ACLs portctl_no and portctl_only for limiting port control targets

Changes

@@ -1,3 +1,9 @@
+2.049002 - 2021-09-03
+
+  [NEW FEATURES]
+
+  * ACLs portctl_no and portctl_only for limiting port control targets
+
 2.049001 - 2021-08-22
 
   [ENHANCEMENTS]

lib/App/Netdisco/Util/Port.pm

@@ -4,6 +4,7 @@ use Dancer qw/:syntax :script/;
 use Dancer::Plugin::DBIC 'schema';
 
 use App::Netdisco::Util::Device 'get_device';
+use App::Netdisco::Util::Permission qw/check_acl_no check_acl_only/;
 
 use base 'Exporter';
 our @EXPORT = ();
@@ -68,6 +69,10 @@ sub vlan_reconfig_check {
 
 =item *
 
+Permission check that C<portctl_no> and C<portctl_only> pass for the device.
+
+=item *
+
 Permission check that C<portctl_nameonly> is false in Netdisco config.
 
 =item *
@@ -99,6 +104,12 @@ sub port_reconfig_check {
   my $has_phone = port_has_phone($port);
   my $is_vlan   = is_vlan_interface($port);
 
+  # check for limits on devices
+  return "forbidden: device [$ip] is in denied ACL"
+    if check_acl_no($ip, 'portctl_no');
+  return "forbidden: device [$ip] is not in permitted ACL"
+    unless check_acl_only($ip, 'portctl_only');
+
   # only permitted to change interface name
   return "forbidden: not permitted to change port configuration"
     if setting('portctl_nameonly');

share/config.yml

@@ -184,6 +184,8 @@ table_showrecordsmenu:
   - [10, 25, 50, 100, 'All']
 vlanctl: true
 portctl_nameonly: false
+portctl_no: []
+portctl_only: []
 portctl_nophones: false
 portctl_vlans: false
 portctl_uplinks: false