enforce a 'deny all' default rule

this ensures that an access list is 'secure by default' and requires the user to create exceptions or holes in the proection instead of building the wall entirely. This also means that we no longer require the user to input any username/passwords or client addressses and can avoid internal errors which generate unhelpful user errors.
2024-08-30 18:22:48 +00:00 · 2020-04-13 19:52:44 -07:00 · 2020-04-13 19:52:44 -07:00 · e2ee2cbf2d
commit e2ee2cbf2d
parent 005e64eb9f
3 changed files with 13 additions and 9 deletions
--- a/backend/internal/access-list.js
+++ b/backend/internal/access-list.js
@ -25,10 +25,6 @@ const internalAccessList = {
 	create: (access, data) => {
 		return access.can('access_lists:create', data)
 			.then((/*access_data*/) => {
-				if ((typeof data.items === 'undefined' || !data.items.length) && (typeof data.clients === 'undefined' || !data.clients.length)) {
-					throw new error.InternalValidationError('At leaste one user/pass or address must be defined');
-				}
-
 				return accessListModel
 					.query()
 					.omit(omissions())
@ -114,10 +110,6 @@ const internalAccessList = {
 	update: (access, data) => {
 		return access.can('access_lists:update', data.id)
 			.then((/*access_data*/) => {
-				if ((typeof data.items === 'undefined' || !data.items.length) && (typeof data.clients === 'undefined' || !data.clients.length)) {
-					throw new error.InternalValidationError('At leaste one user/pass or address must be defined');
-				}
-				
 				return internalAccessList.get(access, {id: data.id});
 			})
 			.then((row) => {
--- a/frontend/js/app/nginx/access/form.ejs
+++ b/frontend/js/app/nginx/access/form.ejs
@ -55,6 +55,18 @@
                <!-- Access -->
                <div class="tab-pane" id="access">
                    <div class="clients"><!-- clients --></div>
+                    <div class="row">
+                        <div class="col-sm-3 col-md-3">
+                            <div class="form-group">
+                                <input type="text" class="form-control disabled" value="deny" disabled>
+                            </div>
+                        </div>
+                        <div class="col-sm-9 col-md-9">
+                            <div class="form-group">
+                                <input type="text" class="form-control disabled" value="all" disabled>
+                            </div>
+                        </div>
+                    </div>
                    <div class="text-muted">Note that the <code>allow</code> and <code>deny</code> directives will be applied in the order they are defined.</div>
                </div>

--- a/frontend/js/app/nginx/access/form.js
+++ b/frontend/js/app/nginx/access/form.js
@ -119,7 +119,7 @@ module.exports = Mn.View.extend({
            }
        }

-        let clients_to_add = 5 - clients.length;
+        let clients_to_add = 4 - clients.length;
        if (clients_to_add) {
            for (let i = 0; i < clients_to_add; i++) {
                clients.push({});