From ffd627f2a1aec456a9f8320a4bc5be6c9d54d7f4 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Sun, 19 Apr 2020 17:16:44 +0200
Subject: [PATCH] luci-compat: disable legacy cbi forms on insufficient ACLs

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---
 .../luci-compat/luasrc/view/cbi/footer.htm    |  6 ++---
 .../luci-compat/luasrc/view/cbi/header.htm    |  3 +++
 modules/luci-compat/luasrc/view/cbi/map.htm   | 24 ++++++++++++++++++-
 3 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/modules/luci-compat/luasrc/view/cbi/footer.htm b/modules/luci-compat/luasrc/view/cbi/footer.htm
index fecf1bce7..176f10c5e 100644
--- a/modules/luci-compat/luasrc/view/cbi/footer.htm
+++ b/modules/luci-compat/luasrc/view/cbi/footer.htm
@@ -19,15 +19,15 @@
 		end
 
 		if display_apply then
-			%><input class="btn cbi-button cbi-button-apply" type="button" value="<%:Save & Apply%>" onclick="cbi_submit(this, 'cbi.apply')" /> <%
+			%><input class="btn cbi-button cbi-button-apply" type="button" value="<%:Save & Apply%>" onclick="cbi_submit(this, 'cbi.apply')"<%=ifattr(not has_writeable_map, "disabled")%> /> <%
 		end
 
 		if display_save then
-			%><input class="btn cbi-button cbi-button-save" type="submit" value="<%:Save%>" /> <%
+			%><input class="btn cbi-button cbi-button-save" type="submit" value="<%:Save%>"<%=ifattr(not has_writeable_map, "disabled")%> /> <%
 		end
 
 		if display_reset then
-			%><input class="btn cbi-button cbi-button-reset" type="button" value="<%:Reset%>" onclick="location.href='<%=REQUEST_URI%>'" /> <%
+			%><input class="btn cbi-button cbi-button-reset" type="button" value="<%:Reset%>" onclick="location.href='<%=REQUEST_URI%>'"<%=ifattr(not has_writeable_map, "disabled")%> /> <%
 		end
 
 		%></div><%
diff --git a/modules/luci-compat/luasrc/view/cbi/header.htm b/modules/luci-compat/luasrc/view/cbi/header.htm
index 821fa3efa..9d7ea5079 100644
--- a/modules/luci-compat/luasrc/view/cbi/header.htm
+++ b/modules/luci-compat/luasrc/view/cbi/header.htm
@@ -1,4 +1,7 @@
 <%+header%>
+
+<% local has_writeable_map = false %>
+
 <form method="post" name="cbi" action="<%=REQUEST_URI%>" enctype="multipart/form-data" onreset="return cbi_validate_reset(this)" onsubmit="return cbi_validate_form(this, '<%:Some fields are invalid, cannot save values!%>')"<%=
 	attr("data-strings", luci.util.serialize_json({
 		label = {
diff --git a/modules/luci-compat/luasrc/view/cbi/map.htm b/modules/luci-compat/luasrc/view/cbi/map.htm
index cda4d3530..530d1fec6 100644
--- a/modules/luci-compat/luasrc/view/cbi/map.htm
+++ b/modules/luci-compat/luasrc/view/cbi/map.htm
@@ -2,7 +2,26 @@
 	<div class="alert-message warning"><%=pcdata(msg)%></div>
 <%- end end -%>
 
-<div class="cbi-map" id="cbi-<%=self.config%>">
+<%
+  local function has_access(config, level)
+    local rv = luci.util.ubus("session", "access", {
+		ubus_rpc_session = luci.dispatcher.context.authsession,
+		scope = "uci",
+		object = config,
+		["function"] = level
+    })
+
+    return (type(rv) == "table" and rv.access == true) or false
+  end
+
+  local is_readable = has_access(self.config, "read")
+  local is_writable = has_access(self.config, "write")
+
+  has_writeable_map = has_writeable_map or is_writable
+%>
+
+<% if is_readable then %>
+<div class="cbi-map" id="cbi-<%=self.config%>"<%=ifattr(not is_writable, "style", "opacity:.6; pointer-events:none")%>>
 	<% if self.title and #self.title > 0 then %>
 		<h2 name="content"><%=self.title%></h2>
 	<% end %>
@@ -38,3 +57,6 @@
 		<%- self:render_children() %>
 	<% end %>
 </div>
+<% else %>
+<div class="alert-message warning"><%:Insufficient permissions to read UCI configuration.%></div>
+<% end %>
-- 
2.25.1