author | Renato Botelho <renato@netgate.com> | 2016-08-18 18:36:16 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2016-08-18 18:36:16 -0300 |
commit | fb1234ab7d654f301eafdd4f116038937bc36cf4 (patch) | |
tree | dfc51c6d6a66b702b1f39d7c1d848db80b83e533 /src/usr/local | |
parent | f82f991c47876ee7c6027d6e3f6a4ee2c5630385 (diff) | |
Add specific permission to allow HA XMLRPC sync. It fixes #809
Diffstat (limited to 'src/usr/local')
-rw-r--r-- | src/usr/local/www/xmlrpc.php | 35 |
1 files changed, 29 insertions, 6 deletions
diff --git a/src/usr/local/www/xmlrpc.php b/src/usr/local/www/xmlrpc.php index 7619978..2d4722f 100644 --- a/src/usr/local/www/xmlrpc.php +++ b/src/usr/local/www/xmlrpc.php @@ -44,6 +44,7 @@ class pfsense_xmlrpc_server { private function auth($username, $password) { global $config; + $login_ok = false; if (!empty($username) && !empty($password)) { $attributes = array(); $authcfg = auth_get_authserver( @@ -52,16 +53,38 @@ class pfsense_xmlrpc_server { if (authenticate_user($username, $password, $authcfg, $attributes) || authenticate_user($username, $password)) { - return; + $login_ok = true; } } - log_auth("webConfigurator authentication error for '" . - $username . "' from " . $this->remote_addr); + if (!$login_ok) { + log_auth("webConfigurator authentication error for '" . + $username . "' from " . $this->remote_addr); - require_once("XML/RPC2/Exception.php"); - throw new XML_RPC2_FaultException( - gettext('Authentication failed'), -1); + require_once("XML/RPC2/Exception.php"); + throw new XML_RPC2_FaultException(gettext( + 'Authentication failed: Invalid username or password'), + -1); + } + + $user_entry = getUserEntry($username); + /* + * admin (uid = 0) is allowed + * or regular user with necessary privilege + */ + if (isset($user_entry['uid']) && $user_entry['uid'] != '0' && + !userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync')) { + log_auth("webConfigurator authentication error for '" . + $username . "' from " . $this->remote_addr . + " not enough privileges"); + + require_once("XML/RPC2/Exception.php"); + throw new XML_RPC2_FaultException(gettext( + 'Authentication failed: not enough privileges'), + -2); + } + + return; } private function array_overlay($a1, $a2) { |
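Review bot: The new privilege check in the second hunk fails open: the fault is thrown only when `isset($user_entry['uid'])` is true, so an authenticated name for which `getUserEntry($username)` returns no entry, or an entry without a `uid`, skips the `system-xmlrpc-ha-sync` test and falls through to `return;`. That could presumably happen for an account accepted by the `$authcfg` backend that has no local user record; the part of auth() between the two hunks is not shown, so this needs confirming against the callers. Deny by default instead: `$is_admin = isset($user_entry['uid']) && (string)$user_entry['uid'] === '0';` followed by `if (!$is_admin && (!is_array($user_entry) || !userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync'))) {`. The strict comparison also stops the loose `!= '0'` from treating other numeric strings such as `'00'` as uid 0.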