From fe9a7d06cec33dc715b8d36ffd750c269288170d Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Wed, 6 May 2020 11:47:23 -0700
Subject: [PATCH] Fixed device access control when using ManageAllDeviceGroups.
---
 meshcentral.js | 10 +++++++++-
 webserver.js | 5 +++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/meshcentral.js b/meshcentral.js
index 8131e582..34f08ece 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -1411,7 +1411,15 @@ function CreateMeshCentralServer(config, args) {
 // Setup users that can see all device groups
 obj.config.settings.managealldevicegroups = [];
- for (i in obj.config.domains) { if (Array.isArray(obj.config.domains[i].managealldevicegroups)) { for (var j in obj.config.domains[i].managealldevicegroups) { if (typeof obj.config.domains[i].managealldevicegroups[j] == 'string') { obj.config.settings.managealldevicegroups.push('user/' + i + '/' + obj.config.domains[i].managealldevicegroups[j]); } } } }
+ for (i in obj.config.domains) {
+ if (Array.isArray(obj.config.domains[i].managealldevicegroups)) {
+ for (var j in obj.config.domains[i].managealldevicegroups) {
+ if (typeof obj.config.domains[i].managealldevicegroups[j] == 'string') {
+ obj.config.settings.managealldevicegroups.push('user/' + i + '/' + obj.config.domains[i].managealldevicegroups[j]);
+ }
+ }
+ }
+ }
 });
 });
 };
diff --git a/webserver.js b/webserver.js
index 16006dfc..6522d4de 100644
--- a/webserver.js
+++ b/webserver.js
@@ -4541,6 +4541,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 db.Get(nodeid, function (err, nodes) {
 if ((nodes == null) || (nodes.length != 1)) { func(null, 0, false); return; } // No such nodeid
+ // This is a super user that can see all device groups for a given domain
+ if ((user.siteadmin == 0xFFFFFFFF) && (parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0) && (nodes[0].domain == user.domain)) {
+ func(nodes[0], 0xFFFFFFFF, true); return;
+ }
+ // Check device link
 var rights = 0, visible = false, r = user.links[nodeid];
 if (r != null) {
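Review bot: The added branch in the `db.Get` callback is an authorization decision that returns full rights (`0xFFFFFFFF`) before the device-link check, yet its domain test uses loose `==` and the list lookup is unguarded. With `==`, `nodes[0].domain == user.domain` also passes when both values are null or undefined, and `indexOf` throws inside the callback if `parent.config.settings.managealldevicegroups` is not an array at that moment (the meshcentral.js hunk appears to assign it inside nested startup callbacks, so this may depend on ordering). I would tighten the condition to `if ((user.siteadmin == 0xFFFFFFFF) && Array.isArray(parent.config.settings.managealldevicegroups) && (parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0) && (typeof user.domain == 'string') && (nodes[0].domain === user.domain)) {`. The comment says these users can "see" all device groups while the branch grants every right on the node; `// Users listed in managealldevicegroups get full rights on every device in their own domain` would match what the code does. The enclosing function starts and ends outside the hunk.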