security: RBAC viewer role, identity label length, error sanitization
- RBAC: Viewer role changed from prefix "system." to explicit allowlist of safe read-only methods. Prevents Viewer access to system.factory-reset, system.shutdown, system.reboot, system.disk-cleanup.
- identity.create: Name/label param now enforces max 100 chars.
- sanitize_error_message: Changed from contains() to starts_with() for prefix matching, preventing internal errors that happen to contain user-facing keywords from leaking through.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
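The three checks the commit message describes, written out as an added Rust illustration that is not the project's own code: an exact-match allowlist beside the prefix check it replaces, a prefix-anchored error sanitizer beside the `contains()` version, and a label-length bound. Every name here (`can_call`, `can_call_prefix`, `VIEWER_READ_ONLY_METHODS`, `USER_FACING_PREFIXES`, `sanitize_contains`, `sanitize_starts_with`, `validate_label`) and the sample internal error string are assumptions chosen for the example; only the method names mirror the diff.

```rust
// Added illustration, not the project's code. Method names mirror the diff;
// everything else (function names, user-facing prefixes, sample error) is assumed.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum UserRole {
    Admin,
    Viewer,
}

// Hypothetical allowlist of read-only methods a Viewer may call.
const VIEWER_READ_ONLY_METHODS: &[&str] = &[
    "system.stats",
    "system.processes",
    "system.temperature",
    "system.disk-status",
    "system.detect-usb-devices",
    "federation.list",
    "dwn.status",
];

impl UserRole {
    /// The weak check the commit replaces: any "system.*" method passes,
    /// so destructive methods under that namespace are granted to Viewer.
    pub fn can_call_prefix(self, method: &str) -> bool {
        match self {
            UserRole::Admin => true,
            UserRole::Viewer => method.starts_with("system."),
        }
    }

    /// Explicit allowlist with exact comparison: anything not listed,
    /// including methods added later, is denied by default.
    pub fn can_call(self, method: &str) -> bool {
        match self {
            UserRole::Admin => true,
            UserRole::Viewer => VIEWER_READ_ONLY_METHODS.contains(&method),
        }
    }
}

// Hypothetical: error messages that are safe to show verbatim start with one of these.
const USER_FACING_PREFIXES: &[&str] = &["invalid request", "not found", "permission denied"];
const GENERIC_ERROR: &str = "internal error";

/// Weak sanitizer: a keyword anywhere in the message lets the whole
/// message through, so an internal error that mentions "not found" leaks.
pub fn sanitize_contains(msg: &str) -> String {
    if USER_FACING_PREFIXES.iter().any(|k| msg.contains(k)) {
        msg.to_string()
    } else {
        GENERIC_ERROR.to_string()
    }
}

/// Prefix sanitizer: only messages that begin with a user-facing prefix
/// are returned; everything else collapses to the generic text.
pub fn sanitize_starts_with(msg: &str) -> String {
    if USER_FACING_PREFIXES.iter().any(|k| msg.starts_with(k)) {
        msg.to_string()
    } else {
        GENERIC_ERROR.to_string()
    }
}

/// Upper bound on an identity label, counted in Unicode scalar values.
/// Counting bytes instead would be a different (stricter) limit; pick one
/// explicitly and document it.
pub const MAX_LABEL_LEN: usize = 100;

pub fn validate_label(label: &str) -> Result<&str, String> {
    let n = label.chars().count();
    if n > MAX_LABEL_LEN {
        return Err(format!("label exceeds {} chars", MAX_LABEL_LEN));
    }
    Ok(label)
}

fn main() {
    // Constructed internal error that happens to contain a user-facing keyword.
    let internal = "sqlite: table identities not found at /var/lib/app/db.sqlite";
    println!("contains():    {}", sanitize_contains(internal));
    println!("starts_with(): {}", sanitize_starts_with(internal));
    for m in ["system.stats", "system.factory-reset", "system.shutdown", "node.list"] {
        println!(
            "{}: prefix={} allowlist={}",
            m,
            UserRole::Viewer.can_call_prefix(m),
            UserRole::Viewer.can_call(m)
        );
    }
}
```

The allowlist denies by default, which is the property that matters: a new `system.*` method lands in the denied set until someone adds it deliberately, whereas the prefix check silently grants it.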
@@ -32,8 +32,13 @@ impl UserRole {
match self {
UserRole::Admin => true,
UserRole::Viewer => {
// Read-only methods
method.starts_with("system.")
// Read-only system methods (explicit allowlist — NOT prefix "system."
// which would grant access to system.factory-reset, system.shutdown, etc.)
method == "system.stats"
|| method == "system.processes"
|| method == "system.temperature"
|| method == "system.disk-status"
|| method == "system.detect-usb-devices"
|| method.starts_with("node.")
|| method.starts_with("federation.list")
|| method.starts_with("dwn.status")
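Review bot: the three prefix checks left in the Viewer arm (`method.starts_with("node.")`, `method.starts_with("federation.list")`, `method.starts_with("dwn.status")`) keep the pattern this hunk removes for `system.`: any method that merely begins with those strings, including ones added later, is granted to Viewer. The last two have no trailing separator, so a future `federation.list-remove` or `dwn.status-reset` would also pass. Unless every `node.*` method is read-only by design, enumerate them the way the `system.*` entries now are, and compare `federation.list` and `dwn.status` with `==`; `matches!(method, "system.stats" | "system.processes" | ...)` is the idiomatic form for the chain of `==`. A unit test asserting that Viewer is denied `system.factory-reset`, `system.shutdown`, `system.reboot` and `system.disk-cleanup` would pin the behaviour the commit message describes.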