Working on audit
This commit is contained in:
@@ -61,18 +61,20 @@ type Policy struct {
|
||||
userGroups map[string][]string // user → groups they belong to
|
||||
groupNames []string // all configured group names (sorted)
|
||||
logicEditors map[string]bool // users + group names allowed to edit logic
|
||||
auditReaders map[string]bool // users + group names allowed to view the audit log
|
||||
}
|
||||
|
||||
// New builds a Policy. blacklist maps a username to a config level string;
|
||||
// groups maps a group name to its member usernames. logicEditors optionally
|
||||
// restricts who may edit panel/control logic (usernames or group names); empty
|
||||
// means no restriction.
|
||||
func New(defaultUser string, blacklist map[string]string, groups map[string][]string, logicEditors []string) *Policy {
|
||||
func New(defaultUser string, blacklist map[string]string, groups map[string][]string, logicEditors, auditReaders []string) *Policy {
|
||||
p := &Policy{
|
||||
defaultUser: strings.TrimSpace(defaultUser),
|
||||
blacklist: make(map[string]Level),
|
||||
userGroups: make(map[string][]string),
|
||||
logicEditors: make(map[string]bool),
|
||||
auditReaders: make(map[string]bool),
|
||||
}
|
||||
for _, e := range logicEditors {
|
||||
e = strings.TrimSpace(e)
|
||||
@@ -80,6 +82,12 @@ func New(defaultUser string, blacklist map[string]string, groups map[string][]st
|
||||
p.logicEditors[e] = true
|
||||
}
|
||||
}
|
||||
for _, e := range auditReaders {
|
||||
e = strings.TrimSpace(e)
|
||||
if e != "" {
|
||||
p.auditReaders[e] = true
|
||||
}
|
||||
}
|
||||
for user, lvl := range blacklist {
|
||||
u := strings.TrimSpace(user)
|
||||
if u == "" {
|
||||
@@ -165,6 +173,29 @@ func (p *Policy) CanEditLogic(user string) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
// CanViewAudit reports whether a user may view the audit log. When no reader
|
||||
// allowlist is configured everyone with read access qualifies; otherwise the
|
||||
// user (or one of their groups) must be listed. Anonymous/trusted-LAN callers
|
||||
// (user=="") are always permitted.
|
||||
func (p *Policy) CanViewAudit(user string) bool {
|
||||
user = strings.TrimSpace(user)
|
||||
if user == "" {
|
||||
return true
|
||||
}
|
||||
if len(p.auditReaders) == 0 {
|
||||
return true
|
||||
}
|
||||
if p.auditReaders[user] {
|
||||
return true
|
||||
}
|
||||
for _, g := range p.userGroups[user] {
|
||||
if p.auditReaders[g] {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// GroupsOf returns a copy of the groups a user belongs to.
|
||||
func (p *Policy) GroupsOf(user string) []string {
|
||||
src := p.userGroups[strings.TrimSpace(user)]
|
||||
|
||||
Reference in New Issue
Block a user