[asterisk-gui] Opinion, what do you want in the gui for users?

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Apr 13 14:34:40 MST 2007


On Fri, Apr 13, 2007 at 03:58:16PM -0500, Steven Sokol wrote:
> On 4/13/07, Alvaro Oliver <alvaro.oliver at gmail.com> wrote:
> >How about setting profiles?
> >An admin account may have access to every single tab in the GUI, while a
> >user account can just access some selected (by http.conf?) tabs.
> 
> Unfortunately, it's more complex than that.  If you grant a user the
> ability to connect with Asterisk over the Manager API, you can set
> various permissions in their profile in manager.conf.  The problem is
> that if you give someone access to configuration (i.e. enable the
> 'config' option) you are giving them blanket access to the PBX's
> configuration files -- including other users' passwords, the passwords
> for your various ITSP accounts, etc.
> 
> We need to be able to grant a user read/write access on a
> conf-file-by-conf-file basis.   It also may be better to move
> the user configuration information out of a flat file and into the
> AstDB -- upgraded to use SQLite3.  That way we could define security
> tables that in turn define what permissions each user has on each
> other table.

"config" is not the only way possible to write configuration. Try calling
executecommand at asterisk_guitools . This only takes the "call"
permissions.

I really don't like the idea of bending Asterisk just to allow the GUI
to function. The asterisk httpd does too many things already, and does
them badly.

> 
> This, by the way, is ANOTHER reason why it's imperative that
> getconfig/writeconfig NOT embed #includes when processing files.  If
> we give somebody permission to read user.conf but not passwords.conf,
> but users.conf #includes passwords.conf, then the security is
> violated.

#include / #exec is implemented as a pre-processing before the
configuration is read and hence breaks really badly when you rewrite the
configuration.

This means that I can't easily keep my custom changes. This should
probably be a cause of major pains when considering how to upgrade
configuration to use a newer version of the GUI.

-- 
               Tzafrir Cohen       
icq#16849755                    jabber:tzafrir at jabber.org
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com       
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
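
Added example, not part of the original message and not Asterisk's code: a simplified Python model of the #include problem discussed in the thread, with a reader that embeds included files after a single permission check beside one that checks each file and leaves the #include line as a directive. The file contents, account names, ACL table and function names are all constructed for illustration.

```python
# Constructed sample files; names and contents are illustrative only.
FILES = {
    "users.conf": "[6001]\nfullname = Alice\n#include passwords.conf\n",
    "passwords.conf": "[6001]\nsecret = constructed-secret\n",
}
# Hypothetical per-file ACL: which files each GUI account may read.
ACL = {"operator": {"users.conf"}, "admin": {"users.conf", "passwords.conf"}}


def include_target(line):
    """Return the file named by an '#include' line, else None."""
    parts = line.strip().split(None, 1)
    if len(parts) == 2 and parts[0] == "#include":
        return parts[1].strip('"')
    return None


def read_inlined(name, files, seen=()):
    """Expand #include targets in place, recursively, refusing include loops."""
    if name in seen:
        raise ValueError("include loop at " + name)
    out = []
    for line in files[name].splitlines():
        target = include_target(line)
        if target is None:
            out.append(line)
        else:
            out.extend(read_inlined(target, files, seen + (name,)))
    return out


def getconfig_leaky(user, name):
    """Checks the ACL for the requested file only, then embeds its includes."""
    if name not in ACL.get(user, set()):
        raise PermissionError(name)
    return read_inlined(name, FILES)


def getconfig_per_file(user, name):
    """Checks the ACL and returns the file's own lines; #include stays a directive."""
    if name not in ACL.get(user, set()):
        raise PermissionError(name)
    return FILES[name].splitlines()
```

Because the second reader hands back the #include line unexpanded, a client that writes the file back does not flatten the included content into it, and reading the included file is a separate request with its own permission check.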

