Compare commits
25 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 71807c8815 | |||
| 462a1a3611 | |||
| ee27bee716 | |||
| 429cd44ac5 | |||
| 274f210337 | |||
| c0f12ce931 | |||
| dd4e0ca564 | |||
| f533208b37 | |||
| bb74edf4c1 | |||
| e5cc075938 | |||
| 4ec4a293c0 | |||
| 720e94c54a | |||
| 2be17c70db | |||
| 31686a35d5 | |||
| 8769308dfd | |||
| f5848907f5 | |||
| f953fde2be | |||
| 9a37eda302 | |||
| 4b29f55518 | |||
| e8796d443e | |||
| 24aad5cdc0 | |||
| 27c1584dc3 | |||
| c89adeea97 | |||
| 8f51be8515 | |||
| 0490a1220b |
@@ -1,7 +1,7 @@
|
|||||||
{
|
{
|
||||||
"name": "dashboard/unifi",
|
"name": "dashboard/unifi",
|
||||||
"description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform",
|
"description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform",
|
||||||
"version": "1.5.1",
|
"version": "1.13.1",
|
||||||
"type": "library",
|
"type": "library",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"autoload": {
|
"autoload": {
|
||||||
@@ -27,7 +27,6 @@
|
|||||||
{ "label": "Devices", "route_name": "unifi.devices", "icon": "cpu-chip", "permission": "unifi.stats", "sort_order": 3 },
|
{ "label": "Devices", "route_name": "unifi.devices", "icon": "cpu-chip", "permission": "unifi.stats", "sort_order": 3 },
|
||||||
{ "label": "Clients", "route_name": "unifi.clients", "icon": "users", "permission": "unifi.stats", "sort_order": 4 },
|
{ "label": "Clients", "route_name": "unifi.clients", "icon": "users", "permission": "unifi.stats", "sort_order": 4 },
|
||||||
{ "label": "WiFi Networks", "route_name": "unifi.wifi", "icon": "wifi", "permission": "unifi.manage", "sort_order": 5 },
|
{ "label": "WiFi Networks", "route_name": "unifi.wifi", "icon": "wifi", "permission": "unifi.manage", "sort_order": 5 },
|
||||||
{ "label": "Portal", "route_name": "unifi.portal.settings", "icon": "shield-check", "permission": "unifi.auth", "sort_order": 6 },
|
|
||||||
{ "label": "Settings", "route_name": "unifi.settings", "icon": "cog-6-tooth", "permission": "unifi.settings", "sort_order": 99 }
|
{ "label": "Settings", "route_name": "unifi.settings", "icon": "cog-6-tooth", "permission": "unifi.settings", "sort_order": 99 }
|
||||||
],
|
],
|
||||||
"permissions": [
|
"permissions": [
|
||||||
|
|||||||
@@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
use Illuminate\Database\Schema\Blueprint;
|
||||||
|
use Illuminate\Support\Facades\Schema;
|
||||||
|
|
||||||
|
return new class extends Migration
|
||||||
|
{
|
||||||
|
public function up(): void
|
||||||
|
{
|
||||||
|
Schema::table('unifi_webhook_configs', function (Blueprint $table) {
|
||||||
|
if (! Schema::hasColumn('unifi_webhook_configs', 'tracked_clients')) {
|
||||||
|
$table->json('tracked_clients')->nullable()->after('device_filter');
|
||||||
|
}
|
||||||
|
if (! Schema::hasColumn('unifi_webhook_configs', 'templates')) {
|
||||||
|
$table->json('templates')->nullable()->after('tracked_clients');
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
public function down(): void
|
||||||
|
{
|
||||||
|
Schema::table('unifi_webhook_configs', function (Blueprint $table) {
|
||||||
|
if (Schema::hasColumn('unifi_webhook_configs', 'templates')) {
|
||||||
|
$table->dropColumn('templates');
|
||||||
|
}
|
||||||
|
if (Schema::hasColumn('unifi_webhook_configs', 'tracked_clients')) {
|
||||||
|
$table->dropColumn('tracked_clients');
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
};
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
use Illuminate\Database\Schema\Blueprint;
|
||||||
|
use Illuminate\Support\Facades\Schema;
|
||||||
|
|
||||||
|
return new class extends Migration
|
||||||
|
{
|
||||||
|
public function up(): void
|
||||||
|
{
|
||||||
|
Schema::table('unifi_device_states', function (Blueprint $table) {
|
||||||
|
if (! Schema::hasColumn('unifi_device_states', 'consecutive_count')) {
|
||||||
|
$table->unsignedSmallInteger('consecutive_count')->default(0)->after('in_alert');
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
public function down(): void
|
||||||
|
{
|
||||||
|
Schema::table('unifi_device_states', function (Blueprint $table) {
|
||||||
|
if (Schema::hasColumn('unifi_device_states', 'consecutive_count')) {
|
||||||
|
$table->dropColumn('consecutive_count');
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
};
|
||||||
@@ -0,0 +1,62 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
use Illuminate\Database\Schema\Blueprint;
|
||||||
|
use Illuminate\Support\Facades\DB;
|
||||||
|
use Illuminate\Support\Facades\Schema;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Brings unifi_page_grants to parity with adm_access_grants /
|
||||||
|
* directory_access_grants: widens grantee_type to include 'default' and
|
||||||
|
* 'role', allows a NULL grantee_id (used by the per-page default row),
|
||||||
|
* and adds a can_view column. The default row's can_view carries the
|
||||||
|
* deny/allow fallback for users not matched by a more specific grant
|
||||||
|
* (deny by default — no row means deny).
|
||||||
|
*
|
||||||
|
* Existing user/group rows keep working: adding can_view with a default
|
||||||
|
* of true backfills them as explicit allow grants.
|
||||||
|
*/
|
||||||
|
return new class extends Migration
|
||||||
|
{
|
||||||
|
public function up(): void
|
||||||
|
{
|
||||||
|
if (! Schema::hasTable('unifi_page_grants')) return;
|
||||||
|
|
||||||
|
// Widen the enum and allow NULL grantee_id (default rows). MySQL
|
||||||
|
// enum changes require raw DDL.
|
||||||
|
DB::statement("ALTER TABLE unifi_page_grants MODIFY grantee_type ENUM('default','user','group','role') NOT NULL");
|
||||||
|
DB::statement("ALTER TABLE unifi_page_grants MODIFY grantee_id BIGINT UNSIGNED NULL");
|
||||||
|
|
||||||
|
if (! Schema::hasColumn('unifi_page_grants', 'can_view')) {
|
||||||
|
Schema::table('unifi_page_grants', function (Blueprint $table) {
|
||||||
|
$table->boolean('can_view')->default(true)->after('grantee_id');
|
||||||
|
});
|
||||||
|
|
||||||
|
// Belt and braces: make sure every pre-existing user/group row
|
||||||
|
// is an explicit allow grant.
|
||||||
|
DB::table('unifi_page_grants')->update(['can_view' => true]);
|
||||||
|
}
|
||||||
|
|
||||||
|
// The unique index on (nav_item_id, grantee_type, grantee_id)
|
||||||
|
// already exists from the create migration
|
||||||
|
// ('unifi_page_grants_unique') and still applies — grantee_id is
|
||||||
|
// NULL for default rows, and MySQL treats NULLs as distinct, so
|
||||||
|
// app code enforces one default row per nav_item.
|
||||||
|
}
|
||||||
|
|
||||||
|
public function down(): void
|
||||||
|
{
|
||||||
|
if (! Schema::hasTable('unifi_page_grants')) return;
|
||||||
|
|
||||||
|
if (Schema::hasColumn('unifi_page_grants', 'can_view')) {
|
||||||
|
Schema::table('unifi_page_grants', function (Blueprint $table) {
|
||||||
|
$table->dropColumn('can_view');
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
DB::table('unifi_page_grants')->whereIn('grantee_type', ['default', 'role'])->delete();
|
||||||
|
|
||||||
|
DB::statement("ALTER TABLE unifi_page_grants MODIFY grantee_type ENUM('user','group') NOT NULL");
|
||||||
|
DB::statement("ALTER TABLE unifi_page_grants MODIFY grantee_id BIGINT UNSIGNED NOT NULL");
|
||||||
|
}
|
||||||
|
};
|
||||||
@@ -32,9 +32,16 @@ class RotatePasswords extends Command
|
|||||||
$run = UnifiCronRun::record('rotate-passwords', $triggeredBy, null, function () use ($unifi, $force) {
|
$run = UnifiCronRun::record('rotate-passwords', $triggeredBy, null, function () use ($unifi, $force) {
|
||||||
$wlanIdsJson = Setting::get('unifi.password_rotation.wlan_ids', '[]');
|
$wlanIdsJson = Setting::get('unifi.password_rotation.wlan_ids', '[]');
|
||||||
$wlanIds = json_decode($wlanIdsJson, true);
|
$wlanIds = json_decode($wlanIdsJson, true);
|
||||||
|
if (! is_array($wlanIds)) $wlanIds = [];
|
||||||
|
|
||||||
if (empty($wlanIds) || ! is_array($wlanIds)) {
|
$ppskQuery = UnifiPpsk::where('rotate_password', true)
|
||||||
return ['status' => 'skipped', 'reason' => 'no SSIDs configured for rotation'];
|
->where('state', 'active')
|
||||||
|
->whereNotNull('unifi_id');
|
||||||
|
|
||||||
|
// Skip only if there's nothing at all to rotate — neither
|
||||||
|
// whole-SSID rotation targets nor per-PPSK rotation opt-ins.
|
||||||
|
if (empty($wlanIds) && ! $ppskQuery->exists()) {
|
||||||
|
return ['status' => 'skipped', 'reason' => 'no SSIDs or PPSKs configured for rotation'];
|
||||||
}
|
}
|
||||||
|
|
||||||
$wordlist = Setting::get('unifi.password_rotation.wordlist', '');
|
$wordlist = Setting::get('unifi.password_rotation.wordlist', '');
|
||||||
@@ -61,17 +68,85 @@ class RotatePasswords extends Command
|
|||||||
|
|
||||||
if ($rotated) {
|
if ($rotated) {
|
||||||
Setting::set('unifi.password_rotation.last_rotated_at', now()->toIso8601String());
|
Setting::set('unifi.password_rotation.last_rotated_at', now()->toIso8601String());
|
||||||
|
// Persist the active password so it can be displayed in
|
||||||
|
// the Settings page and exposed via the API endpoint.
|
||||||
|
Setting::set('unifi.password_rotation.last_password', $password);
|
||||||
$this->info('Rotated password for ' . count($rotated) . ' SSID(s).');
|
$this->info('Rotated password for ' . count($rotated) . ' SSID(s).');
|
||||||
}
|
}
|
||||||
|
|
||||||
$rotatedPpsks = [];
|
$rotatedPpsks = [];
|
||||||
$failedPpsks = [];
|
$failedPpsks = [];
|
||||||
foreach (UnifiPpsk::where('rotate_password', true)->where('state', 'active')->whereNotNull('unifi_id')->get() as $ppsk) {
|
foreach ($ppskQuery->get() as $ppsk) {
|
||||||
$newPass = $passwords[array_rand($passwords)];
|
$newPass = $passwords[array_rand($passwords)];
|
||||||
try {
|
try {
|
||||||
|
if (str_starts_with((string) $ppsk->unifi_id, 'emb_')) {
|
||||||
|
// Embedded PPSK: update inside the parent WLAN object,
|
||||||
|
// matched by name (synthetic id changes with the
|
||||||
|
// passphrase, so it's not a stable matcher).
|
||||||
|
$unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass, $ppsk->name);
|
||||||
|
$newUid = 'emb_' . substr(hash('sha256', $ppsk->wlan_id . ':' . $newPass), 0, 32);
|
||||||
|
$ppsk->update(['x_passphrase' => $newPass, 'unifi_id' => $newUid]);
|
||||||
|
|
||||||
|
// Update every grouped sibling (user-defined SSID
|
||||||
|
// groups take precedence; same-name fallback for
|
||||||
|
// installs that haven't grouped manually).
|
||||||
|
foreach ($unifi->getGroupedWlans($ppsk->wlan_id) as $siblingWlanId) {
|
||||||
|
$sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
|
||||||
|
->where('name', $ppsk->name)
|
||||||
|
->where('state', 'active')
|
||||||
|
->first();
|
||||||
|
try {
|
||||||
|
$unifi->updateEmbeddedPpsk($siblingWlanId, $sibling?->x_passphrase, $newPass, $ppsk->name);
|
||||||
|
if ($sibling) {
|
||||||
|
$sibling->update([
|
||||||
|
'x_passphrase' => $newPass,
|
||||||
|
'unifi_id' => 'emb_' . substr(hash('sha256', $siblingWlanId . ':' . $newPass), 0, 32),
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
} catch (\Throwable $e) {
|
||||||
|
if (str_contains($e->getMessage(), 'not found')) {
|
||||||
|
\Illuminate\Support\Facades\Log::info('unifi.ppsk_sibling_skipped', [
|
||||||
|
'sibling_wlan' => $siblingWlanId,
|
||||||
|
'ppsk_name' => $ppsk->name,
|
||||||
|
]);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
$this->error("Sibling rotate failed for wlan {$siblingWlanId}: {$e->getMessage()}");
|
||||||
|
$failedPpsks[] = ['name' => $ppsk->name . ' (sibling wlan ' . $siblingWlanId . ')', 'error' => $e->getMessage()];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify that the new passphrase actually applied
|
||||||
|
// on every grouped WLAN. UniFi can 200 an update
|
||||||
|
// that doesn't stick (cluster sync race, etc).
|
||||||
|
// Anything we expected to rotate that didn't is a
|
||||||
|
// failure — surface it in the cron log.
|
||||||
|
$allWlanIds = array_merge([$ppsk->wlan_id], $unifi->getGroupedWlans($ppsk->wlan_id));
|
||||||
|
foreach ($allWlanIds as $checkWlanId) {
|
||||||
|
$result = $unifi->verifyEmbeddedPpsk($checkWlanId, $ppsk->name, $newPass);
|
||||||
|
if ($result['ok']) continue;
|
||||||
|
|
||||||
|
// 'not_found' on a sibling = PPSK isn't on that band — ignore
|
||||||
|
// (consistent with the skip in the update loop).
|
||||||
|
if ($result['reason'] === 'not_found' && $checkWlanId !== $ppsk->wlan_id) continue;
|
||||||
|
|
||||||
|
$failedPpsks[] = [
|
||||||
|
'name' => $ppsk->name . ' (verify wlan ' . $checkWlanId . ')',
|
||||||
|
'error' => 'verification ' . $result['reason'] . ($result['error'] ?? null ? ': ' . $result['error'] : ''),
|
||||||
|
];
|
||||||
|
}
|
||||||
|
} else {
|
||||||
$unifi->updatePpsk($ppsk->unifi_id, ['x_passphrase' => $newPass]);
|
$unifi->updatePpsk($ppsk->unifi_id, ['x_passphrase' => $newPass]);
|
||||||
$ppsk->update(['x_passphrase' => $newPass]);
|
$ppsk->update(['x_passphrase' => $newPass]);
|
||||||
|
}
|
||||||
$rotatedPpsks[] = $ppsk->name;
|
$rotatedPpsks[] = $ppsk->name;
|
||||||
|
|
||||||
|
// Save the active password every time a rotation
|
||||||
|
// succeeds — covers PPSK-only rotation setups where
|
||||||
|
// there's no whole-SSID rotation. Last successful
|
||||||
|
// password wins if multiple PPSKs rotate in one run.
|
||||||
|
Setting::set('unifi.password_rotation.last_password', $newPass);
|
||||||
|
Setting::set('unifi.password_rotation.last_rotated_at', now()->toIso8601String());
|
||||||
} catch (\Throwable $e) {
|
} catch (\Throwable $e) {
|
||||||
$this->error("Failed to rotate PPSK \"{$ppsk->name}\": {$e->getMessage()}");
|
$this->error("Failed to rotate PPSK \"{$ppsk->name}\": {$e->getMessage()}");
|
||||||
$failedPpsks[] = ['name' => $ppsk->name, 'error' => $e->getMessage()];
|
$failedPpsks[] = ['name' => $ppsk->name, 'error' => $e->getMessage()];
|
||||||
|
|||||||
@@ -36,6 +36,7 @@ class StatsController extends Controller
|
|||||||
if ($wanIp && str_starts_with($wanIp, '127.')) $wanIp = $gw['connect_request_ip'] ?? null;
|
if ($wanIp && str_starts_with($wanIp, '127.')) $wanIp = $gw['connect_request_ip'] ?? null;
|
||||||
|
|
||||||
return response()->json([
|
return response()->json([
|
||||||
|
'available' => true,
|
||||||
'status' => $wan['status'] ?? 'unknown',
|
'status' => $wan['status'] ?? 'unknown',
|
||||||
'tx_rate' => $wan['tx_bytes-r'] ?? 0,
|
'tx_rate' => $wan['tx_bytes-r'] ?? 0,
|
||||||
'rx_rate' => $wan['rx_bytes-r'] ?? 0,
|
'rx_rate' => $wan['rx_bytes-r'] ?? 0,
|
||||||
@@ -44,7 +45,19 @@ class StatsController extends Controller
|
|||||||
'latency' => $wan['latency'] ?? $gw['wan1']['latency'] ?? null,
|
'latency' => $wan['latency'] ?? $gw['wan1']['latency'] ?? null,
|
||||||
]);
|
]);
|
||||||
} catch (\Throwable $e) {
|
} catch (\Throwable $e) {
|
||||||
return response()->json(['status' => 'error'], 500);
|
// The UniFi controller is unreachable. Degrade gracefully: return 200 with a
|
||||||
|
// friendly "unavailable" payload so the dashboard widget shows an unavailable
|
||||||
|
// state instead of the poll silently failing on a 500.
|
||||||
|
return response()->json([
|
||||||
|
'available' => false,
|
||||||
|
'status' => 'unavailable',
|
||||||
|
'message' => 'UniFi controller is unreachable.',
|
||||||
|
'tx_rate' => 0,
|
||||||
|
'rx_rate' => 0,
|
||||||
|
'isp' => null,
|
||||||
|
'wan_ip' => null,
|
||||||
|
'latency' => null,
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -296,12 +309,21 @@ class StatsController extends Controller
|
|||||||
->values();
|
->values();
|
||||||
|
|
||||||
return response()->json([
|
return response()->json([
|
||||||
|
'available' => true,
|
||||||
'labels' => $series['labels'],
|
'labels' => $series['labels'],
|
||||||
'traffic_rx' => $rx,
|
'traffic_rx' => $rx,
|
||||||
'traffic_tx' => $tx,
|
'traffic_tx' => $tx,
|
||||||
]);
|
]);
|
||||||
} catch (\Throwable $e) {
|
} catch (\Throwable $e) {
|
||||||
return response()->json(['error' => $e->getMessage()], 500);
|
// UniFi controller unreachable — degrade gracefully (200 with empty series)
|
||||||
|
// so the chart shows an empty/unavailable state rather than erroring on a 500.
|
||||||
|
return response()->json([
|
||||||
|
'available' => false,
|
||||||
|
'message' => 'UniFi controller is unreachable.',
|
||||||
|
'labels' => [],
|
||||||
|
'traffic_rx' => [],
|
||||||
|
'traffic_tx' => [],
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ namespace Dashboard\Unifi\Http\Controllers;
|
|||||||
use App\Models\DashboardApp;
|
use App\Models\DashboardApp;
|
||||||
use App\Models\Group;
|
use App\Models\Group;
|
||||||
use App\Models\NavItem;
|
use App\Models\NavItem;
|
||||||
|
use App\Models\Role;
|
||||||
use App\Models\User;
|
use App\Models\User;
|
||||||
use Dashboard\Unifi\Models\UnifiPageGrant;
|
use Dashboard\Unifi\Models\UnifiPageGrant;
|
||||||
use Illuminate\Http\Request;
|
use Illuminate\Http\Request;
|
||||||
@@ -21,7 +22,7 @@ class UnifiPagesAccessController extends Controller
|
|||||||
{
|
{
|
||||||
$app = DashboardApp::where('slug', 'unifi')->first();
|
$app = DashboardApp::where('slug', 'unifi')->first();
|
||||||
if (! $app) {
|
if (! $app) {
|
||||||
return response()->json(['pages' => [], 'users' => [], 'groups' => []]);
|
return response()->json(['pages' => [], 'users' => [], 'groups' => [], 'roles' => []]);
|
||||||
}
|
}
|
||||||
|
|
||||||
$pages = NavItem::where('app_id', $app->id)
|
$pages = NavItem::where('app_id', $app->id)
|
||||||
@@ -34,19 +35,109 @@ class UnifiPagesAccessController extends Controller
|
|||||||
->get()
|
->get()
|
||||||
->groupBy('nav_item_id');
|
->groupBy('nav_item_id');
|
||||||
|
|
||||||
|
// Only return users that ALREADY have grants. The full users list
|
||||||
|
// can be enormous (thousands of rows); the operator adds more via
|
||||||
|
// the searchUsers endpoint as needed.
|
||||||
|
$grantedUserIds = $grants->flatten(1)->where('grantee_type', 'user')->pluck('grantee_id')->unique();
|
||||||
|
$users = User::whereIn('id', $grantedUserIds)->orderBy('name')->get(['id', 'name', 'email']);
|
||||||
|
|
||||||
|
// Groups: always include super-admin groups (locked-on across all
|
||||||
|
// pages) plus any group with at least one grant. Other groups are
|
||||||
|
// added via searchGroups.
|
||||||
|
$grantedGroupIds = $grants->flatten(1)->where('grantee_type', 'group')->pluck('grantee_id')->unique();
|
||||||
|
$groups = Group::where(function ($q) use ($grantedGroupIds) {
|
||||||
|
$q->where('is_super', true)
|
||||||
|
->orWhereIn('id', $grantedGroupIds);
|
||||||
|
})->orderBy('name')->get(['id', 'name', 'is_super']);
|
||||||
|
|
||||||
|
// Roles: only ones with at least one grant — more added via searchRoles.
|
||||||
|
$grantedRoleIds = $grants->flatten(1)->where('grantee_type', 'role')->pluck('grantee_id')->unique();
|
||||||
|
$roles = Role::whereIn('id', $grantedRoleIds)->orderBy('label')->get(['id', 'slug', 'label']);
|
||||||
|
|
||||||
return response()->json([
|
return response()->json([
|
||||||
'pages' => $pages->map(fn ($p) => [
|
'pages' => $pages->map(function ($p) use ($grants) {
|
||||||
|
$pageGrants = $grants->get($p->id, collect());
|
||||||
|
$defaultRow = $pageGrants->firstWhere('grantee_type', 'default');
|
||||||
|
return [
|
||||||
'id' => $p->id,
|
'id' => $p->id,
|
||||||
'label' => $p->label,
|
'label' => $p->label,
|
||||||
'route_name' => $p->route_name,
|
'route_name' => $p->route_name,
|
||||||
'user_ids' => $grants->get($p->id, collect())->where('grantee_type', 'user')->pluck('grantee_id')->all(),
|
'default_allow' => (bool) ($defaultRow?->can_view ?? false),
|
||||||
'group_ids' => $grants->get($p->id, collect())->where('grantee_type', 'group')->pluck('grantee_id')->all(),
|
'user_ids' => $pageGrants->where('grantee_type', 'user')->where('can_view', true)->pluck('grantee_id')->values()->all(),
|
||||||
])->values(),
|
'group_ids' => $pageGrants->where('grantee_type', 'group')->where('can_view', true)->pluck('grantee_id')->values()->all(),
|
||||||
'users' => User::orderBy('name')->get(['id', 'name', 'email']),
|
'role_ids' => $pageGrants->where('grantee_type', 'role')->where('can_view', true)->pluck('grantee_id')->values()->all(),
|
||||||
'groups' => Group::orderBy('name')->get(['id', 'name', 'is_super']),
|
];
|
||||||
|
})->values(),
|
||||||
|
'users' => $users,
|
||||||
|
'groups' => $groups,
|
||||||
|
'roles' => $roles,
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Typeahead-style search for users to add to the access matrix.
|
||||||
|
* Returns up to 20 matches against name or email. Empty query returns
|
||||||
|
* an empty array — caller must enter at least 2 chars.
|
||||||
|
*/
|
||||||
|
public function searchUsers(Request $request)
|
||||||
|
{
|
||||||
|
$q = trim((string) $request->query('q', ''));
|
||||||
|
if (strlen($q) < 2) {
|
||||||
|
return response()->json(['users' => []]);
|
||||||
|
}
|
||||||
|
|
||||||
|
$users = User::where(function ($w) use ($q) {
|
||||||
|
$w->where('name', 'like', '%' . $q . '%')
|
||||||
|
->orWhere('email', 'like', '%' . $q . '%');
|
||||||
|
})
|
||||||
|
->orderBy('name')
|
||||||
|
->limit(20)
|
||||||
|
->get(['id', 'name', 'email']);
|
||||||
|
|
||||||
|
return response()->json(['users' => $users]);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Typeahead-style search for groups to add to the access matrix.
|
||||||
|
* Excludes super-admin groups (they're already in the matrix and
|
||||||
|
* locked-on across every page).
|
||||||
|
*/
|
||||||
|
public function searchGroups(Request $request)
|
||||||
|
{
|
||||||
|
$q = trim((string) $request->query('q', ''));
|
||||||
|
if (strlen($q) < 2) {
|
||||||
|
return response()->json(['groups' => []]);
|
||||||
|
}
|
||||||
|
|
||||||
|
$groups = Group::where('name', 'like', '%' . $q . '%')
|
||||||
|
->where(function ($w) { $w->where('is_super', false)->orWhereNull('is_super'); })
|
||||||
|
->orderBy('name')
|
||||||
|
->limit(20)
|
||||||
|
->get(['id', 'name', 'is_super']);
|
||||||
|
|
||||||
|
return response()->json(['groups' => $groups]);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Typeahead-style search for roles to add to the access matrix.
|
||||||
|
* An empty query returns every role (the role list is small).
|
||||||
|
*/
|
||||||
|
public function searchRoles(Request $request)
|
||||||
|
{
|
||||||
|
$q = trim((string) $request->query('q', ''));
|
||||||
|
if (strlen($q) < 1) {
|
||||||
|
return response()->json(['roles' => Role::orderBy('label')->get(['id', 'slug', 'label'])]);
|
||||||
|
}
|
||||||
|
|
||||||
|
$roles = Role::where('label', 'like', '%' . $q . '%')
|
||||||
|
->orWhere('slug', 'like', '%' . $q . '%')
|
||||||
|
->orderBy('label')
|
||||||
|
->limit(20)
|
||||||
|
->get(['id', 'slug', 'label']);
|
||||||
|
|
||||||
|
return response()->json(['roles' => $roles]);
|
||||||
|
}
|
||||||
|
|
||||||
public function update(Request $request, NavItem $navItem)
|
public function update(Request $request, NavItem $navItem)
|
||||||
{
|
{
|
||||||
$app = DashboardApp::where('slug', 'unifi')->first();
|
$app = DashboardApp::where('slug', 'unifi')->first();
|
||||||
@@ -55,28 +146,62 @@ class UnifiPagesAccessController extends Controller
|
|||||||
}
|
}
|
||||||
|
|
||||||
$data = $request->validate([
|
$data = $request->validate([
|
||||||
|
'default_allow' => 'boolean',
|
||||||
'user_ids' => 'present|array',
|
'user_ids' => 'present|array',
|
||||||
'user_ids.*' => 'integer|exists:users,id',
|
'user_ids.*' => 'integer|exists:users,id',
|
||||||
'group_ids' => 'present|array',
|
'group_ids' => 'present|array',
|
||||||
'group_ids.*' => 'integer|exists:groups,id',
|
'group_ids.*' => 'integer|exists:groups,id',
|
||||||
|
'role_ids' => 'array',
|
||||||
|
'role_ids.*' => 'integer|exists:roles,id',
|
||||||
]);
|
]);
|
||||||
|
|
||||||
$grantedBy = $request->user()?->id;
|
$grantedBy = $request->user()?->id;
|
||||||
|
|
||||||
DB::transaction(function () use ($navItem, $data, $grantedBy) {
|
DB::transaction(function () use ($navItem, $data, $grantedBy) {
|
||||||
UnifiPageGrant::where('nav_item_id', $navItem->id)->delete();
|
// Upsert the default row (one per nav_item). firstOrCreate can't
|
||||||
|
// match on grantee_id=NULL reliably in MySQL, so look it up first.
|
||||||
|
$default = UnifiPageGrant::where('nav_item_id', $navItem->id)
|
||||||
|
->where('grantee_type', 'default')
|
||||||
|
->first();
|
||||||
|
if ($default) {
|
||||||
|
$default->update(['can_view' => (bool) ($data['default_allow'] ?? false)]);
|
||||||
|
} else {
|
||||||
|
UnifiPageGrant::create([
|
||||||
|
'nav_item_id' => $navItem->id,
|
||||||
|
'grantee_type' => 'default',
|
||||||
|
'grantee_id' => null,
|
||||||
|
'can_view' => (bool) ($data['default_allow'] ?? false),
|
||||||
|
'granted_by_user_id' => $grantedBy,
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
$rows = [];
|
$this->syncGrantsOfType($navItem->id, 'user', $data['user_ids'] ?? [], $grantedBy);
|
||||||
$now = now();
|
$this->syncGrantsOfType($navItem->id, 'group', $data['group_ids'] ?? [], $grantedBy);
|
||||||
foreach ($data['user_ids'] as $uid) {
|
$this->syncGrantsOfType($navItem->id, 'role', $data['role_ids'] ?? [], $grantedBy);
|
||||||
$rows[] = ['nav_item_id' => $navItem->id, 'grantee_type' => 'user', 'grantee_id' => $uid, 'granted_by_user_id' => $grantedBy, 'created_at' => $now, 'updated_at' => $now];
|
|
||||||
}
|
|
||||||
foreach ($data['group_ids'] as $gid) {
|
|
||||||
$rows[] = ['nav_item_id' => $navItem->id, 'grantee_type' => 'group', 'grantee_id' => $gid, 'granted_by_user_id' => $grantedBy, 'created_at' => $now, 'updated_at' => $now];
|
|
||||||
}
|
|
||||||
if ($rows) UnifiPageGrant::insert($rows);
|
|
||||||
});
|
});
|
||||||
|
|
||||||
return response()->json(['ok' => true]);
|
return response()->json(['ok' => true]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private function syncGrantsOfType(int $navItemId, string $type, array $ids, ?int $actorId): void
|
||||||
|
{
|
||||||
|
UnifiPageGrant::where('nav_item_id', $navItemId)
|
||||||
|
->where('grantee_type', $type)
|
||||||
|
->whereNotIn('grantee_id', $ids ?: [0])
|
||||||
|
->delete();
|
||||||
|
|
||||||
|
foreach ($ids as $id) {
|
||||||
|
UnifiPageGrant::updateOrCreate(
|
||||||
|
[
|
||||||
|
'nav_item_id' => $navItemId,
|
||||||
|
'grantee_type' => $type,
|
||||||
|
'grantee_id' => $id,
|
||||||
|
],
|
||||||
|
[
|
||||||
|
'can_view' => true,
|
||||||
|
'granted_by_user_id' => $actorId,
|
||||||
|
],
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -10,9 +10,10 @@ use Inertia\Inertia;
|
|||||||
|
|
||||||
class UnifiSettingsController extends Controller
|
class UnifiSettingsController extends Controller
|
||||||
{
|
{
|
||||||
public function edit()
|
public function edit(?string $tab = null)
|
||||||
{
|
{
|
||||||
return Inertia::render('Unifi/Settings', [
|
return Inertia::render('Unifi/Settings', [
|
||||||
|
'activeTab' => $tab,
|
||||||
'controllerUrl' => Setting::get('unifi.controller_url', ''),
|
'controllerUrl' => Setting::get('unifi.controller_url', ''),
|
||||||
'hasApiKey' => (bool) Setting::get('unifi.api_key'),
|
'hasApiKey' => (bool) Setting::get('unifi.api_key'),
|
||||||
'site' => Setting::get('unifi.site', 'default'),
|
'site' => Setting::get('unifi.site', 'default'),
|
||||||
@@ -31,10 +32,26 @@ class UnifiSettingsController extends Controller
|
|||||||
'rotationMinute' => (int) Setting::get('unifi.password_rotation.minute', 0),
|
'rotationMinute' => (int) Setting::get('unifi.password_rotation.minute', 0),
|
||||||
'rotationWordlist' => Setting::get('unifi.password_rotation.wordlist', ''),
|
'rotationWordlist' => Setting::get('unifi.password_rotation.wordlist', ''),
|
||||||
'rotationLastRotatedAt' => Setting::get('unifi.password_rotation.last_rotated_at', null),
|
'rotationLastRotatedAt' => Setting::get('unifi.password_rotation.last_rotated_at', null),
|
||||||
|
'rotationLastPassword' => Setting::get('unifi.password_rotation.last_password', null),
|
||||||
'ppskSchedulingEnabled' => (bool) Setting::get('unifi.ppsk_scheduling.enabled', false),
|
'ppskSchedulingEnabled' => (bool) Setting::get('unifi.ppsk_scheduling.enabled', false),
|
||||||
|
'apiEnabled' => (bool) Setting::get('unifi.api.enabled', false),
|
||||||
|
'apiToken' => Setting::get('unifi.api_token', null),
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function regenerateApiToken()
|
||||||
|
{
|
||||||
|
$token = bin2hex(random_bytes(24));
|
||||||
|
Setting::set('unifi.api_token', $token);
|
||||||
|
return response()->json(['token' => $token]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function clearApiToken()
|
||||||
|
{
|
||||||
|
Setting::set('unifi.api_token', '');
|
||||||
|
return response()->json(['ok' => true]);
|
||||||
|
}
|
||||||
|
|
||||||
public function update(Request $request)
|
public function update(Request $request)
|
||||||
{
|
{
|
||||||
$request->validate([
|
$request->validate([
|
||||||
@@ -56,6 +73,7 @@ class UnifiSettingsController extends Controller
|
|||||||
'rotation_minute' => 'nullable|integer|min:0|max:59',
|
'rotation_minute' => 'nullable|integer|min:0|max:59',
|
||||||
'rotation_wordlist' => 'nullable|string|max:20000',
|
'rotation_wordlist' => 'nullable|string|max:20000',
|
||||||
'ppsk_scheduling_enabled' => 'boolean',
|
'ppsk_scheduling_enabled' => 'boolean',
|
||||||
|
'api_enabled' => 'boolean',
|
||||||
]);
|
]);
|
||||||
|
|
||||||
Setting::set('unifi.controller_url', rtrim($request->controller_url, '/'));
|
Setting::set('unifi.controller_url', rtrim($request->controller_url, '/'));
|
||||||
@@ -82,6 +100,7 @@ class UnifiSettingsController extends Controller
|
|||||||
Setting::set('unifi.password_rotation.minute', $request->input('rotation_minute', 0));
|
Setting::set('unifi.password_rotation.minute', $request->input('rotation_minute', 0));
|
||||||
Setting::set('unifi.password_rotation.wordlist', $request->input('rotation_wordlist', ''));
|
Setting::set('unifi.password_rotation.wordlist', $request->input('rotation_wordlist', ''));
|
||||||
Setting::set('unifi.ppsk_scheduling.enabled', $request->boolean('ppsk_scheduling_enabled') ? '1' : '');
|
Setting::set('unifi.ppsk_scheduling.enabled', $request->boolean('ppsk_scheduling_enabled') ? '1' : '');
|
||||||
|
Setting::set('unifi.api.enabled', $request->boolean('api_enabled') ? '1' : '');
|
||||||
|
|
||||||
\Illuminate\Support\Facades\Cache::forget('unifi:api_prefix:' . md5(rtrim($request->controller_url, '/')));
|
\Illuminate\Support\Facades\Cache::forget('unifi:api_prefix:' . md5(rtrim($request->controller_url, '/')));
|
||||||
|
|
||||||
|
|||||||
@@ -68,20 +68,49 @@ class WebhookController extends Controller
|
|||||||
|
|
||||||
public function test(WebhookConfig $webhook)
|
public function test(WebhookConfig $webhook)
|
||||||
{
|
{
|
||||||
$payload = [
|
return $this->fireTest($webhook->url, $webhook->secret);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test an arbitrary URL+secret before the webhook is saved. Lets the
|
||||||
|
* operator validate their endpoint from the form without first
|
||||||
|
* committing a row.
|
||||||
|
*/
|
||||||
|
public function testUrl(Request $request)
|
||||||
|
{
|
||||||
|
$data = $request->validate([
|
||||||
|
'url' => 'required|url|max:500',
|
||||||
|
'secret' => 'nullable|string|max:255',
|
||||||
|
]);
|
||||||
|
return $this->fireTest($data['url'], $data['secret'] ?? null);
|
||||||
|
}
|
||||||
|
|
||||||
|
private function fireTest(string $url, ?string $secret)
|
||||||
|
{
|
||||||
|
$message = '✅ Test webhook from ' . config('app.name') . ' — endpoint is reachable.';
|
||||||
|
$genericPayload = [
|
||||||
'event' => 'test',
|
'event' => 'test',
|
||||||
'timestamp' => now()->toIso8601String(),
|
'timestamp' => now()->toIso8601String(),
|
||||||
'data' => ['message' => 'This is a test webhook from ' . config('app.name')],
|
'message' => $message,
|
||||||
|
'data' => ['message' => $message],
|
||||||
];
|
];
|
||||||
|
// Shape the payload to match the target platform (Google Chat,
|
||||||
|
// Slack, Discord, Teams) so the test exercises the same code
|
||||||
|
// path real events use.
|
||||||
|
$payload = \Dashboard\Unifi\Services\WebhookCheckService::buildPlatformPayload($url, $message, $genericPayload);
|
||||||
|
|
||||||
$headers = ['Content-Type' => 'application/json'];
|
$headers = ['Content-Type' => 'application/json'];
|
||||||
if ($webhook->secret) {
|
if ($secret) {
|
||||||
$headers['X-Webhook-Signature'] = hash_hmac('sha256', json_encode($payload), $webhook->secret);
|
$headers['X-Webhook-Signature'] = hash_hmac('sha256', json_encode($payload), $secret);
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$response = \Illuminate\Support\Facades\Http::withHeaders($headers)->timeout(10)->post($webhook->url, $payload);
|
$response = \Illuminate\Support\Facades\Http::withHeaders($headers)->timeout(10)->post($url, $payload);
|
||||||
return response()->json(['ok' => true, 'status' => $response->status()]);
|
return response()->json([
|
||||||
|
'ok' => $response->successful(),
|
||||||
|
'status' => $response->status(),
|
||||||
|
'body' => mb_substr((string) $response->body(), 0, 500),
|
||||||
|
]);
|
||||||
} catch (\Throwable $e) {
|
} catch (\Throwable $e) {
|
||||||
return response()->json(['ok' => false, 'error' => $e->getMessage()], 422);
|
return response()->json(['ok' => false, 'error' => $e->getMessage()], 422);
|
||||||
}
|
}
|
||||||
|
|||||||
44
src/Http/Controllers/WifiApiController.php
Normal file
44
src/Http/Controllers/WifiApiController.php
Normal file
@@ -0,0 +1,44 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Dashboard\Unifi\Http\Controllers;
|
||||||
|
|
||||||
|
use App\Models\Setting;
|
||||||
|
use Illuminate\Http\Request;
|
||||||
|
use Illuminate\Routing\Controller;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Token-protected JSON endpoints for external integrations (signage,
|
||||||
|
* kiosks, room displays, etc.) that need the current rotating WiFi
|
||||||
|
* password without going through the dashboard UI.
|
||||||
|
*/
|
||||||
|
class WifiApiController extends Controller
|
||||||
|
{
|
||||||
|
public function currentPassword(Request $request)
|
||||||
|
{
|
||||||
|
if (! Setting::get('unifi.api.enabled')) {
|
||||||
|
return response()->json(['error' => 'API disabled'], 503);
|
||||||
|
}
|
||||||
|
|
||||||
|
$expected = Setting::get('unifi.api_token');
|
||||||
|
if (! $expected) {
|
||||||
|
return response()->json(['error' => 'API token not configured'], 503);
|
||||||
|
}
|
||||||
|
|
||||||
|
$provided = $request->bearerToken() ?: $request->query('token');
|
||||||
|
if (! $provided || ! hash_equals($expected, $provided)) {
|
||||||
|
return response()->json(['error' => 'Unauthorized'], 401);
|
||||||
|
}
|
||||||
|
|
||||||
|
$password = Setting::get('unifi.password_rotation.last_password');
|
||||||
|
if (! $password) {
|
||||||
|
return response()->json([
|
||||||
|
'error' => 'No rotated password recorded yet — wait for the next scheduled rotation or run unifi:rotate-passwords --force.',
|
||||||
|
], 404);
|
||||||
|
}
|
||||||
|
|
||||||
|
return response()->json([
|
||||||
|
'password' => $password,
|
||||||
|
'rotated_at' => Setting::get('unifi.password_rotation.last_rotated_at'),
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -149,8 +149,18 @@ class WifiController extends Controller
|
|||||||
$name = $networksById[$nconfId]['name'] ?? null;
|
$name = $networksById[$nconfId]['name'] ?? null;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Match by unifi_id, or by passphrase for a held embedded record re-appearing
|
// Match in priority order:
|
||||||
|
// 1. by current unifi_id (already-synced row)
|
||||||
|
// 2. by name within this wlan (catches rotation: passphrase
|
||||||
|
// changed → synthetic id changed → row identity unchanged)
|
||||||
|
// 3. by passphrase among held rows (legacy fallback for
|
||||||
|
// cases where name wasn't ingested)
|
||||||
$record = UnifiPpsk::where('unifi_id', $uid)->first()
|
$record = UnifiPpsk::where('unifi_id', $uid)->first()
|
||||||
|
?? ($name
|
||||||
|
? UnifiPpsk::where('wlan_id', $wlanId)->where('name', $name)
|
||||||
|
->orderByRaw("FIELD(state, 'active', 'held')")
|
||||||
|
->first()
|
||||||
|
: null)
|
||||||
?? UnifiPpsk::where('wlan_id', $wlanId)
|
?? UnifiPpsk::where('wlan_id', $wlanId)
|
||||||
->where('x_passphrase', $pass)
|
->where('x_passphrase', $pass)
|
||||||
->where('state', 'held')
|
->where('state', 'held')
|
||||||
@@ -174,8 +184,8 @@ class WifiController extends Controller
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Only mark as held when we have confirmed live IDs —
|
// Mark non-matching active rows as held — but ONLY if there's no
|
||||||
// never wipe on an empty API response (prevents false-holds on API failures)
|
// other active row with the same name we just reconnected.
|
||||||
if (! empty($liveIds)) {
|
if (! empty($liveIds)) {
|
||||||
UnifiPpsk::where('wlan_id', $wlanId)
|
UnifiPpsk::where('wlan_id', $wlanId)
|
||||||
->where('state', 'active')
|
->where('state', 'active')
|
||||||
@@ -184,6 +194,47 @@ class WifiController extends Controller
|
|||||||
->update(['state' => 'held', 'unifi_id' => null]);
|
->update(['state' => 'held', 'unifi_id' => null]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// For each active row, salvage any rotate_password / schedule
|
||||||
|
// settings from the held tombstones with the same name BEFORE
|
||||||
|
// we prune them. Otherwise a row that had rotate=on loses the
|
||||||
|
// flag every time a rotation changes its synthetic id.
|
||||||
|
$activeRows = UnifiPpsk::where('wlan_id', $wlanId)
|
||||||
|
->where('state', 'active')
|
||||||
|
->whereNotNull('name')
|
||||||
|
->get();
|
||||||
|
foreach ($activeRows as $active) {
|
||||||
|
$heldWithSettings = UnifiPpsk::where('wlan_id', $wlanId)
|
||||||
|
->where('state', 'held')
|
||||||
|
->where('name', $active->name)
|
||||||
|
->where(fn ($q) => $q
|
||||||
|
->where('rotate_password', true)
|
||||||
|
->orWhereNotNull('schedule'))
|
||||||
|
->orderByDesc('updated_at')
|
||||||
|
->first();
|
||||||
|
if (! $heldWithSettings) continue;
|
||||||
|
|
||||||
|
$patch = [];
|
||||||
|
if ($heldWithSettings->rotate_password && ! $active->rotate_password) {
|
||||||
|
$patch['rotate_password'] = true;
|
||||||
|
}
|
||||||
|
if ($heldWithSettings->schedule && ! $active->schedule) {
|
||||||
|
$patch['schedule'] = $heldWithSettings->schedule;
|
||||||
|
}
|
||||||
|
if ($patch) $active->update($patch);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Prune obsolete held rows: any held row whose name matches an
|
||||||
|
// active row in the same wlan is a stale tombstone — its
|
||||||
|
// settings have been salvaged above, and its data has been
|
||||||
|
// superseded by the active one.
|
||||||
|
$activeNames = $activeRows->pluck('name')->filter()->unique();
|
||||||
|
if ($activeNames->isNotEmpty()) {
|
||||||
|
UnifiPpsk::where('wlan_id', $wlanId)
|
||||||
|
->where('state', 'held')
|
||||||
|
->whereIn('name', $activeNames)
|
||||||
|
->delete();
|
||||||
|
}
|
||||||
|
|
||||||
$dbRecords = UnifiPpsk::where('wlan_id', $wlanId)
|
$dbRecords = UnifiPpsk::where('wlan_id', $wlanId)
|
||||||
->orderByRaw("FIELD(state, 'active', 'held')")
|
->orderByRaw("FIELD(state, 'active', 'held')")
|
||||||
->orderBy('name')
|
->orderBy('name')
|
||||||
@@ -291,11 +342,46 @@ class WifiController extends Controller
|
|||||||
fn ($v) => $v !== null
|
fn ($v) => $v !== null
|
||||||
);
|
);
|
||||||
if (! empty($unifiUpdate)) {
|
if (! empty($unifiUpdate)) {
|
||||||
|
if (str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])) {
|
||||||
|
// Embedded PPSK update path — modify the WLAN's embedded array.
|
||||||
|
// Match by name (reliable across drift).
|
||||||
|
$newPass = $unifiUpdate['x_passphrase'];
|
||||||
|
$unifi->updateEmbeddedPpsk($record->wlan_id, $record->x_passphrase, $newPass, $record->name);
|
||||||
|
$data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $newPass), 0, 32);
|
||||||
|
|
||||||
|
// Also update grouped WLAN siblings (user-defined
|
||||||
|
// SSID groups, falling back to same-name).
|
||||||
|
foreach ($unifi->getGroupedWlans($record->wlan_id) as $siblingWlanId) {
|
||||||
|
$sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
|
||||||
|
->where('name', $record->name)
|
||||||
|
->where('state', 'active')
|
||||||
|
->first();
|
||||||
|
try {
|
||||||
|
$unifi->updateEmbeddedPpsk($siblingWlanId, $sibling?->x_passphrase, $newPass, $record->name);
|
||||||
|
if ($sibling) {
|
||||||
|
$sibling->update([
|
||||||
|
'x_passphrase' => $newPass,
|
||||||
|
'unifi_id' => 'emb_' . substr(hash('sha256', $siblingWlanId . ':' . $newPass), 0, 32),
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
} catch (\Throwable $e) {
|
||||||
|
// PPSK absent on this band is fine — just
|
||||||
|
// means it isn't mirrored. Anything else
|
||||||
|
// gets warning-logged.
|
||||||
|
$level = str_contains($e->getMessage(), 'not found') ? 'info' : 'warning';
|
||||||
|
\Illuminate\Support\Facades\Log::log($level, 'unifi.ppsk_sibling_update', [
|
||||||
|
'sibling_wlan' => $siblingWlanId,
|
||||||
|
'error' => $e->getMessage(),
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
$unifi->updatePpsk($record->unifi_id, $unifiUpdate);
|
$unifi->updatePpsk($record->unifi_id, $unifiUpdate);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$dbUpdate = array_intersect_key($data, array_flip(['name', 'x_passphrase']));
|
$dbUpdate = array_intersect_key($data, array_flip(['name', 'x_passphrase', 'unifi_id']));
|
||||||
// vlan can be explicitly set to null
|
// vlan can be explicitly set to null
|
||||||
if (array_key_exists('vlan', $data)) $dbUpdate['vlan'] = $data['vlan'];
|
if (array_key_exists('vlan', $data)) $dbUpdate['vlan'] = $data['vlan'];
|
||||||
if (! empty($dbUpdate)) $record->update($dbUpdate);
|
if (! empty($dbUpdate)) $record->update($dbUpdate);
|
||||||
|
|||||||
51
src/Http/Middleware/EnforceUnifiPageGrant.php
Normal file
51
src/Http/Middleware/EnforceUnifiPageGrant.php
Normal file
@@ -0,0 +1,51 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Dashboard\Unifi\Http\Middleware;
|
||||||
|
|
||||||
|
use App\Models\NavItem;
|
||||||
|
use Closure;
|
||||||
|
use Dashboard\Unifi\Models\UnifiPageGrant;
|
||||||
|
use Dashboard\Unifi\UnifiServiceProvider;
|
||||||
|
use Illuminate\Http\Request;
|
||||||
|
use Symfony\Component\HttpFoundation\Response;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Per-page access for unifi pages. Attached dynamically by the
|
||||||
|
* RouteMatched listener in UnifiServiceProvider — the check cannot
|
||||||
|
* live in the listener because RouteMatched fires before session/auth
|
||||||
|
* middleware, when request->user() is still null.
|
||||||
|
*/
|
||||||
|
class EnforceUnifiPageGrant
|
||||||
|
{
|
||||||
|
public function handle(Request $request, Closure $next): Response
|
||||||
|
{
|
||||||
|
$user = $request->user();
|
||||||
|
$routeName = $request->route()?->getName();
|
||||||
|
|
||||||
|
if (! $routeName || ! $user || $user->is_super_admin) {
|
||||||
|
return $next($request);
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
$item = NavItem::where('route_name', $routeName)->first();
|
||||||
|
if ($item) {
|
||||||
|
// Permission holders keep access — grants extend, never revoke.
|
||||||
|
$holdsPermission = $item->required_permission
|
||||||
|
&& UnifiServiceProvider::realPermissionKeysFor($user)->contains($item->required_permission);
|
||||||
|
|
||||||
|
if (! $holdsPermission && ! UnifiPageGrant::userCanAccess($user, $item)) {
|
||||||
|
// 404 instead of 403 — don't leak that the page exists.
|
||||||
|
abort(404);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (\Symfony\Component\HttpKernel\Exception\HttpException $e) {
|
||||||
|
throw $e;
|
||||||
|
} catch (\Throwable) {
|
||||||
|
// unifi_page_grants may not exist yet on first install — fail
|
||||||
|
// open in that narrow window (permission middleware still
|
||||||
|
// guards the route).
|
||||||
|
}
|
||||||
|
|
||||||
|
return $next($request);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -13,11 +13,16 @@ class UnifiPageGrant extends Model
|
|||||||
|
|
||||||
protected $fillable = [
|
protected $fillable = [
|
||||||
'nav_item_id',
|
'nav_item_id',
|
||||||
'grantee_type',
|
'grantee_type', // default | user | group | role
|
||||||
'grantee_id',
|
'grantee_id', // null for grantee_type=default
|
||||||
|
'can_view',
|
||||||
'granted_by_user_id',
|
'granted_by_user_id',
|
||||||
];
|
];
|
||||||
|
|
||||||
|
protected $casts = [
|
||||||
|
'can_view' => 'boolean',
|
||||||
|
];
|
||||||
|
|
||||||
public function navItem(): BelongsTo
|
public function navItem(): BelongsTo
|
||||||
{
|
{
|
||||||
return $this->belongsTo(NavItem::class);
|
return $this->belongsTo(NavItem::class);
|
||||||
@@ -29,28 +34,32 @@ class UnifiPageGrant extends Model
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* True iff $user is allowed to access $navItem under this grant model.
|
* Grant check with a per-page default fallback. Passes if the user
|
||||||
* Super-admins always pass.
|
* matches an explicit user/group/role grant; otherwise falls back
|
||||||
* If there are NO grants for the page, falls back to "open" (anyone
|
* to the page's `default` row (deny by default — no row or
|
||||||
* who can reach the route can access — same as before grants existed).
|
* can_view=false denies). Permission-based access is checked
|
||||||
|
* separately by the caller — grants extend, never revoke.
|
||||||
*/
|
*/
|
||||||
public static function userCanAccess(User $user, NavItem $navItem): bool
|
public static function userCanAccess(User $user, NavItem $navItem): bool
|
||||||
{
|
{
|
||||||
if ($user->is_super_admin) return true;
|
if ($user->is_super_admin) return true;
|
||||||
|
|
||||||
$hasGrants = static::where('nav_item_id', $navItem->id)->exists();
|
|
||||||
if (! $hasGrants) return true;
|
|
||||||
|
|
||||||
$groupIds = $user->groups()->pluck('groups.id');
|
$groupIds = $user->groups()->pluck('groups.id');
|
||||||
|
$roleIds = $user->roles()->pluck('roles.id');
|
||||||
|
|
||||||
return static::where('nav_item_id', $navItem->id)
|
$hasExplicit = static::where('nav_item_id', $navItem->id)
|
||||||
->where(function ($q) use ($user, $groupIds) {
|
->where('can_view', true)
|
||||||
$q->where(function ($u) use ($user) {
|
->where(function ($q) use ($user, $groupIds, $roleIds) {
|
||||||
$u->where('grantee_type', 'user')->where('grantee_id', $user->id);
|
$q->where(fn ($u) => $u->where('grantee_type', 'user')->where('grantee_id', $user->id))
|
||||||
})->orWhere(function ($g) use ($groupIds) {
|
->orWhere(fn ($g) => $g->where('grantee_type', 'group')->whereIn('grantee_id', $groupIds))
|
||||||
$g->where('grantee_type', 'group')->whereIn('grantee_id', $groupIds);
|
->orWhere(fn ($r) => $r->where('grantee_type', 'role')->whereIn('grantee_id', $roleIds));
|
||||||
});
|
|
||||||
})
|
})
|
||||||
->exists();
|
->exists();
|
||||||
|
|
||||||
|
if ($hasExplicit) return true;
|
||||||
|
|
||||||
|
return (bool) static::where('nav_item_id', $navItem->id)
|
||||||
|
->where('grantee_type', 'default')
|
||||||
|
->value('can_view');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -312,6 +312,122 @@ class UnifiApiClient
|
|||||||
return $this->put("/rest/wlanconf/{$wlanId}", $data);
|
return $this->put("/rest/wlanconf/{$wlanId}", $data);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Find every other WLAN that should rotate/update together with this
|
||||||
|
* one. Authoritative source: the user-defined "SSID groups" setting
|
||||||
|
* (unifi.ssid_groups) from the WiFi Networks page, which lets the
|
||||||
|
* operator manually couple WLANs that may have different SSID names.
|
||||||
|
*
|
||||||
|
* Falls back to same-SSID-name siblings for installs that haven't
|
||||||
|
* configured groups yet.
|
||||||
|
*
|
||||||
|
* Returns an array of sibling wlan IDs (excludes $wlanId itself).
|
||||||
|
*/
|
||||||
|
public function getGroupedWlans(string $wlanId): array
|
||||||
|
{
|
||||||
|
$groupsJson = Setting::get('unifi.ssid_groups', '{}');
|
||||||
|
$groups = json_decode($groupsJson, true);
|
||||||
|
if (is_array($groups)) {
|
||||||
|
foreach ($groups as $wlanIds) {
|
||||||
|
if (! is_array($wlanIds)) continue;
|
||||||
|
if (in_array($wlanId, $wlanIds, true)) {
|
||||||
|
return array_values(array_filter($wlanIds, fn ($id) => $id !== $wlanId));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return $this->getWlanSiblings($wlanId);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify an embedded PPSK has the expected passphrase right now.
|
||||||
|
* Used after an update to confirm the change actually applied —
|
||||||
|
* UniFi sometimes 200s an update that didn't stick (cluster sync
|
||||||
|
* race, hot-restart in progress, etc.).
|
||||||
|
*
|
||||||
|
* Returns ['ok' => true] on a clean match, or
|
||||||
|
* ['ok' => false, 'reason' => 'fetch_failed'|'not_found'|'mismatch']
|
||||||
|
* with optional 'error' on fetch failures.
|
||||||
|
*/
|
||||||
|
public function verifyEmbeddedPpsk(string $wlanId, string $name, string $expectedPassphrase): array
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
$entries = $this->getPpskEntries($wlanId);
|
||||||
|
} catch (\Throwable $e) {
|
||||||
|
return ['ok' => false, 'reason' => 'fetch_failed', 'error' => $e->getMessage()];
|
||||||
|
}
|
||||||
|
|
||||||
|
$networkconfId = $this->findNetworkconfIdByName($name);
|
||||||
|
|
||||||
|
foreach ($entries as $e) {
|
||||||
|
$entryName = $e['name'] ?? $e['label'] ?? $e['username'] ?? $e['privatePskName'] ?? null;
|
||||||
|
$entryNetId = $e['networkconf_id'] ?? null;
|
||||||
|
$entryMatches = ($networkconfId !== null && $entryNetId === $networkconfId)
|
||||||
|
|| ($entryName !== null && $entryName === $name);
|
||||||
|
if (! $entryMatches) continue;
|
||||||
|
|
||||||
|
$entryPass = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
|
||||||
|
return $entryPass === $expectedPassphrase
|
||||||
|
? ['ok' => true]
|
||||||
|
: ['ok' => false, 'reason' => 'mismatch'];
|
||||||
|
}
|
||||||
|
return ['ok' => false, 'reason' => 'not_found'];
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Look up a networkconf (VLAN/network) by its display name. Embedded
|
||||||
|
* PPSKs on this controller use networkconf_id as their stable
|
||||||
|
* identifier — the human "name" the operator sees is actually the
|
||||||
|
* network's name.
|
||||||
|
*/
|
||||||
|
private function findNetworkconfIdByName(string $name): ?string
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
$networks = $this->getNetworkConfs();
|
||||||
|
} catch (\Throwable) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
foreach ($networks as $n) {
|
||||||
|
if (($n['name'] ?? null) === $name) {
|
||||||
|
return $n['_id'] ?? null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Find sibling WLAN configs — same SSID name, different _id. UniFi
|
||||||
|
* splits a "banded" SSID (band-steering disabled) into one wlanconf
|
||||||
|
* per band, each with its own _id and its own embedded PPSK array.
|
||||||
|
* A rotation that updates one band must also update the others, or
|
||||||
|
* the SSID's two halves drift out of sync.
|
||||||
|
*
|
||||||
|
* Returns an array of sibling wlan IDs (excludes $wlanId itself).
|
||||||
|
* Empty array if the target WLAN is unique or can't be found.
|
||||||
|
*/
|
||||||
|
public function getWlanSiblings(string $wlanId): array
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
$all = $this->get('/rest/wlanconf');
|
||||||
|
} catch (\Throwable) {
|
||||||
|
return [];
|
||||||
|
}
|
||||||
|
|
||||||
|
$target = null;
|
||||||
|
foreach ($all as $w) {
|
||||||
|
if (($w['_id'] ?? null) === $wlanId) { $target = $w; break; }
|
||||||
|
}
|
||||||
|
if (! $target || empty($target['name'])) return [];
|
||||||
|
|
||||||
|
$siblings = [];
|
||||||
|
foreach ($all as $w) {
|
||||||
|
if (($w['_id'] ?? null) === $wlanId) continue;
|
||||||
|
if (($w['name'] ?? null) === $target['name']) {
|
||||||
|
$siblings[] = $w['_id'];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return $siblings;
|
||||||
|
}
|
||||||
|
|
||||||
// ── PPSK ─────────────────────────────────────────────────────────────────
|
// ── PPSK ─────────────────────────────────────────────────────────────────
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -496,6 +612,103 @@ class UnifiApiClient
|
|||||||
return $this->normalizePpsk(is_array($result) && isset($result[0]) ? $result : [$result]);
|
return $this->normalizePpsk(is_array($result) && isset($result[0]) ? $result : [$result]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Update an embedded PPSK (one that lives inside a WLAN's
|
||||||
|
* private_preshared_keys array rather than as its own REST resource).
|
||||||
|
*
|
||||||
|
* Matching is done by current passphrase since embedded entries have
|
||||||
|
* no controller-side ID. Only changes the entry's passphrase; name
|
||||||
|
* isn't separately addressable on embedded PPSKs.
|
||||||
|
*/
|
||||||
|
public function updateEmbeddedPpsk(string $wlanId, ?string $oldPassphrase, string $newPassphrase, ?string $name = null): array
|
||||||
|
{
|
||||||
|
$wlanResp = $this->get("/rest/wlanconf/{$wlanId}");
|
||||||
|
$wlan = $wlanResp[0] ?? $wlanResp;
|
||||||
|
$entries = $wlan['private_preshared_keys'] ?? [];
|
||||||
|
|
||||||
|
if (! is_array($entries) || empty($entries)) {
|
||||||
|
throw new \RuntimeException('WLAN has no embedded PPSKs to update.');
|
||||||
|
}
|
||||||
|
|
||||||
|
// Embedded PPSKs on this controller don't carry a name field —
|
||||||
|
// the human label ("GUEST", "3DPrinters", …) is the *network's*
|
||||||
|
// name, and each entry references it via networkconf_id. So when
|
||||||
|
// the caller passes a name, first resolve it to a networkconf_id
|
||||||
|
// and match on that. Falls back to entry-level name (other
|
||||||
|
// controller versions DO put a name on the entry) and finally
|
||||||
|
// to current passphrase.
|
||||||
|
$applyUpdate = function (array &$e) use ($newPassphrase) {
|
||||||
|
if (array_key_exists('x_passphrase', $e)) $e['x_passphrase'] = $newPassphrase;
|
||||||
|
if (array_key_exists('password', $e)) $e['password'] = $newPassphrase;
|
||||||
|
if (array_key_exists('passphrase', $e)) $e['passphrase'] = $newPassphrase;
|
||||||
|
if (! isset($e['x_passphrase']) && ! isset($e['password']) && ! isset($e['passphrase'])) {
|
||||||
|
$e['password'] = $newPassphrase;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
$networkconfId = ($name !== null && $name !== '') ? $this->findNetworkconfIdByName($name) : null;
|
||||||
|
|
||||||
|
$matched = false;
|
||||||
|
if ($networkconfId !== null) {
|
||||||
|
foreach ($entries as &$e) {
|
||||||
|
if (($e['networkconf_id'] ?? null) === $networkconfId) {
|
||||||
|
$applyUpdate($e);
|
||||||
|
$matched = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
unset($e);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (! $matched && $name !== null && $name !== '') {
|
||||||
|
foreach ($entries as &$e) {
|
||||||
|
$entryName = $e['name'] ?? $e['label'] ?? $e['username'] ?? $e['privatePskName'] ?? null;
|
||||||
|
if ($entryName === $name) {
|
||||||
|
$applyUpdate($e);
|
||||||
|
$matched = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
unset($e);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (! $matched && $oldPassphrase !== null && $oldPassphrase !== '') {
|
||||||
|
foreach ($entries as &$e) {
|
||||||
|
$current = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
|
||||||
|
if ($current === $oldPassphrase) {
|
||||||
|
$applyUpdate($e);
|
||||||
|
$matched = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
unset($e);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (! $matched) {
|
||||||
|
throw new \RuntimeException(
|
||||||
|
'Embedded PPSK not found' .
|
||||||
|
($name !== null ? " for network \"{$name}\"" : '') .
|
||||||
|
' or by current passphrase.'
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// UniFi REST expects the full WLAN object on PUT — send what we
|
||||||
|
// got back, with the mutated PPSK array.
|
||||||
|
$payload = $wlan;
|
||||||
|
$payload['private_preshared_keys'] = $entries;
|
||||||
|
// Strip internal fields the controller rejects on PUT.
|
||||||
|
unset($payload['_id'], $payload['site_id']);
|
||||||
|
|
||||||
|
$this->put("/rest/wlanconf/{$wlanId}", $payload);
|
||||||
|
|
||||||
|
// Return a normalized record so callers can read the new state.
|
||||||
|
return $this->normalizePpsk([[
|
||||||
|
'_id' => 'emb_' . substr(hash('sha256', $wlanId . ':' . $newPassphrase), 0, 32),
|
||||||
|
'wlan_id' => $wlanId,
|
||||||
|
'x_passphrase' => $newPassphrase,
|
||||||
|
]]);
|
||||||
|
}
|
||||||
|
|
||||||
public function deletePpsk(string $ppskId): void
|
public function deletePpsk(string $ppskId): void
|
||||||
{
|
{
|
||||||
// Try v2 hotspot endpoint first
|
// Try v2 hotspot endpoint first
|
||||||
|
|||||||
@@ -181,7 +181,11 @@ class WebhookCheckService
|
|||||||
$prev = DeviceState::where('device_mac', $mac)->first();
|
$prev = DeviceState::where('device_mac', $mac)->first();
|
||||||
if (! $prev) continue;
|
if (! $prev) continue;
|
||||||
|
|
||||||
// Skip planned reboots — these are intentional, not alerts
|
// Skip planned reboots — these are intentional, not alerts.
|
||||||
|
// Two layers: a global suppression window set by RebootAllAps
|
||||||
|
// (Setting, survives any cache driver), plus the per-MAC
|
||||||
|
// cache keys for finer granularity.
|
||||||
|
if ($this->inGlobalRebootSuppression()) continue;
|
||||||
if (Cache::has('unifi:planned_reboot:' . strtolower($mac))) continue;
|
if (Cache::has('unifi:planned_reboot:' . strtolower($mac))) continue;
|
||||||
|
|
||||||
if ($comingOnline) {
|
if ($comingOnline) {
|
||||||
@@ -509,6 +513,8 @@ class WebhookCheckService
|
|||||||
private function checkReboot($aps, array $filter): array
|
private function checkReboot($aps, array $filter): array
|
||||||
{
|
{
|
||||||
$alerts = [];
|
$alerts = [];
|
||||||
|
if ($this->inGlobalRebootSuppression()) return $alerts;
|
||||||
|
|
||||||
foreach ($aps as $ap) {
|
foreach ($aps as $ap) {
|
||||||
if (! empty($filter) && ! in_array($ap['mac'], $filter)) continue;
|
if (! empty($filter) && ! in_array($ap['mac'], $filter)) continue;
|
||||||
if (Cache::has('unifi:planned_reboot:' . strtolower($ap['mac']))) continue;
|
if (Cache::has('unifi:planned_reboot:' . strtolower($ap['mac']))) continue;
|
||||||
@@ -580,6 +586,33 @@ class WebhookCheckService
|
|||||||
}
|
}
|
||||||
|
|
||||||
private function formatPayloadForPlatform(string $url, string $message, array $fullPayload): array
|
private function formatPayloadForPlatform(string $url, string $message, array $fullPayload): array
|
||||||
|
{
|
||||||
|
return self::buildPlatformPayload($url, $message, $fullPayload);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Is a fleet reboot in progress right now? RebootAllAps stamps a
|
||||||
|
* suppression-until timestamp as a Setting; while that timestamp
|
||||||
|
* is in the future, we skip all device-offline / device-online /
|
||||||
|
* unexpected-reboot alerts to avoid flooding webhooks during the
|
||||||
|
* known maintenance window.
|
||||||
|
*/
|
||||||
|
private function inGlobalRebootSuppression(): bool
|
||||||
|
{
|
||||||
|
$until = \App\Models\Setting::get('unifi.reboot_suppression_until');
|
||||||
|
if (! $until) return false;
|
||||||
|
try {
|
||||||
|
return \Carbon\Carbon::parse($until)->isFuture();
|
||||||
|
} catch (\Throwable) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Public/static helper so the test-webhook endpoint produces the
|
||||||
|
* same per-platform payload shape that real events do.
|
||||||
|
*/
|
||||||
|
public static function buildPlatformPayload(string $url, string $message, array $fullPayload): array
|
||||||
{
|
{
|
||||||
if (str_contains($url, 'chat.googleapis.com')) return ['text' => $message];
|
if (str_contains($url, 'chat.googleapis.com')) return ['text' => $message];
|
||||||
if (str_contains($url, 'hooks.slack.com')) return ['text' => $message];
|
if (str_contains($url, 'hooks.slack.com')) return ['text' => $message];
|
||||||
|
|||||||
@@ -2,7 +2,6 @@
|
|||||||
|
|
||||||
namespace Dashboard\Unifi;
|
namespace Dashboard\Unifi;
|
||||||
|
|
||||||
use App\Models\DashboardApp;
|
|
||||||
use App\Models\NavItem;
|
use App\Models\NavItem;
|
||||||
use Dashboard\Unifi\Models\UnifiPageGrant;
|
use Dashboard\Unifi\Models\UnifiPageGrant;
|
||||||
use Illuminate\Routing\Events\RouteMatched;
|
use Illuminate\Routing\Events\RouteMatched;
|
||||||
@@ -25,32 +24,34 @@ class UnifiServiceProvider extends ServiceProvider
|
|||||||
$this->loadRoutesFrom(__DIR__ . '/routes/unifi.php');
|
$this->loadRoutesFrom(__DIR__ . '/routes/unifi.php');
|
||||||
$this->loadMigrationsFrom(__DIR__ . '/../database/migrations');
|
$this->loadMigrationsFrom(__DIR__ . '/../database/migrations');
|
||||||
|
|
||||||
// Per-page access enforcement for unifi routes. If a unifi page has
|
// Tell the shell's nav sidebar which unifi nav items the user
|
||||||
// any UnifiPageGrant rows, only super-admins and granted users/
|
// can see: pages whose required_permission the user holds through
|
||||||
// groups can hit it; otherwise (no grants) it's open per the existing
|
// groups, plus pages granted via the Settings → Access tab. The
|
||||||
// permission middleware. Super-admins always bypass.
|
// shell also folds these grants back into User::can()/allPermissions
|
||||||
|
// so the route-level permission middleware passes for grantees.
|
||||||
|
try {
|
||||||
|
app(\App\Support\NavVisibilityRegistry::class)->register(
|
||||||
|
'unifi.',
|
||||||
|
fn (\App\Models\User $user) => $this->visibleUnifiNavItemIdsFor($user),
|
||||||
|
);
|
||||||
|
} catch (\Throwable) {
|
||||||
|
// Shell may not have the registry yet (older shell version).
|
||||||
|
// Sidebar will fall back to legacy permission filter.
|
||||||
|
}
|
||||||
|
|
||||||
|
// Per-page enforcement for unifi pages. Settings stays on its
|
||||||
|
// permission:unifi.settings route middleware (the Access tab
|
||||||
|
// itself lives there and must not be able to lock itself out).
|
||||||
|
// The user-dependent check lives in middleware appended to the
|
||||||
|
// matched route: RouteMatched fires before the session/auth
|
||||||
|
// middleware run, so request->user() is null here and any check
|
||||||
|
// at this point silently fails open.
|
||||||
Event::listen(RouteMatched::class, function (RouteMatched $event) {
|
Event::listen(RouteMatched::class, function (RouteMatched $event) {
|
||||||
$routeName = $event->route->getName();
|
$routeName = $event->route->getName();
|
||||||
if (! $routeName || ! str_starts_with($routeName, 'unifi.')) return;
|
if (! $routeName || ! str_starts_with($routeName, 'unifi.')) return;
|
||||||
|
if (str_starts_with($routeName, 'unifi.settings')) return;
|
||||||
|
|
||||||
$user = $event->request->user();
|
$event->route->middleware(\Dashboard\Unifi\Http\Middleware\EnforceUnifiPageGrant::class);
|
||||||
if (! $user || $user->is_super_admin) return;
|
|
||||||
|
|
||||||
try {
|
|
||||||
$appId = DashboardApp::where('slug', 'unifi')->value('id');
|
|
||||||
$item = NavItem::where('route_name', $routeName)
|
|
||||||
->where('app_id', $appId)
|
|
||||||
->first();
|
|
||||||
if (! $item) return;
|
|
||||||
|
|
||||||
if (! UnifiPageGrant::userCanAccess($user, $item)) {
|
|
||||||
abort(403, 'You do not have access to this page.');
|
|
||||||
}
|
|
||||||
} catch (\Throwable) {
|
|
||||||
// unifi_page_grants table may not exist yet on a fresh
|
|
||||||
// install before this snap-in's migrations have run —
|
|
||||||
// fail open in that narrow window.
|
|
||||||
}
|
|
||||||
});
|
});
|
||||||
|
|
||||||
if ($this->app->runningInConsole()) {
|
if ($this->app->runningInConsole()) {
|
||||||
@@ -67,4 +68,58 @@ class UnifiServiceProvider extends ServiceProvider
|
|||||||
], 'unifi-config');
|
], 'unifi-config');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Collect every unifi nav_item_id this user is allowed to see. */
|
||||||
|
protected function visibleUnifiNavItemIdsFor(\App\Models\User $user): \Illuminate\Support\Collection
|
||||||
|
{
|
||||||
|
$ids = collect();
|
||||||
|
|
||||||
|
// Pages whose required_permission the user already holds through
|
||||||
|
// groups keep showing, independent of the access-grant matrix.
|
||||||
|
$permittedIds = NavItem::where('route_name', 'like', 'unifi.%')
|
||||||
|
->whereIn('required_permission', static::realPermissionKeysFor($user))
|
||||||
|
->pluck('id');
|
||||||
|
$ids = $ids->merge($permittedIds);
|
||||||
|
|
||||||
|
if (\Illuminate\Support\Facades\Schema::hasTable('unifi_page_grants')) {
|
||||||
|
$groupIds = $user->groups()->pluck('groups.id');
|
||||||
|
$roleIds = $user->roles()->pluck('roles.id');
|
||||||
|
|
||||||
|
$grantedIds = UnifiPageGrant::query()
|
||||||
|
->where('can_view', true)
|
||||||
|
->where(function ($q) use ($user, $groupIds, $roleIds) {
|
||||||
|
$q->where(fn ($u) => $u->where('grantee_type', 'user')->where('grantee_id', $user->id))
|
||||||
|
->orWhere(fn ($g) => $g->where('grantee_type', 'group')->whereIn('grantee_id', $groupIds))
|
||||||
|
->orWhere(fn ($r) => $r->where('grantee_type', 'role')->whereIn('grantee_id', $roleIds))
|
||||||
|
// Default-allow row makes the page visible to everyone.
|
||||||
|
->orWhere('grantee_type', 'default');
|
||||||
|
})
|
||||||
|
->pluck('nav_item_id');
|
||||||
|
$ids = $ids->merge($grantedIds);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $ids->unique()->values();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Group + direct permissions only. Deliberately NOT allPermissions():
|
||||||
|
* the shell folds page-grant permissions back into allPermissions/can,
|
||||||
|
* so using it here would turn a single granted page into every page
|
||||||
|
* carrying the same permission.
|
||||||
|
*/
|
||||||
|
public static function realPermissionKeysFor(\App\Models\User $user): \Illuminate\Support\Collection
|
||||||
|
{
|
||||||
|
if ($user->is_super_admin) {
|
||||||
|
return \App\Models\Permission::pluck('key');
|
||||||
|
}
|
||||||
|
|
||||||
|
$direct = $user->directPermissions()->get();
|
||||||
|
|
||||||
|
return \App\Models\Permission::whereHas('groups', fn ($q) => $q->whereIn('group_id', $user->groups()->pluck('groups.id')))
|
||||||
|
->pluck('key')
|
||||||
|
->merge($direct->where('granted', true)->pluck('permission_key'))
|
||||||
|
->diff($direct->where('granted', false)->pluck('permission_key'))
|
||||||
|
->unique()
|
||||||
|
->values();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -9,6 +9,7 @@ use Dashboard\Unifi\Http\Controllers\UnifiPagesAccessController;
|
|||||||
use Dashboard\Unifi\Http\Controllers\UnifiSettingsController;
|
use Dashboard\Unifi\Http\Controllers\UnifiSettingsController;
|
||||||
use Dashboard\Unifi\Http\Controllers\VlanGroupController;
|
use Dashboard\Unifi\Http\Controllers\VlanGroupController;
|
||||||
use Dashboard\Unifi\Http\Controllers\WebhookController;
|
use Dashboard\Unifi\Http\Controllers\WebhookController;
|
||||||
|
use Dashboard\Unifi\Http\Controllers\WifiApiController;
|
||||||
use Dashboard\Unifi\Http\Controllers\WifiController;
|
use Dashboard\Unifi\Http\Controllers\WifiController;
|
||||||
use Illuminate\Support\Facades\Route;
|
use Illuminate\Support\Facades\Route;
|
||||||
|
|
||||||
@@ -68,29 +69,47 @@ Route::middleware(['web', 'auth', 'app.access:unifi'])
|
|||||||
// ── Settings ─────────────────────────────────────────────────────────
|
// ── Settings ─────────────────────────────────────────────────────────
|
||||||
Route::middleware('permission:unifi.settings')->group(function () {
|
Route::middleware('permission:unifi.settings')->group(function () {
|
||||||
Route::get('/settings', [UnifiSettingsController::class, 'edit']) ->name('settings');
|
Route::get('/settings', [UnifiSettingsController::class, 'edit']) ->name('settings');
|
||||||
|
Route::get('/settings/{tab}', [UnifiSettingsController::class, 'edit'])
|
||||||
|
->where('tab', 'connection|tasks|logs|access')->name('settings.tab');
|
||||||
Route::post('/settings', [UnifiSettingsController::class, 'update']) ->name('settings.update');
|
Route::post('/settings', [UnifiSettingsController::class, 'update']) ->name('settings.update');
|
||||||
Route::post('/settings/test', [UnifiSettingsController::class, 'testConnection'])->name('settings.test');
|
Route::post('/settings/test', [UnifiSettingsController::class, 'testConnection'])->name('settings.test');
|
||||||
Route::post('/settings/sites', [UnifiSettingsController::class, 'fetchSites']) ->name('settings.sites');
|
Route::post('/settings/sites', [UnifiSettingsController::class, 'fetchSites']) ->name('settings.sites');
|
||||||
|
|
||||||
// Page Access — super-admin only. Lists unifi pages and lets
|
// Page Access — super-admin only. Lists unifi pages and lets
|
||||||
// operators assign per-page user/group grants.
|
// operators assign per-page user/group/role grants plus the
|
||||||
|
// per-page "everyone else" default row (deny by default).
|
||||||
Route::middleware('super.admin')->group(function () {
|
Route::middleware('super.admin')->group(function () {
|
||||||
Route::get('/settings/pages-access', [UnifiPagesAccessController::class, 'index']) ->name('settings.pages-access.index');
|
Route::get('/settings/pages-access', [UnifiPagesAccessController::class, 'index']) ->name('settings.pages-access.index');
|
||||||
|
Route::get('/settings/pages-access/users/search', [UnifiPagesAccessController::class, 'searchUsers'])->name('settings.pages-access.users.search');
|
||||||
|
Route::get('/settings/pages-access/groups/search', [UnifiPagesAccessController::class, 'searchGroups'])->name('settings.pages-access.groups.search');
|
||||||
|
Route::get('/settings/pages-access/roles/search', [UnifiPagesAccessController::class, 'searchRoles'])->name('settings.pages-access.roles.search');
|
||||||
Route::put('/settings/pages-access/{navItem}', [UnifiPagesAccessController::class, 'update']) ->name('settings.pages-access.update');
|
Route::put('/settings/pages-access/{navItem}', [UnifiPagesAccessController::class, 'update']) ->name('settings.pages-access.update');
|
||||||
});
|
});
|
||||||
|
|
||||||
// Cron logs — read-only history of scheduled-task runs.
|
// Cron logs — read-only history of scheduled-task runs.
|
||||||
Route::get('/settings/cron-logs', [UnifiCronLogsController::class, 'index'])->name('settings.cron-logs.index');
|
Route::get('/settings/cron-logs', [UnifiCronLogsController::class, 'index'])->name('settings.cron-logs.index');
|
||||||
|
|
||||||
// Webhooks
|
// Webhooks — lives under /settings/* so it reads as a settings tab.
|
||||||
Route::get('/webhooks', [WebhookController::class, 'index']) ->name('webhooks.index');
|
Route::get('/settings/webhooks', [WebhookController::class, 'index']) ->name('webhooks.index');
|
||||||
Route::post('/webhooks', [WebhookController::class, 'store']) ->name('webhooks.store');
|
Route::post('/settings/webhooks', [WebhookController::class, 'store']) ->name('webhooks.store');
|
||||||
Route::put('/webhooks/{webhook}', [WebhookController::class, 'update']) ->name('webhooks.update');
|
Route::put('/settings/webhooks/{webhook}', [WebhookController::class, 'update']) ->name('webhooks.update');
|
||||||
Route::delete('/webhooks/{webhook}', [WebhookController::class, 'destroy'])->name('webhooks.destroy');
|
Route::delete('/settings/webhooks/{webhook}', [WebhookController::class, 'destroy'])->name('webhooks.destroy');
|
||||||
Route::post('/webhooks/{webhook}/test', [WebhookController::class, 'test']) ->name('webhooks.test');
|
Route::post('/settings/webhooks/{webhook}/test', [WebhookController::class, 'test']) ->name('webhooks.test');
|
||||||
|
Route::post('/settings/webhooks/test-url', [WebhookController::class, 'testUrl'])->name('webhooks.test-url');
|
||||||
|
|
||||||
|
// API-token management
|
||||||
|
Route::post('/settings/api-token/regenerate', [UnifiSettingsController::class, 'regenerateApiToken'])->name('settings.api-token.regenerate');
|
||||||
|
Route::delete('/settings/api-token', [UnifiSettingsController::class, 'clearApiToken']) ->name('settings.api-token.clear');
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// ── Public API (token-protected) ──────────────────────────────────────────
|
||||||
|
// External integrations (signage, kiosks) hit these without session auth.
|
||||||
|
Route::prefix('api/unifi')->name('unifi.api.')->group(function () {
|
||||||
|
Route::get('/wifi/current-password', [WifiApiController::class, 'currentPassword'])
|
||||||
|
->name('wifi.current-password');
|
||||||
|
});
|
||||||
|
|
||||||
// ── Captive portal callback (public — user redirected here by UniFi) ─────
|
// ── Captive portal callback (public — user redirected here by UniFi) ─────
|
||||||
Route::middleware(['web', 'auth'])
|
Route::middleware(['web', 'auth'])
|
||||||
->get('/portal/wifi/callback', [PortalController::class, 'captiveCallback'])
|
->get('/portal/wifi/callback', [PortalController::class, 'captiveCallback'])
|
||||||
|
|||||||
Reference in New Issue
Block a user