luci-app-ffwizard-berlin: invalid permission #816

Closed
PolynomialDivision opened this issue Jun 23, 2020 · 8 comments

PolynomialDivision commented Jun 23, 2020

Using the latest OpenWrt Master to build an image, the luci-app-ffwizard-berlin cannot access important uci configurations and files.

If you add more verbose debug output by placing, e.g.

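-- Debug aid: the check below relies on c:get handing back a falsy value
-- (plus an error message in err) when the read fails.
local profile, err = c:get("freifunk", "community", "name")
local community = "profile_berlin"

if profile then
	community = "profile_" .. profile
else
	-- print the reason the read failed to stderr
	luci.util.perror(err)
end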

E.g. the app cannot access the /etc/config/profiles_*. https://github.com/freifunk-berlin/firmware-packages/tree/master/utils/luci-app-ffwizard-berlin/root/usr/share/rpcd/acl.d

PolynomialDivision changed the title from "luci-lib-freifunk-berlin-wizard: insufficient permissions for uci access" to "luci-app-ffwizard-berlin: insufficient permissions for uci access" on Jun 23, 2020

@PolynomialDivision

I think this is just wrong:
https://github.com/freifunk-berlin/firmware-packages/blob/master/utils/luci-app-ffwizard-berlin/luasrc/model/cbi/freifunk/assistent/generalInfo.lua#L23

It has to be

local name = uci:get("profile_"..n, "profile", "name") or "?"

PolynomialDivision changed the title from "luci-app-ffwizard-berlin: insufficient permissions for uci access" to "luci-app-ffwizard-berlin: invalid section access" on Jun 23, 2020

PolynomialDivision commented Jun 23, 2020

Sometimes the ffwizard is accessing config files via the type and sometimes via the name.
Here is an example

config 'community' 'profile'
  • Type: community
  • Name: profile

Now if we do

local name = uci:get("profile_"..n, "profile", "name") or "?"

we access the name of the community via the name and the name of the section is profile.

If we do

local name = uci:get_first("profile_"..n, "community", "name") or "?"

we access the name of the community via the type and the type is community. Since there could be more than one section of the type community (so we get a list back), we need to do get_first instead of get.

Making things very complicated, sometimes the type is called community and sometimes the type is used as name.

I really have no clue why

local name = uci:get_first("profile_"..n, "community", "name") or "?"

is not working. I need help with that. ;)
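
The name-versus-type lookup described in the comment above, modelled in Python as an added example; it is not part of the original thread or the project's code. The sample config, its option values and the helper names `parse_uci`, `get` and `get_first` are assumptions made for the illustration and only mirror the two lookup styles, not the LuCI implementation.

```python
import shlex

# Constructed sample in UCI syntax; the option values are made up for the example.
SAMPLE = """
config 'community' 'profile'
    option 'name' 'Berlin'

config 'community'
    option 'name' 'Second'
"""

def parse_uci(text):
    """Return sections in file order as dicts with type, name (or None) and options."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            sections.append({"type": words[1],
                             "name": words[2] if len(words) > 2 else None,
                             "options": {}})
        elif words[0] == "option" and len(words) == 3 and sections:
            sections[-1]["options"][words[1]] = words[2]
    return sections

def get(sections, name, option):
    """Model of a lookup by section NAME; anonymous sections can never match."""
    for s in sections:
        if s["name"] == name:
            return s["options"].get(option)
    return None

def get_first(sections, stype, option):
    """Model of a lookup by section TYPE; the first section of that type wins."""
    for s in sections:
        if s["type"] == stype:
            return s["options"].get(option)
    return None

if __name__ == "__main__":
    secs = parse_uci(SAMPLE)
    print(get(secs, "profile", "name"), get_first(secs, "community", "name"))
    # Swapping type and name finds nothing in either direction.
    print(get(secs, "community", "name"), get_first(secs, "profile", "name"))
```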


PolynomialDivision commented Jun 23, 2020

We need permission

{ "read": { "uci": [ "profile_*" ] } }


PolynomialDivision commented Jun 23, 2020

We have to add permission in /usr/share/rpcd/acl.d/luci-app-ffwizard-berlin.json

{
        "luci-app-ffwizard-berlin": {
                "description": "Super user access role",
                "read": {
                        "uci": [ "profile_*" ]
                },
                "write": {
                }
        }
}
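
A way to check what an ACL file like the one in the comment above actually grants, as an added example that is not part of the original thread or the project's code. It assumes the `uci` entries are matched as shell-style globs against the config name; the function names are hypothetical and the config names passed to `audit` are constructed test inputs. Parsing is strict, so a stray trailing comma is reported instead of being silently accepted.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the role discussed in this issue, read-only on profile_* configs.
ACL_TEXT = """
{
    "luci-app-ffwizard-berlin": {
        "description": "Super user access role",
        "read": { "uci": [ "profile_*" ] },
        "write": { }
    }
}
"""

def load_acl(text):
    """Parse an ACL file strictly; json.loads raises ValueError on trailing commas."""
    acl = json.loads(text)
    if not isinstance(acl, dict):
        raise ValueError("ACL file must be a JSON object keyed by role name")
    return acl

def uci_allowed(acl, role, access, config):
    """True if `role` lists a uci pattern under `access` ("read"/"write") matching `config`."""
    # Assumption: patterns are shell-style globs compared with the config name only.
    patterns = acl.get(role, {}).get(access, {}).get("uci", [])
    return any(fnmatchcase(config, p) for p in patterns)

def audit(acl, configs):
    """Return {(role, access): [granted configs]} for every role in the file."""
    report = {}
    for role in acl:
        for access in ("read", "write"):
            report[(role, access)] = [c for c in configs
                                      if uci_allowed(acl, role, access, c)]
    return report

def wildcard_only(acl):
    """List (role, access) pairs whose uci patterns include a bare "*" (every config)."""
    return [(r, a) for r, body in acl.items() for a in ("read", "write")
            if "*" in body.get(a, {}).get("uci", [])]

if __name__ == "__main__":
    acl = load_acl(ACL_TEXT)
    for key, granted in audit(acl, ["profile_berlin", "freifunk", "network"]).items():
        print(key, granted)
    print("bare wildcard grants:", wildcard_only(acl))
```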

PolynomialDivision changed the title from "luci-app-ffwizard-berlin: invalid section access" to "luci-app-ffwizard-berlin: invalid permission" on Jun 23, 2020

SvenRoederer commented Jun 23, 2020

> Sometimes the ffwizard is accessing config files via the type and sometimes via the name.
> Here is an example

To be honest, all this was confusing me too - always.

EDIT: but fixing this "misuse" should be discussed in a separate issue / PR.

@SvenRoederer

> We have to add here a file, otherwise the wizard is not able to access the /etc/config/profiles_*.
> https://github.com/freifunk-berlin/firmware-packages/tree/master/utils/luci-app-ffwizard-berlin/root/usr/share/rpcd/acl.d

A bit more verbose problem description would be helpful (for others) to reproduce / verify the problem. I personally have not run the wizard for a long time. I suggest using the Bug-template.

I assume the problem you have seen is very similar to freifunk/openwrt-packages#23. The solution provided by you seems to relate to the OpenWrt-Forum thread referenced by freifunk/openwrt-packages#23 (comment).

@PolynomialDivision

> A bit more verbose problem description would be helpful (for others) to reproduce / verify the problem. I personally have not run the wizard for a long time. I suggest using the Bug-template.

I added some useful information and code to debug the luci app.

> I assume the problem you have seen is very similar to freifunk/openwrt-packages#23. The solution provided by you seems to relate to the OpenWrt-Forum thread referenced by freifunk/openwrt-packages#23 (comment).

I think my solution in the PR is a better way? :) For me it seems more secure.

@SvenRoederer

> I think my solution in the PR is a better way? :) For me it seems more secure.

Sure, the libuci-lua way might not be able to update uci-settings, as the frontend is not running as root. Also having one lib for reading uci-values and another to write the files via rpc will become really confusing.
