Closed
Description
Found a number of permissions-related issues relating to l2 connections. There's no workgroup_id passed to the following APIs, and as they're read operations on connections, they require checking if the user is in a workgroup that owns one of the interfaces or in the workgroup which owns the connection. We don't have a method to check this atm, so a resolution would involve two things.
- Method to check if user may view the connection
- Application of preceding method to listed APIs
---
data.cgi:
get circuit details: bad (requires adding workgroup_id param, or new conn perm check)
generate clr: bad (requires adding workgroup_id param, or new conn perm check)
get circuit details by external identifier: bad (requires adding workgroup_id param, or new conn perm check)
get circuits by interface id: bad (read-only system users. not used by frontend)
get circuit history: bad (read-only users) (requires adding workgroup_id param, or new conn perm check)
get circuit scheduled events: bad (read-only users) (requires adding workgroup_id param, or new conn perm check)
measurement.cgi:
get circuit data: bad (read-only users) (requires adding workgroup_id param, or new conn perm check)
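
The view check the issue asks for, as an added sketch that is not the project's code: a read is allowed when the caller belongs to the workgroup that owns the connection or to a workgroup that owns one of its interfaces. The data model, function names and sample records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    # Hypothetical shape: owning workgroup of the connection, plus the owning
    # workgroup of each interface it terminates on (None = unowned interface).
    connection_id: int
    workgroup_id: int
    interface_workgroups: frozenset


class PermissionDenied(Exception):
    pass


def user_can_view_connection(user_workgroups, conn):
    """True if the user is in the connection's workgroup or in a workgroup
    that owns one of the connection's interfaces."""
    allowed = {conn.workgroup_id} | set(conn.interface_workgroups)
    allowed.discard(None)  # an unowned interface grants access to nobody
    return bool(allowed & set(user_workgroups))


def get_circuit_details(username, connection_id, memberships, connections):
    """Read handler sketch: membership is looked up server-side for the
    authenticated user, never taken from a request parameter."""
    conn = connections.get(connection_id)
    user_workgroups = memberships.get(username, set())
    # Same error for "missing" and "not allowed" so ids cannot be enumerated.
    if conn is None or not user_can_view_connection(user_workgroups, conn):
        raise PermissionDenied(f"connection {connection_id} not accessible")
    return {"connection_id": conn.connection_id,
            "workgroup_id": conn.workgroup_id}


# Constructed sample data: connection 1 is owned by workgroup 10 and
# terminates on one interface owned by workgroup 20 and one unowned interface.
CONNECTIONS = {1: Connection(1, 10, frozenset({20, None}))}
MEMBERSHIPS = {"alice": {10}, "bob": {20}, "mallory": {30}}

if __name__ == "__main__":
    for name in ("alice", "bob", "mallory"):
        try:
            print(name, get_circuit_details(name, 1, MEMBERSHIPS, CONNECTIONS))
        except PermissionDenied as exc:
            print(name, "denied:", exc)
```
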