luci-app-mwan3: split ACL into status and config

With this change, the status of mwan3 can be made available to other users
separately, without them having the rights to change the configuration of
mwan3.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>

diff --git a/applications/luci-app-mwan3/root/usr/share/luci/menu.d/luci-app-mwan3.json b/applications/luci-app-mwan3/root/usr/share/luci/menu.d/luci-app-mwan3.json
index 556083584ea16d0e5148ae44f3dc94670d24e35e..ee142df4100c05e526f7a96651ac90a952032b26 100644 (file)
--- a/applications/luci-app-mwan3/root/usr/share/luci/menu.d/luci-app-mwan3.json
+++ b/applications/luci-app-mwan3/root/usr/share/luci/menu.d/luci-app-mwan3.json
@@ -7,7 +7,7 @@
                },
                "depends": {
                        "acl": [
-                               "luci-app-mwan3"
+                               "luci-app-mwan3-status"
                        ]
                }
        },

diff --git a/applications/luci-app-mwan3/root/usr/share/rpcd/acl.d/luci-app-mwan3.json b/applications/luci-app-mwan3/root/usr/share/rpcd/acl.d/luci-app-mwan3.json
index 72973ed1fe204d443c881dd804ab4a7436b5becb..a50ff1979053e0d5482e93aa91f82978d2f3beaf 100644 (file)
--- a/applications/luci-app-mwan3/root/usr/share/rpcd/acl.d/luci-app-mwan3.json
+++ b/applications/luci-app-mwan3/root/usr/share/rpcd/acl.d/luci-app-mwan3.json
@@ -1,21 +1,36 @@
 {
-       "luci-app-mwan3": {
-               "description": "Grant UCI access for luci-app-mwan3",
+       "luci-app-mwan3-status": {
+               "description": "Grant access for luci-app-mwan3 status information",
                "read": {
+                       "cgi-io": [
+                               "exec"
+                       ],
                        "file": {
-                               "/etc/mwan3.user": [
-                                       "read"
+                               "/usr/sbin/mwan3 status": [
+                                       "exec"
+                               ]
+                       },
+                       "ubus": {
+                               "mwan3": [
+                                       "status"
+                               ]
+                       }
+               },
+               "write": {
+                       "file": {
+                               "/usr/libexec/luci-mwan3 diag gateway *": [
+                                       "exec"
                                ],
-                               "/usr/bin/httping": [
-                                       "list"
+                               "/usr/libexec/luci-mwan3 diag tracking *": [
+                                       "exec"
                                ],
-                               "/usr/bin/nping": [
-                                       "list"
+                               "/usr/libexec/luci-mwan3 diag rules *": [
+                                       "exec"
                                ],
-                               "/usr/bin/arping": [
-                                       "list"
+                               "/usr/libexec/luci-mwan3 diag routes *": [
+                                       "exec"
                                ],
-                               "/usr/sbin/mwan3 status": [
+                               "/usr/sbin/mwan3 internal ipv4": [
                                        "exec"
                                ],
                                "/usr/sbin/mwan3 ifup *": [
@@ -23,17 +38,35 @@
                                ],
                                "/usr/sbin/mwan3 ifdown *": [
                                        "exec"
-                               ],
-                               "/usr/sbin/mwan3 internal ipv4": [
+                               ]
+                       },
+                       "ubus": {
+                               "file": [
                                        "exec"
+                               ]
+                       }
+               }
+       },
+       "luci-app-mwan3": {
+               "description": "Grant access for luci-app-mwan3 configuration",
+               "read": {
+                       "cgi-io": [
+                               "exec"
+                       ],
+                       "file": {
+                               "/etc/mwan3.user": [
+                                       "read"
                                ],
-                               "/usr/sbin/mwan3 internal ipv6": [
-                                       "exec"
+                               "/usr/bin/httping": [
+                                       "list"
                                ],
-                               "/usr/libexec/luci-mwan3 diag * *": [
-                                       "exec"
+                               "/usr/bin/nping": [
+                                       "list"
+                               ],
+                               "/usr/bin/arping": [
+                                       "list"
                                ],
-                               "/usr/libexec/luci-mwan3 ipset *": [
+                               "/usr/libexec/luci-mwan3 ipset dump": [
                                        "exec"
                                ]
                        },
@@ -51,12 +84,6 @@
                        "file": {
                                "/etc/mwan3.user": [
                                        "write"
-                               ],
-                               "/usr/sbin/mwan3 ifup *": [
-                                       "exec"
-                               ],
-                               "/usr/sbin/mwan3 ifdown *": [
-                                       "exec"
                                ]
                        },
                        "uci": [