From 75a199690c56e997876b17ffb08b394765d77b35 Mon Sep 17 00:00:00 2001
From: Oliver Gorwits
Date: Sun, 22 Apr 2018 18:49:15 +0100
Subject: [PATCH] #400 add defanged_admin config to allow disabling of risky actions
---
 lib/App/Netdisco/Web/AdminTask.pm | 2 +-
 lib/App/Netdisco/Web/Plugin/AdminTask/Users.pm | 6 +++---
 share/config.yml | 1 +
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/App/Netdisco/Web/AdminTask.pm b/lib/App/Netdisco/Web/AdminTask.pm
index 01db3408..944a5f48 100644
--- a/lib/App/Netdisco/Web/AdminTask.pm
+++ b/lib/App/Netdisco/Web/AdminTask.pm
@@ -44,7 +44,7 @@ foreach my $action (@{ setting('job_prio')->{high} },
 };
 }
-ajax qr{/ajax/control/admin/(?:\w+/)?delete} => require_role admin => sub {
+ajax qr{/ajax/control/admin/(?:\w+/)?delete} => require_role setting('defanged_admin') => sub {
 send_error('Missing device', 400) unless param('device');
 my $device = NetAddr::IP->new(param('device'));
diff --git a/lib/App/Netdisco/Web/Plugin/AdminTask/Users.pm b/lib/App/Netdisco/Web/Plugin/AdminTask/Users.pm
index a4f6c35a..94893702 100644
--- a/lib/App/Netdisco/Web/Plugin/AdminTask/Users.pm
+++ b/lib/App/Netdisco/Web/Plugin/AdminTask/Users.pm
@@ -31,7 +31,7 @@ sub _make_password {
 }
 }
-ajax '/ajax/control/admin/users/add' => require_role admin => sub {
+ajax '/ajax/control/admin/users/add' => require_role setting('defanged_admin') => sub {
 send_error('Bad Request', 400) unless _sanity_ok();
 schema('netdisco')->txn_do(sub {
@@ -48,7 +48,7 @@ ajax '/ajax/control/admin/users/add' => require_role admin => sub {
 });
 };
-ajax '/ajax/control/admin/users/del' => require_role admin => sub {
+ajax '/ajax/control/admin/users/del' => require_role setting('defanged_admin') => sub {
 send_error('Bad Request', 400) unless _sanity_ok();
 schema('netdisco')->txn_do(sub {
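Review bot: In lib/App/Netdisco/Web/AdminTask.pm the new `require_role setting('defanged_admin')` on the device delete route is evaluated once, when the route is registered, and nothing checks that the setting holds a usable role name. If a deployment config leaves the key undefined or empty, the outcome depends on how `require_role` treats such a value, which this hunk does not show, so the guard may not fail closed. Failing at load is safer, for example `die "defanged_admin must name a role\n" unless length(setting('defanged_admin') // '');` ahead of the route definitions. A comment such as `# role is read at load time; restart after changing defanged_admin` would also help operators. The handler body continues past the end of the hunk.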
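Review bot: On the users/add route in Users.pm, and on the users/del and users/update routes in the hunks that follow, the required role is now whatever string the operator configures, so the setting can widen access as well as remove it. If `defanged_admin` names a role that ordinary accounts hold, those accounts would reach user management; the handler bodies are only partly visible here, but presumably they create and edit accounts, privileged ones included. Consider stating the constraint where the routes are defined, e.g. `# defanged_admin must be 'admin' or a role no account holds`, or rejecting any other value at startup.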
@@ -57,7 +57,7 @@ ajax '/ajax/control/admin/users/del' => require_role admin => sub {
 });
 };
-ajax '/ajax/control/admin/users/update' => require_role admin => sub {
+ajax '/ajax/control/admin/users/update' => require_role setting('defanged_admin') => sub {
 send_error('Bad Request', 400) unless _sanity_ok();
 schema('netdisco')->txn_do(sub {
diff --git a/share/config.yml b/share/config.yml
index 2f8eb9a4..206f8235 100644
--- a/share/config.yml
+++ b/share/config.yml
@@ -193,6 +193,7 @@ port_control_reasons:
 check_userlog: true
 devport_vlan_limit: 150
 login_logo: ""
+defanged_admin: 'admin'
 # -------------
 # NETDISCO CORE
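Review bot: The new `defanged_admin: 'admin'` default in share/config.yml carries no comment, and the key name reads like a boolean although the value is a role name handed to `require_role`. An operator who writes `defanged_admin: true` would be configuring a role called "true" rather than switching a flag. A comment above the key would prevent that, e.g. `# role required for device delete and user add/del/update; name a role no user holds to disable them`, assuming that is the intended way to disable the actions.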