Tools not allowed to connect when account twas notools site rights, #2726

2021-06-04 12:46:41 -07:00 · 2021-06-04 12:46:41 -07:00 · 26f289aba7
parent 8f1ce3eb5e
commit 26f289aba7
2 changed files with 51 additions and 15 deletions
--- a/agents/MeshCentralRouter.exe
+++ b/agents/MeshCentralRouter.exe
--- a/webserver.js
+++ b/webserver.js
@ -86,22 +86,42 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
    obj.renderLanguages = [];

    // Mesh Rights
-    const MESHRIGHT_EDITMESH = 1;
-    const MESHRIGHT_MANAGEUSERS = 2;
-    const MESHRIGHT_MANAGECOMPUTERS = 4;
-    const MESHRIGHT_REMOTECONTROL = 8;
-    const MESHRIGHT_AGENTCONSOLE = 16;
-    const MESHRIGHT_SERVERFILES = 32;
-    const MESHRIGHT_WAKEDEVICE = 64;
-    const MESHRIGHT_SETNOTES = 128;
+    const MESHRIGHT_EDITMESH            = 0x00000001;
+    const MESHRIGHT_MANAGEUSERS         = 0x00000002;
+    const MESHRIGHT_MANAGECOMPUTERS     = 0x00000004;
+    const MESHRIGHT_REMOTECONTROL       = 0x00000008;
+    const MESHRIGHT_AGENTCONSOLE        = 0x00000010;
+    const MESHRIGHT_SERVERFILES         = 0x00000020;
+    const MESHRIGHT_WAKEDEVICE          = 0x00000040;
+    const MESHRIGHT_SETNOTES            = 0x00000080;
+    const MESHRIGHT_REMOTEVIEWONLY      = 0x00000100;
+    const MESHRIGHT_NOTERMINAL          = 0x00000200;
+    const MESHRIGHT_NOFILES             = 0x00000400;
+    const MESHRIGHT_NOAMT               = 0x00000800;
+    const MESHRIGHT_DESKLIMITEDINPUT    = 0x00001000;
+    const MESHRIGHT_LIMITEVENTS         = 0x00002000;
+    const MESHRIGHT_CHATNOTIFY          = 0x00004000;
+    const MESHRIGHT_UNINSTALL           = 0x00008000;
+    const MESHRIGHT_NODESKTOP           = 0x00010000;
+    const MESHRIGHT_REMOTECOMMAND       = 0x00020000;
+    const MESHRIGHT_RESETOFF            = 0x00040000;
+    const MESHRIGHT_GUESTSHARING        = 0x00080000;
+    const MESHRIGHT_ADMIN               = 0xFFFFFFFF;

        // Site rights
-    const SITERIGHT_SERVERBACKUP = 1;
-    const SITERIGHT_MANAGEUSERS = 2;
-    const SITERIGHT_SERVERRESTORE = 4;
-    const SITERIGHT_FILEACCESS = 8;
-    const SITERIGHT_SERVERUPDATE = 16;
-    const SITERIGHT_LOCKED = 32;
+    const SITERIGHT_SERVERBACKUP        = 0x00000001;
+    const SITERIGHT_MANAGEUSERS         = 0x00000002;
+    const SITERIGHT_SERVERRESTORE       = 0x00000004;
+    const SITERIGHT_FILEACCESS          = 0x00000008;
+    const SITERIGHT_SERVERUPDATE        = 0x00000010;
+    const SITERIGHT_LOCKED              = 0x00000020;
+    const SITERIGHT_NONEWGROUPS         = 0x00000040;
+    const SITERIGHT_NOMESHCMD           = 0x00000080;
+    const SITERIGHT_USERGROUPS          = 0x00000100;
+    const SITERIGHT_RECORDINGS          = 0x00000200;
+    const SITERIGHT_LOCKSETTINGS        = 0x00000400;
+    const SITERIGHT_ALLEVENTS           = 0x00000800;
+    const SITERIGHT_ADMIN               = 0xFFFFFFFF;

    // Setup SSPI authentication if needed
    if ((obj.parent.platform == 'win32') && (obj.args.nousers != true) && (obj.parent.config != null) && (obj.parent.config.domains != null)) {
@ -6233,6 +6253,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                // A user/pass is provided in URL arguments
                obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid, passhint, loginOptions) {

+                    // Check if user as the "notools" site right. If so, deny this connection as tools are not allowed to connect.
+                    if ((user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & SITERIGHT_NOMESHCMD)) {
+                        // No tools allowed, close the websocket connection
+                        parent.debug('web', 'ERR: Websocket no tools allowed');
+                        try { ws.send(JSON.stringify({ action: 'close', cause: 'notools', msg: 'notools' })); ws.close(); } catch (e) { }
+                        return;
+                    }
+
                    // See if we support two-factor trusted cookies
                    var twoFactorCookieDays = 30;
                    if (typeof domain.twofactorcookiedurationdays == 'number') { twoFactorCookieDays = domain.twofactorcookiedurationdays; }
@ -6349,6 +6377,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                obj.authenticate(s[0], s[1], domain, function (err, userid, passhint, loginOptions) {
                    var user = obj.users[userid];
                    if ((err == null) && (user)) {
+                        // Check if user as the "notools" site right. If so, deny this connection as tools are not allowed to connect.
+                        if ((user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & SITERIGHT_NOMESHCMD)) {
+                            // No tools allowed, close the websocket connection
+                            parent.debug('web', 'ERR: Websocket no tools allowed');
+                            try { ws.send(JSON.stringify({ action: 'close', cause: 'notools', msg: 'notools' })); ws.close(); } catch (e) { }
+                            return;
+                        }
+
                        // Check if a 2nd factor is needed
                        if (checkUserOneTimePasswordRequired(domain, user, req, loginOptions) == true) {