From 110eecb9e1a151815fe6b067ae7c068625647887 Mon Sep 17 00:00:00 2001
From: Florian Eckert
Date: Thu, 30 Oct 2025 16:15:51 +0100
Subject: [PATCH] luci-app-mwan3: split ACL into status and config

With this change, the status of mwan3 can be made available to other users separately, without them having the rights to change the configuration of mwan3.
Signed-off-by: Florian Eckert
---
 .../usr/share/luci/menu.d/luci-app-mwan3.json | 2 +-
 .../usr/share/rpcd/acl.d/luci-app-mwan3.json | 81 ++++++++++++-------
 2 files changed, 55 insertions(+), 28 deletions(-)
diff --git a/applications/luci-app-mwan3/root/usr/share/luci/menu.d/luci-app-mwan3.json b/applications/luci-app-mwan3/root/usr/share/luci/menu.d/luci-app-mwan3.json
index 556083584e..ee142df410 100644
--- a/applications/luci-app-mwan3/root/usr/share/luci/menu.d/luci-app-mwan3.json
+++ b/applications/luci-app-mwan3/root/usr/share/luci/menu.d/luci-app-mwan3.json
@@ -7,7 +7,7 @@
 },
 "depends": {
 "acl": [
- "luci-app-mwan3"
+ "luci-app-mwan3-status"
 ]
 }
 },
diff --git a/applications/luci-app-mwan3/root/usr/share/rpcd/acl.d/luci-app-mwan3.json b/applications/luci-app-mwan3/root/usr/share/rpcd/acl.d/luci-app-mwan3.json
index 72973ed1fe..a50ff19790 100644
--- a/applications/luci-app-mwan3/root/usr/share/rpcd/acl.d/luci-app-mwan3.json
+++ b/applications/luci-app-mwan3/root/usr/share/rpcd/acl.d/luci-app-mwan3.json
@@ -1,7 +1,58 @@
 {
- "luci-app-mwan3": {
- "description": "Grant UCI access for luci-app-mwan3",
+ "luci-app-mwan3-status": {
+ "description": "Grant access for luci-app-mwan3 status information",
 "read": {
+ "cgi-io": [
+ "exec"
+ ],
+ "file": {
+ "/usr/sbin/mwan3 status": [
+ "exec"
+ ]
+ },
+ "ubus": {
+ "mwan3": [
+ "status"
+ ]
+ }
+ },
+ "write": {
+ "file": {
+ "/usr/libexec/luci-mwan3 diag gateway *": [
+ "exec"
+ ],
+ "/usr/libexec/luci-mwan3 diag tracking *": [
+ "exec"
+ ],
+ "/usr/libexec/luci-mwan3 diag rules *": [
+ "exec"
+ ],
+ "/usr/libexec/luci-mwan3 diag routes *": [
+ "exec"
+ ],
+ "/usr/sbin/mwan3 internal ipv4": [
+ "exec"
+ ],
+ "/usr/sbin/mwan3 ifup *": [
+ "exec"
+ ],
+ "/usr/sbin/mwan3 ifdown *": [
+ "exec"
+ ]
+ },
+ "ubus": {
+ "file": [
+ "exec"
+ ]
+ }
+ }
+ },
+ "luci-app-mwan3": {
+ "description": "Grant access for luci-app-mwan3 configuration",
+ "read": {
+ "cgi-io": [
+ "exec"
+ ],
 "file": {
 "/etc/mwan3.user": [
 "read"
@@ -15,25 +66,7 @@
 "/usr/bin/arping": [
 "list"
 ],
- "/usr/sbin/mwan3 status": [
- "exec"
- ],
- "/usr/sbin/mwan3 ifup *": [
- "exec"
- ],
- "/usr/sbin/mwan3 ifdown *": [
- "exec"
- ],
- "/usr/sbin/mwan3 internal ipv4": [
- "exec"
- ],
- "/usr/sbin/mwan3 internal ipv6": [
- "exec"
- ],
- "/usr/libexec/luci-mwan3 diag * *": [
- "exec"
- ],
- "/usr/libexec/luci-mwan3 ipset *": [
+ "/usr/libexec/luci-mwan3 ipset dump": [
 "exec"
 ]
 },
@@ -51,12 +84,6 @@
 "file": {
 "/etc/mwan3.user": [
 "write"
- ],
- "/usr/sbin/mwan3 ifup *": [
- "exec"
- ],
- "/usr/sbin/mwan3 ifdown *": [
- "exec"
 ]
 },
 "uci": [
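Review bot: In the `@@ -1,7 +1,58 @@` hunk, the new `luci-app-mwan3-status` group is described as status information, yet its `write` section grants `/usr/sbin/mwan3 ifup *` and `/usr/sbin/mwan3 ifdown *`, so an account given write access to the status group can take WAN interfaces down without holding the configuration ACL. If that is intended, the description should say so, for example `"description": "Grant access for luci-app-mwan3 status, diagnostics and interface up/down",`; otherwise these two entries belong in a group of their own. The trailing `*` in these entries and in the four `diag … *` entries appears to accept any argument string, so argument validation has to live in `/usr/sbin/mwan3` and `/usr/libexec/luci-mwan3`, which this patch does not show. The `luci-app-mwan3` object opened at the end of this hunk continues outside it.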
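Review bot: In the `@@ -15,25 +66,7 @@` hunk, `/usr/sbin/mwan3 internal ipv6` is removed from the configuration group, while the status group re-grants only `internal ipv4`, so none of the visible ACL entries permits the IPv6 call any more. If a view still invokes it, the exec would presumably be refused for every user; either re-add `"/usr/sbin/mwan3 internal ipv6": [ "exec" ]` beside the ipv4 entry in the status group or state in the commit message that it is dropped on purpose. The narrowing of `ipset *` to `ipset dump` and of `diag * *` to four named subcommands is likewise a permission change the commit message does not mention; a sentence on it would help anyone auditing existing role assignments.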