diff --git a/cmd/access.go b/cmd/access.go index 7ffd1608..b3cacfa5 100644 --- a/cmd/access.go +++ b/cmd/access.go @@ -96,17 +96,23 @@ func changeAccess(c *cli.Context, manager auth.Manager, username string, topic s } read := util.InStringList([]string{"read-write", "rw", "read-only", "read", "ro"}, perms) write := util.InStringList([]string{"read-write", "rw", "write-only", "write", "wo"}, perms) + user, err := manager.User(username) + if err == auth.ErrNotFound { + return fmt.Errorf("user %s does not exist", username) + } else if user.Role == auth.RoleAdmin { + return fmt.Errorf("user %s is an admin user, access control entries have no effect", username) + } if err := manager.AllowAccess(username, topic, read, write); err != nil { return err } if read && write { - fmt.Fprintf(c.App.ErrWriter, "Granted read-write access to topic %s\n\n", topic) + fmt.Fprintf(c.App.ErrWriter, "granted read-write access to topic %s\n\n", topic) } else if read { - fmt.Fprintf(c.App.ErrWriter, "Granted read-only access to topic %s\n\n", topic) + fmt.Fprintf(c.App.ErrWriter, "granted read-only access to topic %s\n\n", topic) } else if write { - fmt.Fprintf(c.App.ErrWriter, "Granted write-only access to topic %s\n\n", topic) + fmt.Fprintf(c.App.ErrWriter, "granted write-only access to topic %s\n\n", topic) } else { - fmt.Fprintf(c.App.ErrWriter, "Revoked all access to topic %s\n\n", topic) + fmt.Fprintf(c.App.ErrWriter, "revoked all access to topic %s\n\n", topic) } return showUserAccess(c, manager, username) } @@ -124,7 +130,7 @@ func resetAllAccess(c *cli.Context, manager auth.Manager) error { if err := manager.ResetAccess("", ""); err != nil { return err } - fmt.Fprintln(c.App.ErrWriter, "Reset access for all users") + fmt.Fprintln(c.App.ErrWriter, "reset access for all users") return nil } @@ -132,7 +138,7 @@ func resetUserAccess(c *cli.Context, manager auth.Manager, username string) erro if err := manager.ResetAccess(username, ""); err != nil { return err } - fmt.Fprintf(c.App.ErrWriter, "Reset access for user %s\n\n", username) + fmt.Fprintf(c.App.ErrWriter, "reset access for user %s\n\n", username) return showUserAccess(c, manager, username) } @@ -140,7 +146,7 @@ func resetUserTopicAccess(c *cli.Context, manager auth.Manager, username string, if err := manager.ResetAccess(username, topic); err != nil { return err } - fmt.Fprintf(c.App.ErrWriter, "Reset access for user %s and topic %s\n\n", username, topic) + fmt.Fprintf(c.App.ErrWriter, "reset access for user %s and topic %s\n\n", username, topic) return showUserAccess(c, manager, username) } @@ -171,7 +177,7 @@ func showUserAccess(c *cli.Context, manager auth.Manager, username string) error func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error { for _, user := range users { - fmt.Fprintf(c.App.ErrWriter, "User %s (%s)\n", user.Name, user.Role) + fmt.Fprintf(c.App.ErrWriter, "user %s (%s)\n", user.Name, user.Role) if user.Role == auth.RoleAdmin { fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n") } else if len(user.Grants) > 0 { diff --git a/cmd/user.go b/cmd/user.go index 62f703b9..cd9c9e87 100644 --- a/cmd/user.go +++ b/cmd/user.go @@ -144,7 +144,7 @@ func execUserAdd(c *cli.Context) error { if user, _ := manager.User(username); user != nil { return fmt.Errorf("user %s already exists", username) } - password, err := readPassword(c) + password, err := readPasswordAndConfirm(c) if err != nil { return err } @@ -190,7 +190,7 @@ func execUserChangePass(c *cli.Context) error { if _, err := manager.User(username); err == auth.ErrNotFound { return fmt.Errorf("user %s does not exist", username) } - password, err := readPassword(c) + password, err := readPasswordAndConfirm(c) if err != nil { return err } @@ -250,13 +250,13 @@ func createAuthManager(c *cli.Context) (auth.Manager, error) { return auth.NewSQLiteAuth(authFile, authDefaultRead, authDefaultWrite) } -func readPassword(c *cli.Context) (string, error) { - fmt.Fprint(c.App.ErrWriter, "Enter Password: ") +func readPasswordAndConfirm(c *cli.Context) (string, error) { + fmt.Fprint(c.App.ErrWriter, "password: ") password, err := util.ReadPassword(c.App.Reader) if err != nil { return "", err } - fmt.Fprintf(c.App.ErrWriter, "\r%s\rConfirm: ", strings.Repeat(" ", 25)) + fmt.Fprintf(c.App.ErrWriter, "\r%s\rconfirm: ", strings.Repeat(" ", 25)) confirm, err := util.ReadPassword(c.App.Reader) if err != nil { return "", err diff --git a/docs/config.md b/docs/config.md index 5b9d45a0..d6b136af 100644 --- a/docs/config.md +++ b/docs/config.md @@ -205,13 +205,13 @@ ntfy access --reset phil mytopic # Reset access for user phil and topic mytopi **Example ACL:** ``` $ ntfy access -User phil (admin) +user phil (admin) - read-write access to all topics (admin role) -User ben (user) +user ben (user) - read-write access to topic garagedoor - read-write access to topic alerts* - read-only access to topic furnace -User * (anonymous) +user * (anonymous) - read-only access to topic announcements - read-only access to topic server-stats - no access to any (other) topics (server config) @@ -235,9 +235,9 @@ After that, simply create an `admin` user: ``` $ ntfy user add --role=admin phil -Password: mypass -Confirm: mypass -User phil added with role admin +password: mypass +confirm: mypass +user phil added with role admin ``` Once you've done that, you can publish and subscribe using [Basic Auth](https://en.wikipedia.org/wiki/Basic_access_authentication)