENT=page-openvpn-server
##|*NAME=OpenVPN: Servers
##|*DESCR=Allow access to the 'OpenVPN: Servers' page.
-##|*WARN=standard-warning-root
##|*MATCH=vpn_openvpn_server.php*
##|-PRIV
@@ -61,6 +60,9 @@ if (isset($_REQUEST['act'])) {
$act = $_REQUEST['act'];
}
+$user_entry = getUserEntry($_SESSION['Username']);
+$user_can_edit_advanced = (isAdminUID($_SESSION['Username']) || userHasPrivilege($user_entry, "page-openvpn-server-advanced") || userHasPrivilege($user_entry, "page-all"));
+
if (isset($id) && $a_server[$id]) {
$vpnid = $a_server[$id]['vpnid'];
} else {
@@ -73,15 +75,20 @@ if ($_POST['act'] == "del") {
pfSenseHeader("vpn_openvpn_server.php");
exit;
}
- if (!empty($a_server[$id])) {
+
+ if (empty($a_server[$id])) {
+ $wc_msg = gettext('Deleted empty OpenVPN server');
+ } elseif (!$user_can_edit_advanced && !empty($a_server[$id]['custom_options'])) {
+ $input_errors[] = gettext("This user does not have sufficient privileges to delete an instance with Advanced options set.");
+ } else {
openvpn_delete('server', $a_server[$id]);
$wc_msg = sprintf(gettext('Deleted OpenVPN server from %1$s:%2$s %3$s'), convert_friendly_interface_to_friendly_descr($a_server[$id]['interface']), $a_server[$id]['local_port'], $a_server[$id]['description']);
- } else {
- $wc_msg = gettext('Deleted empty OpenVPN server');
}
- unset($a_server[$id]);
- write_config($wc_msg);
- $savemsg = gettext("Server successfully deleted.");
+ if (!empty($wc_msg)) {
+ unset($a_server[$id]);
+ write_config($wc_msg);
+ $savemsg = gettext("Server successfully deleted.");
+ }
}
if ($act == "new") {
@@ -257,6 +264,15 @@ if ($_POST['save']) {
$vpnid = 0;
}
+ if (isset($pconfig['custom_options']) &&
+ ($pconfig['custom_options'] != $a_server[$id]['custom_options']) &&
+ !$user_can_edit_advanced) {
+ $input_errors[] = gettext("This user does not have sufficient privileges to edit Advanced options on this instance.");
+ }
+ if (!$user_can_edit_advanced && !empty($a_server[$id]['custom_options'])) {
+ $pconfig['custom_options'] = $a_server[$id]['custom_options'];
+ }
+
$cipher_validation_list = array_keys(openvpn_get_cipherlist());
if (!in_array($pconfig['crypto'], $cipher_validation_list)) {
$input_errors[] = gettext("The selected Encryption Algorithm is not valid.");
@@ -1295,11 +1311,15 @@ if ($act=="new" || $act=="edit"):
$section = new Form_Section('Advanced Configuration');
- $section->addInput(new Form_Textarea(
+ $custops = new Form_Textarea(
'custom_options',
'Custom options',
$pconfig['custom_options']
- ))->setHelp('Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.%1$s' .
+ );
+ if (!$user_can_edit_advanced) {
+ $custops->setDisabled();
+ }
+ $section->addInput($custops)->setHelp('Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.%1$s' .
'EXAMPLE: push "route 10.0.0.0 255.255.255.0"', '<br />');
$section->addInput(new Form_Checkbox(