Re: Where to set UI ACLs?

2016-03-10 Thread Lars George
Indeed, that was my thinking. There is already provisioning for it in
the code, so we just need to wire it in. If no objections I'll create a
JIRA and give it a go.

On Wed, Mar 9, 2016 at 9:25 PM, Andrew Purtell wrote:
> I think we need a JIRA. We haven't considered access control for the UIs
> before. IMHO, they are inherently unsafe except for operator use ("no user
> serviceable parts inside") so random folks should not be given network
> paths to them.
>
> On Wed, Mar 9, 2016 at 5:31 AM, Lars George wrote:
>
>> Hi,
>>
>> Reading the whole HttpServer code base, and while this is a copy it
>> seems from HttpServer2, including the ability to set ACLs with users
>> who are allowed to access (admins), I cannot see this ever being set.
>> Am I missing something, or is there a JIRA documenting that this needs
>> adding?
>>
>> Thanks,
>> Lars
>>
>
>
>
> --
> Best regards,
>
>    - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)


Re: Where to set UI ACLs?

2016-03-09 Thread Andrew Purtell
I think we need a JIRA. We haven't considered access control for the UIs
before. IMHO, they are inherently unsafe except for operator use ("no user
serviceable parts inside") so random folks should not be given network
paths to them.

On Wed, Mar 9, 2016 at 5:31 AM, Lars George wrote:

> Hi,
>
> Reading the whole HttpServer code base, and while this is a copy it
> seems from HttpServer2, including the ability to set ACLs with users
> who are allowed to access (admins), I cannot see this ever being set.
> Am I missing something, or is there a JIRA documenting that this needs
> adding?
>
> Thanks,
> Lars
>



-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)


Re: Where to set UI ACLs?

2016-03-09 Thread Stack
On Wed, Mar 9, 2016 at 5:31 AM, Lars George wrote:

> Hi,
>
> Reading the whole HttpServer code base, and while this is a copy it
> seems from HttpServer2, including the ability to set ACLs with users
> who are allowed to access (admins), I cannot see this ever being set.
> Am I missing something, or is there a JIRA documenting that this needs
> adding?
>
>
Needs adding I'd say Lars (I don't remember seeing this during review).
St.Ack