luci-base: use native ubus-rpc authorization protocol

Instead of granting complete ubus access under the active sysauth session,
implement the ubus-rpc authorization mechanism and make the ubus proxy
endpoint unauthenticated.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

1 files changed, 17 insertions, 1 deletions

diff --git a/modules/luci-base/luasrc/controller/admin/index.lua b/modules/luci-base/luasrc/controller/admin/index.lua
index 3f2b465879..b0427d6c05 100644
--- a/modules/luci-base/luasrc/controller/admin/index.lua
+++ b/modules/luci-base/luasrc/controller/admin/index.lua
@@ -96,6 +96,7 @@ function index()
 	page.leaf = true
 
 	page = entry({"admin", "ubus"}, call("action_ubus"), nil)
+	page.sysauth = false
 	page.leaf = true
 
 	-- Logout is last
@@ -165,6 +166,17 @@ local ubus_types = {
 	"double"
 }
 
+local function ubus_access(sid, obj, fun)
+	local res, code = luci.util.ubus("session", "access", {
+		ubus_rpc_session = sid,
+		scope            = "ubus",
+		object           = obj,
+		["function"]     = fun
+	})
+
+	return (type(res) == "table" and res.access == true)
+end
+
 local function ubus_request(req)
 	if type(req) ~= "table" or type(req.method) ~= "string" or type(req.params) ~= "table" or
 	   #req.params < 2 or req.jsonrpc ~= "2.0" or req.id == nil then
@@ -177,10 +189,14 @@ local function ubus_request(req)
 			return ubus_reply(req.id, nil, -32602, "Invalid parameters")
 		end
 
-		if sid == "00000000000000000000000000000000" then
+		if sid == "00000000000000000000000000000000" and luci.dispatcher.context.authsession then
 			sid = luci.dispatcher.context.authsession
 		end
 
+		if not ubus_access(sid, obj, fun) then
+			return ubus_reply(req.id, nil, -32002, "Access denied")
+		end
+
 		arg.ubus_rpc_session = sid
 
 		local res, code = luci.util.ubus(obj, fun, arg)