From e2ee2cbf2db518260a93ac06332b04890b58ad03 Mon Sep 17 00:00:00 2001
From: Kyle Klaus
Date: Mon, 13 Apr 2020 19:52:44 -0700
Subject: [PATCH] enforce a 'deny all' default rule

this ensures that an access list is 'secure by default' and requires the user to create exceptions or holes in the proection instead of building the wall entirely. This also means that we no longer require the user to input any username/passwords or client addressses and can avoid internal errors which generate unhelpful user errors.
---
 backend/internal/access-list.js | 8 --------
 frontend/js/app/nginx/access/form.ejs | 12 ++++++++++++
 frontend/js/app/nginx/access/form.js | 2 +-
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/backend/internal/access-list.js b/backend/internal/access-list.js
index 69e13f4e..a640c1e2 100644
--- a/backend/internal/access-list.js
+++ b/backend/internal/access-list.js
@@ -25,10 +25,6 @@ const internalAccessList = {
 create: (access, data) => {
 return access.can('access_lists:create', data)
 .then((/*access_data*/) => {
- if ((typeof data.items === 'undefined' || !data.items.length) && (typeof data.clients === 'undefined' || !data.clients.length)) {
- throw new error.InternalValidationError('At leaste one user/pass or address must be defined');
- }
-
 return accessListModel
 .query()
 .omit(omissions())
@@ -114,10 +110,6 @@ const internalAccessList = {
 update: (access, data) => {
 return access.can('access_lists:update', data.id)
 .then((/*access_data*/) => {
- if ((typeof data.items === 'undefined' || !data.items.length) && (typeof data.clients === 'undefined' || !data.clients.length)) {
- throw new error.InternalValidationError('At leaste one user/pass or address must be defined');
- }
-
 return internalAccessList.get(access, {id: data.id});
 })
 .then((row) => {
diff --git a/frontend/js/app/nginx/access/form.ejs b/frontend/js/app/nginx/access/form.ejs
index 40fe8542..3f127cc0 100644
--- a/frontend/js/app/nginx/access/form.ejs
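Review bot: Dropping the server-side "at least one user/pass or address" check in both the create and update hunks means an access list with empty items and empty clients is now accepted, yet nothing in this diff adds the deny-all rule the title promises — the diffstat touches only access-list.js and the two frontend form files, not the nginx config template. If the rendered template already ends the client rules with `deny all;` and copes with an empty auth list, the removal is sound; if it does not, an empty list becomes a hole rather than a wall, so please confirm where the default deny is emitted or add it in the same commit. A one-line comment where the check stood, `// An empty list is valid: the rendered config falls through to 'deny all', so entries are exceptions to it.`, would stop the next reader from re-adding the validation. The create and update bodies both continue outside the hunks.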
+++ b/frontend/js/app/nginx/access/form.ejs
@@ -55,6 +55,18 @@
+
+
+
+
+
+
+
+
+
+
+
+
Note that the allow and deny directives will be applied in the order they are defined.
diff --git a/frontend/js/app/nginx/access/form.js b/frontend/js/app/nginx/access/form.js
index fdfbb65d..8efdb72a 100644
--- a/frontend/js/app/nginx/access/form.js
+++ b/frontend/js/app/nginx/access/form.js
@@ -119,7 +119,7 @@ module.exports = Mn.View.extend({
 }
 }
- let clients_to_add = 5 - clients.length;
+ let clients_to_add = 4 - clients.length;
 if (clients_to_add) {
 for (let i = 0; i < clients_to_add; i++) {
 clients.push({});
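Review bot: The bare `4` in `let clients_to_add = 4 - clients.length;` replaces an equally bare `5` with nothing saying why one fewer blank row is padded; presumably the missing row is the fixed deny-all entry the form.ejs change renders, but that link is not visible from this file. Naming it, `const EMPTY_CLIENT_ROWS = 4; // the last row is the fixed 'deny all' rule rendered in form.ejs` followed by `let clients_to_add = EMPTY_CLIENT_ROWS - clients.length;`, ties the two files together for the next editor. The existing `if (clients_to_add)` is also true for negative values (more than four saved clients) and only works because the for-loop then runs zero times; `if (clients_to_add > 0)` states the intent. The enclosing method starts outside the hunk.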