feat: RBAC multi-user role-based access control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies - Proxy auth reads Remote-Groups header to resolve role from LDAP groups - JWT tokens carry role claim, /me returns role + allowed pages - Per-router page access control and viewer write protection - Terminal WebSocket RBAC check - Frontend filters sidebar links and routes by allowed pages - Admin-only Settings page and RBAC override endpoints - Mount rbac.json in docker-compose for page config persistence
This commit is contained in:
@@ -38,9 +38,20 @@ async def ws_endpoint(websocket: WebSocket, host: str = Query("nas")):
|
||||
try:
|
||||
first_msg = await asyncio.wait_for(websocket.receive_text(), timeout=5)
|
||||
payload = jwt.decode(first_msg, config.SECRET_KEY, algorithms=[config.ALGORITHM])
|
||||
if payload.get("type") != "access" or payload.get("sub") != config.ADMIN_USER:
|
||||
if payload.get("type") != "access":
|
||||
await websocket.close(code=1008, reason="Unauthorized")
|
||||
return
|
||||
username = payload.get("sub")
|
||||
role = payload.get("role", "admin")
|
||||
if username is None:
|
||||
await websocket.close(code=1008, reason="Unauthorized")
|
||||
return
|
||||
# RBAC: check terminal page access
|
||||
from rbac import get_pages
|
||||
pages = get_pages(username, role)
|
||||
if pages != "*" and "terminal" not in pages:
|
||||
await websocket.close(code=1008, reason="Access denied")
|
||||
return
|
||||
except Exception:
|
||||
await websocket.close(code=1008, reason="Unauthorized")
|
||||
return
|
||||
|
||||
Reference in New Issue
Block a user