Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FIX(server, client): Fix ACL write and traverse permissions #6512

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

Hartmnt
Copy link
Member

@Hartmnt Hartmnt commented Jul 17, 2024

FIX(server): Make sure context is applied to traverse and write ACL

Previously, both the traverse and write ACL would be evaluatedwithout taking the "in this channel" and "in sub-channels" context options into account.
This would lead to denying traverse for channels that were actually supposed to be traversable.

This commit refactors the ACL calculation for readability and makes sure the write and traverse checks are actually taking the context into account.

Fixes #3579

FIX(server, client): Remove "Write" ACL parent channel inheritance

Since 2a9dcfd and 62b1536 the Mumble server would overwrite the current channel Write ACL, if the user had Write ACL permission in the parent channel.
Supposedly, this was done because otherwise malicious users could create temporary "ungovernable" channels by locking admins out denying Write ACL for them.
However, this makes ACL management a lot less intuitive with regard to the Write permission.

This commit reverts those commits and instead adds a check to see if the user has Write permission in the root channel instead.
The reasoning being: If the server owner grants Write ACL on root, they probably want those users to be able to moderate every channel.
If instead the server owner only grants Write on part of the channel tree, normal ACL rules apply and users may lock other users out for whatever reason.

FIX(client): Prevent unchecking both ACL context checkboxes

Previously, it was possible to have both context checkboxes disabled in the ACLEditor, leaving the ACL entry in a dangleing inactive state.
This commit makes sure, that at least one of the checkboxes is always enabled.

@Hartmnt Hartmnt added client server acl Everything related to access-control-lists (permission management) bug A bug (error) in the software labels Jul 17, 2024
@Hartmnt Hartmnt force-pushed the fix_traverse branch 3 times, most recently from 057b94d to 3599093 Compare July 18, 2024 11:48
@Hartmnt Hartmnt added the ui label Jul 18, 2024
@Hartmnt Hartmnt changed the title WIP: FIX(server, client): Fix ACL write and traverse permissions FIX(server, client): Fix ACL write and traverse permissions Jul 18, 2024
@Hartmnt Hartmnt marked this pull request as ready for review July 18, 2024 12:39
src/ACL.cpp Outdated Show resolved Hide resolved
src/ACL.cpp Show resolved Hide resolved
src/mumble/ACLEditor.cpp Show resolved Hide resolved
src/murmur/Messages.cpp Show resolved Hide resolved
@Hartmnt
Copy link
Member Author

Hartmnt commented Sep 22, 2024

@Krzmbrzl Do you think backporting this is viable? I think it is and potential breakage is small.

@Hartmnt
Copy link
Member Author

Hartmnt commented Sep 29, 2024

@Krzmbrzl gentle ping :)

src/ACL.cpp Outdated Show resolved Hide resolved
src/ACL.cpp Outdated Show resolved Hide resolved
src/ACL.cpp Outdated Show resolved Hide resolved
src/ACL.cpp Outdated
bool applyFromParent = (ch != chan && acl->bApplySubs);

// Not using applyFromAny will ignore the context flags for the current ACL
bool applyFromAny = applyFromSelf || applyFromParent;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose we can short-circuit in case !applyFromAny and just jump to the next loop iteration?

That should make explicit checking of this boolean further down redundant 🤔

@Krzmbrzl
Copy link
Member

Sorry for having taken so long to respond. This ACL stuff is always a bit tricky and messing it up can be rather bad so I didn't want to review without taking a proper look. But that takes time which I didn't find until now 🤷

Do you think backporting this is viable? I think it is and potential breakage is small.

Yeah, I think we can backport this. It fixes a bug after all and as such is eligible for backporting. And as to potentially introducing a new bug, that's a risk we have to live with unless we never release bug fix releases :)

Copy link
Member

@Krzmbrzl Krzmbrzl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't want to be pedantic here but I guess this could improve the overall code quality of this section?

On the functional side of things I am happy with this PR though :)

src/ACL.cpp Outdated Show resolved Hide resolved
src/ACL.cpp Outdated Show resolved Hide resolved
src/ACL.cpp Outdated Show resolved Hide resolved
src/ACL.cpp Outdated Show resolved Hide resolved
src/ACL.cpp Outdated
Comment on lines 180 to 179
if (applyFromAny && (acl->pAllow & Traverse)) {
traverse = true;
if (acl->pDeny & Traverse)
}
if (applyDenyTraverse && (acl->pDeny & Traverse)) {
traverse = false;
if (acl->pAllow & Write)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be written as

traverse = applyFromAny && (acl->pAllow & Traverse);
traverse &= !applyDenyTraverse || !(acl->pDeny & Traverse);

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with the write boolean. But writing traverse as two lines of rather hard to follow logical operations seems counterproductive to me.

Previously, both the traverse and write ACL would be evaluated
without taking the "in this channel" and "in sub-channels" context
options into account.
This would lead to denying traverse for channels that were
actually supposed to be traversable.

This commit refactors the ACL calculation for readability
and makes sure the write and traverse checks are actually taking the
context into account.

Fixes mumble-voip#3579
Since 2a9dcfd and 62b1536 the Mumble server
would overwrite the current channel Write ACL, if the user
had Write ACL permission in the parent channel.
Supposedly, this was done because otherwise malicious users
could create temporary "ungovernable" channels by locking admins out
denying Write ACL for them.
However, this makes ACL management a lot less intuitive with regard
to the Write permission.

This commit reverts those commits and instead adds a check to see
if the user has Write permission in the root channel instead.
The reasoning being: If the server owner grants Write ACL on root,
they probably want those users to be able to moderate every channel.
If instead the server owner only grants Write on part of the channel
tree, normal ACL rules apply and users may lock other users out for
whatever reason.
Previously, it was possible to have both context checkboxes
disabled in the ACLEditor, leaving the ACL entry in a dangleing
inactive state.
This commit makes sure, that at least one of the checkboxes is
always enabled.
@Hartmnt
Copy link
Member Author

Hartmnt commented Dec 22, 2024

@Krzmbrzl Gentle ping for a final review. Just implemented your suggestions (except the last one).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
acl Everything related to access-control-lists (permission management) auto-backport-to-1.5.x bug A bug (error) in the software client server ui
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Context checkboxes ignored for traverse permissions
2 participants