feat: RBAC multi-user role-based access control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s

- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
This commit is contained in:
Gan, Jimmy
2026-03-01 14:13:43 +08:00
parent 15ad628425
commit 9992105b49
10 changed files with 342 additions and 65 deletions
+12 -1
View File
@@ -38,9 +38,20 @@ async def ws_endpoint(websocket: WebSocket, host: str = Query("nas")):
try:
first_msg = await asyncio.wait_for(websocket.receive_text(), timeout=5)
payload = jwt.decode(first_msg, config.SECRET_KEY, algorithms=[config.ALGORITHM])
if payload.get("type") != "access" or payload.get("sub") != config.ADMIN_USER:
if payload.get("type") != "access":
await websocket.close(code=1008, reason="Unauthorized")
return
username = payload.get("sub")
role = payload.get("role", "admin")
if username is None:
await websocket.close(code=1008, reason="Unauthorized")
return
# RBAC: check terminal page access
from rbac import get_pages
pages = get_pages(username, role)
if pages != "*" and "terminal" not in pages:
await websocket.close(code=1008, reason="Access denied")
return
except Exception:
await websocket.close(code=1008, reason="Unauthorized")
return