Access Control List

Overview

The current ACL system is targeted at delivering backwards compatibility for legacy code and being able to extend this a little to add new features without having to reimplement the whole system.

In the legacy system the access control is using the following steps to determine if a page can be accessed by a user:

  1. The user, stored in the config.xml file at system/user (one item per user)
  2. One or more groups for that user, stored in system/group which contains priv sections.
  3. A PHP file binding the priv section content to a page mask (including wildcards)

Our temporary solution is to keep the user and the group in place and replace the PHP file with a simple config in the model which uses the same mask construction there was in the old codebase. To bind priv to pages, edit models/OPNsense/Core/ACL_Legacy_Page_Map.txt

Usage from PHP

Using the system from PHP is rather simple:

$acl = new OPNsense\Core\ACL();
if ( $acl->isPageAccessible("user", "/firewall_rules.php") ) {
  print ( "/firewall_rules.php is accessible" ) ;
}

Usage in Volt templates

The ACL scheme is bound to the default UI controller, and can be used by using the acl keyword:

{% if acl.isPageAccessible(session.get('Username'),subMenuItem.Url)  %}
  this page is accessible
{% endif %}