luci-app-mwan3: split ACL into status and config

With this change, the status of mwan3 can be made available to other users separately, without them having the rights to change the configuration of mwan3. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2026-04-15 10:51:51 +00:00 · 2025-10-30 16:15:51 +01:00
parent 1243d8023a
commit 110eecb9e1
2 changed files with 55 additions and 28 deletions
--- a/applications/luci-app-mwan3/root/usr/share/luci/menu.d/luci-app-mwan3.json
+++ b/applications/luci-app-mwan3/root/usr/share/luci/menu.d/luci-app-mwan3.json
@@ -7,7 +7,7 @@
 		},
 		"depends": {
 			"acl": [
-				"luci-app-mwan3"
+				"luci-app-mwan3-status"
 			]
 		}
 	},
--- a/applications/luci-app-mwan3/root/usr/share/rpcd/acl.d/luci-app-mwan3.json
+++ b/applications/luci-app-mwan3/root/usr/share/rpcd/acl.d/luci-app-mwan3.json
@@ -1,7 +1,58 @@
 {
-	"luci-app-mwan3": {
-		"description": "Grant UCI access for luci-app-mwan3",
+	"luci-app-mwan3-status": {
+		"description": "Grant access for luci-app-mwan3 status information",
 		"read": {
+			"cgi-io": [
+				"exec"
+			],
+			"file": {
+				"/usr/sbin/mwan3 status": [
+					"exec"
+				]
+			},
+			"ubus": {
+				"mwan3": [
+					"status"
+				]
+			}
+		},
+		"write": {
+			"file": {
+				"/usr/libexec/luci-mwan3 diag gateway *": [
+					"exec"
+				],
+				"/usr/libexec/luci-mwan3 diag tracking *": [
+					"exec"
+				],
+				"/usr/libexec/luci-mwan3 diag rules *": [
+					"exec"
+				],
+				"/usr/libexec/luci-mwan3 diag routes *": [
+					"exec"
+				],
+				"/usr/sbin/mwan3 internal ipv4": [
+					"exec"
+				],
+				"/usr/sbin/mwan3 ifup *": [
+					"exec"
+				],
+				"/usr/sbin/mwan3 ifdown *": [
+					"exec"
+				]
+			},
+			"ubus": {
+				"file": [
+					"exec"
+				]
+			}
+		}
+	},
+	"luci-app-mwan3": {
+		"description": "Grant access for luci-app-mwan3 configuration",
+		"read": {
+			"cgi-io": [
+				"exec"
+			],
 			"file": {
 				"/etc/mwan3.user": [
 					"read"
@@ -15,25 +66,7 @@
 				"/usr/bin/arping": [
 					"list"
 				],
-				"/usr/sbin/mwan3 status": [
-					"exec"
-				],
-				"/usr/sbin/mwan3 ifup *": [
-					"exec"
-				],
-				"/usr/sbin/mwan3 ifdown *": [
-					"exec"
-				],
-				"/usr/sbin/mwan3 internal ipv4": [
-					"exec"
-				],
-				"/usr/sbin/mwan3 internal ipv6": [
-					"exec"
-				],
-				"/usr/libexec/luci-mwan3 diag * *": [
-					"exec"
-				],
-				"/usr/libexec/luci-mwan3 ipset *": [
+				"/usr/libexec/luci-mwan3 ipset dump": [
 					"exec"
 				]
 			},
@@ -51,12 +84,6 @@
 			"file": {
 				"/etc/mwan3.user": [
 					"write"
-				],
-				"/usr/sbin/mwan3 ifup *": [
-					"exec"
-				],
-				"/usr/sbin/mwan3 ifdown *": [
-					"exec"
 				]
 			},
 			"uci": [