Implemented admin pane + user permission
This commit is contained in:
+22
-33
@@ -19,28 +19,27 @@ type Config struct {
|
||||
|
||||
// AuditConfig controls the audit trail. When enabled, every user and automated
|
||||
// action that could affect the controlled system (signal writes, control-logic
|
||||
// changes) is recorded to a SQLite database for later review by audit staff.
|
||||
// changes) is recorded to a SQLite database for later review by audit staff. Who
|
||||
// may *view* the log is governed by the auditor role (see GroupDef).
|
||||
type AuditConfig struct {
|
||||
Enabled bool `toml:"enabled"`
|
||||
DBPath string `toml:"db_path"` // SQLite file; default {storage_dir}/audit.db
|
||||
// Readers lists users or group names allowed to view the audit log. Empty
|
||||
// leaves viewing unrestricted (any caller with read access). Anonymous /
|
||||
// trusted-LAN callers are always permitted.
|
||||
Readers []string `toml:"readers"`
|
||||
}
|
||||
|
||||
// GroupDef is a named set of users defined as [[groups]] in the config file.
|
||||
// GroupDef defines one access group as [[groups]] in the config file. Each group
|
||||
// has an optional parent (for nesting) and lists its members by role. Roles form
|
||||
// a cumulative ladder: viewer < operator < logiceditor < auditor < admin. A user
|
||||
// listed in several role buckets keeps the highest. The built-in "public" group
|
||||
// (every user is an implicit viewer member) may be configured by name to raise
|
||||
// specific users globally.
|
||||
type GroupDef struct {
|
||||
Name string `toml:"name"`
|
||||
Members []string `toml:"members"`
|
||||
}
|
||||
|
||||
// BlacklistEntry downgrades a specific user's global access level. Levels:
|
||||
// "readonly" (no writes) or "noaccess" (denied). Users not listed are trusted
|
||||
// with full access.
|
||||
type BlacklistEntry struct {
|
||||
User string `toml:"user"`
|
||||
Level string `toml:"level"`
|
||||
Name string `toml:"name"`
|
||||
Parent string `toml:"parent"`
|
||||
Viewers []string `toml:"viewers"`
|
||||
Operators []string `toml:"operators"`
|
||||
LogicEditors []string `toml:"logiceditors"`
|
||||
Auditors []string `toml:"auditors"`
|
||||
Admins []string `toml:"admins"`
|
||||
}
|
||||
|
||||
type ServerConfig struct {
|
||||
@@ -58,18 +57,14 @@ type ServerConfig struct {
|
||||
|
||||
// DefaultUser is the identity used when the trusted user header is absent or
|
||||
// empty (e.g. unproxied/dev/LAN deployments). Empty leaves the user anonymous.
|
||||
//
|
||||
// Access levels (write/readonly), logic-edit, audit-view and admin rights are
|
||||
// all granted via group roles (see GroupDef / [[groups]]). A config with no
|
||||
// group roles at all is treated as fully open (everyone is admin), so an
|
||||
// unconfigured deployment behaves like trusted LAN. Once the admin pane writes
|
||||
// {storage_dir}/access.json, that file — not this config — is the source of
|
||||
// truth for access.
|
||||
DefaultUser string `toml:"default_user"`
|
||||
|
||||
// Blacklist downgrades specific users' global access level. Everyone not
|
||||
// listed is trusted with full write access.
|
||||
Blacklist []BlacklistEntry `toml:"blacklist"`
|
||||
|
||||
// LogicEditors optionally restricts who may add or edit panel logic (the
|
||||
// <logic> block of interfaces) and server-side control logic. Entries are
|
||||
// usernames or group names. When empty, no restriction applies (any user
|
||||
// with write access may edit logic). Anonymous/trusted-LAN callers are
|
||||
// always permitted.
|
||||
LogicEditors []string `toml:"logic_editors"`
|
||||
}
|
||||
|
||||
type DatasourceConfig struct {
|
||||
@@ -151,18 +146,12 @@ func applyEnv(cfg *Config) {
|
||||
if v := env("UOPI_SERVER_DEFAULT_USER"); v != "" {
|
||||
cfg.Server.DefaultUser = v
|
||||
}
|
||||
if v := env("UOPI_SERVER_LOGIC_EDITORS"); v != "" {
|
||||
cfg.Server.LogicEditors = strings.Fields(v)
|
||||
}
|
||||
if v := env("UOPI_AUDIT_ENABLED"); v != "" {
|
||||
cfg.Audit.Enabled = (v == "true" || v == "YES")
|
||||
}
|
||||
if v := env("UOPI_AUDIT_DB_PATH"); v != "" {
|
||||
cfg.Audit.DBPath = v
|
||||
}
|
||||
if v := env("UOPI_AUDIT_READERS"); v != "" {
|
||||
cfg.Audit.Readers = strings.Fields(v)
|
||||
}
|
||||
if v := env("UOPI_EPICS_CA_ADDR_LIST"); v != "" {
|
||||
cfg.Datasource.EPICS.CAAddrList = v
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user