diff options
author | jim-p <jimp@pfsense.org> | 2012-10-09 10:40:56 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2012-10-09 10:40:56 -0400 |
commit | 170cb2bcbf0def99262f35368a0e474861300306 (patch) | |
tree | c22415328d68ccdc759ee69297e643a35f23bd05 /etc/inc/config.lib.inc | |
parent | 6f3d3a0781556890e3a6158e32374aed2229f2bd (diff) | |
download | pfsense-170cb2bcbf0def99262f35368a0e474861300306.zip pfsense-170cb2bcbf0def99262f35368a0e474861300306.tar.gz |
Add initial support for a privilege that denies write access to the config.
NOTE: This only prevents writing to config.xml - it does NOT prevent other changes/execution that do not involve writing to config.xml (e.g. applying settings, exec, killing states, etc)
Diffstat (limited to 'etc/inc/config.lib.inc')
-rw-r--r-- | etc/inc/config.lib.inc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index 54a9134..ddefde0 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc @@ -494,6 +494,11 @@ function write_config($desc="Unknown", $backup = true) { log_error("WARNING! Configuration written on bootup. This can cause stray openvpn and load balancing items in config.xml"); */ + if (!empty($_SESSION['Username'])) { + $user = getUserEntry($_SESSION['Username']); + if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) + return false; + } $username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username']; if (!empty($_SERVER['REMOTE_ADDR'])) $username .= '@' . $_SERVER['REMOTE_ADDR']; |