client/web: add new readonly mode #10999
Conversation
client/web/web.go
Outdated
| @@ -58,6 +58,7 @@ type Server struct { | |||
| devMode bool | |||
| cgiMode bool | |||
| pathPrefix string | |||
| readonly bool | |||
There was a problem hiding this comment.
good catch. That was from before I decided to add a new server mode.
| // ReadOnlyServerMode is identical to LoginServerMode, | ||
| // but does not present a login button to switch to manage mode, | ||
| // even if the management client is running and reachable. | ||
| ReadOnlyServerMode ServerMode = "readonly" |
There was a problem hiding this comment.
nit: maybe add to the docs here why we are adding this
| @@ -94,20 +96,24 @@ func runWeb(ctx context.Context, args []string) error { | |||
| if prefs, err := localClient.GetPrefs(ctx); err == nil { | |||
| existingWebClient = prefs.RunWebClient | |||
| } | |||
| if !existingWebClient { | |||
| if !existingWebClient && !webArgs.readonly { | |||
There was a problem hiding this comment.
I think you also have to check down below in the cleanup on ctx.Done() to not stop it if we were in readonly mode.
Could just add a var here processStartedManagmentClient or something that we can set in this if and just use below.
| @@ -224,7 +229,7 @@ function LoginPopoverContent({ | |||
| ) : ( | |||
| // User is connected over tailscale, but doesn't have permission to manage. | |||
| <p className="text-gray-500 text-xs"> | |||
| You don’t have permission to make changes to this device, but you | |||
| You don't have permission to make changes to this device, but you | |||
There was a problem hiding this comment.
this was intentional. This was using a smart quote, which is typographically correct, but we don't actually use it anywhere else, so this change makes things uniform. I believe this came over from copy/pasting the text from Figma.
There was a problem hiding this comment.
I don't think our linter catches it over here, but on the admin panel we enforce smart quotes I believe.
There was a problem hiding this comment.
oh, interesting! I'll go look at that real quick and potentially update the other way here
There was a problem hiding this comment.
reverted this change. I'll do a follow-up PR to add the curly-quotes linter rule and fix the web client.
| This web interface is running in read-only mode. Use the Tailscale | ||
| CLI or a different client app to manage this device. |
There was a problem hiding this comment.
I like having this snippet here, although I fear it's a little confusing because of how general it is. I think we should leave it at "This web interface is running in read-only mode." and provide a link out to a KB that explains a little more based on platform.
There was a problem hiding this comment.
done. I'm using the existing tailscale.com/s/ KB link for now, since it just goes to the main articles about the web interface. If we do end linking to specific sections of that page, we'll want to switch this for a specific link about readonly mode.
willnorris
force-pushed
the
will/webui-readonly
branch
from
8ab4fcf
to
9c1a393
Compare
| <p className="text-gray-500 text-xs"> | ||
| This web interface is running in read-only mode.{" "} | ||
| <a | ||
| href="https://tailscale.com/s/web-client-connection" |
There was a problem hiding this comment.
Anything set up over there yet?
There was a problem hiding this comment.
Not specific to read-only mode. I'll actually go ahead and make this a dedicated short link for readonly mode, and then work on a PR to add docs before the 1.60 release.
| @@ -224,7 +229,7 @@ function LoginPopoverContent({ | |||
| ) : ( | |||
| // User is connected over tailscale, but doesn't have permission to manage. | |||
| <p className="text-gray-500 text-xs"> | |||
| You don’t have permission to make changes to this device, but you | |||
| You don't have permission to make changes to this device, but you | |||
There was a problem hiding this comment.
I don't think our linter catches it over here, but on the admin panel we enforce smart quotes I believe.
willnorris
force-pushed
the
will/webui-readonly
branch
from
9c1a393
to
f1ea00e
Compare
The new read-only mode is only accessible when running `tailscale web` by passing a new `-readonly` flag. This new mode is identical to the existing login mode with two exceptions: - the management client in tailscaled is not started (though if it is already running, it is left alone) - the client does not prompt the user to login or switch to the management client. Instead, a message is shown instructing the user to use other means to manage the device. Updates #10979 Signed-off-by: Will Norris <will@tailscale.com>
willnorris
force-pushed
the
will/webui-readonly
branch
from
f1ea00e
to
b09b697
Compare
The new read-only mode is only accessible when running
tailscale webby passing a new-readonlyflag. This new mode is identical to the existing login mode with two exceptions:the management client in tailscaled is not started (though if it is already running, it is left alone)
the client does not prompt the user to login or switch to the management client. Instead, a message is shown instructing the user to use other means to manage the device.
I implemented this as a new mode rather than a separate boolean flag on the server, since otherwise it was not obvious to me what it would mean to have a client in manage mode with a read-only flag. Those things are mutually exclusive, so adding a new mode seemed appropriate.
Updates #10979