4. Allow access to “Helloworld”

Until now we tested our application using the root user, which has the special privilege to access everything available without restrictions.

The next step is to allow others to access our interface and API endpoints as well.

Register an ACL to allow access for other users

Because we used root to test, we were able to access our application, but if we want other users to access it, we need to make sure we can assign the privilege to our users and/or groups.

To do so, we need an ACL (Access Control List) in the designated directory, which we will create first.

mkdir -p /usr/local/opnsense/mvc/app/models/ValueA/Samples/ACL

Our ACL is defined as a single XML file containing the type of access and a user-readable description.

/usr/local/opnsense/mvc/app/models/ValueA/Samples/ACL/ACL.xml
1 <acl>
2     <page-valuea-samples>
3         <name>ValueA Samples</name>
4         <patterns>
5             <pattern>ui/samples/helloworld/*</pattern>
6             <pattern>api/samples/hello/*</pattern>
7         </patterns>
8     </page-valuea-samples>
9 </acl>

The layout of our definition is pretty straightforward: line 2 contains the unique key of this list, followed by a name and a list of URL patterns to allow access to.

For our sample, we will add the two controllers we have created in the previous chapters.
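To review what a privilege like this grants before assigning it, the following added example (not OPNsense code and not part of the original tutorial) parses the ACL.xml above, reports which privilege keys cover a given URL path, and flags patterns whose wildcard starts too high in the path. The function names are hypothetical, and the matching rule (`*` matches any run of characters, and the whole path must match) is an assumption about the pattern semantics, not taken from this page.

```python
import re
import xml.etree.ElementTree as ET

# The ACL.xml from this page, embedded so the example runs offline.
ACL_XML = """<acl>
    <page-valuea-samples>
        <name>ValueA Samples</name>
        <patterns>
            <pattern>ui/samples/helloworld/*</pattern>
            <pattern>api/samples/hello/*</pattern>
        </patterns>
    </page-valuea-samples>
</acl>"""


def load_acl(xml_text):
    """Return {privilege key: {"name": str, "patterns": [str, ...]}}."""
    acl = {}
    for priv in ET.fromstring(xml_text):
        patterns = [p.text.strip() for p in priv.iterfind("patterns/pattern") if p.text]
        acl[priv.tag] = {"name": priv.findtext("name", default=""), "patterns": patterns}
    return acl


def pattern_to_regex(pattern):
    # Assumption: "*" is the only wildcard and matches any run of characters;
    # every other character is taken literally.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def granted_by(acl, url):
    """List the privilege keys whose patterns cover the given URL path."""
    path = url.lstrip("/")
    return [key for key, priv in acl.items()
            if any(pattern_to_regex(p).fullmatch(path) for p in priv["patterns"])]


def broad_patterns(acl, min_literal_segments=2):
    """Flag patterns with fewer literal path segments than required before the first "*"."""
    findings = []
    for key, priv in acl.items():
        for p in priv["patterns"]:
            literal = p.split("*", 1)[0].strip("/")
            depth = len([s for s in literal.split("/") if s])
            if depth < min_literal_segments:
                findings.append((key, p))
    return findings
```

Calling `granted_by(load_acl(ACL_XML), "api/samples/hello/anything")` returns the key from line 2 of the file, while a path outside both patterns returns an empty list.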

Test your ACL

To test our ACL we need a user, which we can create in the GUI.

First go to System -> Access -> Users and click on the plus sign ([+]) in the top right corner, fill in the form and save. Next, open the user again by clicking the pencil and search for “Effective Privileges”, click [+] there and search for “samples”. The last step is to add the privilege and save, then exit the user form by clicking save there as well.

When using groups, assignment works the same way as for a single user.