Add initial support for a privilege that denies write access to the config.

NOTE: This only prevents writing to config.xml - it does NOT prevent other changes/execution that do not involve writing to config.xml (e.g. applying settings, exec, killing states, etc)

2 files changed, 9 insertions, 0 deletions

diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc
index 54a9134..ddefde0 100644
--- a/etc/inc/config.lib.inc
+++ b/etc/inc/config.lib.inc
@@ -494,6 +494,11 @@ function write_config($desc="Unknown", $backup = true) {
 		log_error("WARNING! Configuration written on bootup.  This can cause stray openvpn and load balancing items in config.xml");
 	*/
 
+	if (!empty($_SESSION['Username'])) {
+		$user = getUserEntry($_SESSION['Username']);
+		if (is_array($user) && userHasPrivilege($user, "user-config-readonly"))
+			return false;
+	}
 	$username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username'];
 	if (!empty($_SERVER['REMOTE_ADDR']))
 		$username .= '@' . $_SERVER['REMOTE_ADDR'];
diff --git a/etc/inc/priv/user.priv.inc b/etc/inc/priv/user.priv.inc
index affa218..7c943cd 100644
--- a/etc/inc/priv/user.priv.inc
+++ b/etc/inc/priv/user.priv.inc
@@ -26,6 +26,10 @@ $priv_list['page-dashboard-widgets']['descr'] = "Allow direct access to all Dash
 $priv_list['page-dashboard-widgets']['match'] = array();
 $priv_list['page-dashboard-widgets']['match'][] = "*.widget.php*";
 
+$priv_list['user-config-readonly'] = array();
+$priv_list['user-config-readonly']['name']  = "User - Config - Deny Config Write";
+$priv_list['user-config-readonly']['descr'] = "If present, ignores requests from this user to write config.xml.";
+
 $priv_list['user-shell-access'] = array();
 $priv_list['user-shell-access']['name']  = "User - System - Shell account access";
 $priv_list['user-shell-access']['descr'] = "Indicates whether the user is able to login for ".