jwed/dashboard-unifi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jwed:v1.6.3
Branches Tags
jwed:master
jwed:v1.12.1 jwed:v1.12.0 jwed:v1.11.1 jwed:v1.11.0 jwed:v1.10.4 jwed:v1.10.2 jwed:v1.10.1 jwed:v1.10.0 jwed:v1.9.1 jwed:v1.9.0 jwed:v1.8.1 jwed:v1.8.0 jwed:v1.7.1 jwed:v1.7.0 jwed:v1.6.3 jwed:v1.6.2 jwed:v1.6.1 jwed:v1.6.0 jwed:v1.5.5 jwed:v1.5.4 jwed:v1.5.3 jwed:v1.5.2 jwed:v1.5.1 jwed:v1.5.0 jwed:v1.4.0 jwed:v1.3.1 jwed:v1.3.0 jwed:v1.2.0 jwed:v1.1.0
...
compare: jwed:v1.10.1
Branches Tags
jwed:master
jwed:v1.12.1 jwed:v1.12.0 jwed:v1.11.1 jwed:v1.11.0 jwed:v1.10.4 jwed:v1.10.2 jwed:v1.10.1 jwed:v1.10.0 jwed:v1.9.1 jwed:v1.9.0 jwed:v1.8.1 jwed:v1.8.0 jwed:v1.7.1 jwed:v1.7.0 jwed:v1.6.3 jwed:v1.6.2 jwed:v1.6.1 jwed:v1.6.0 jwed:v1.5.5 jwed:v1.5.4 jwed:v1.5.3 jwed:v1.5.2 jwed:v1.5.1 jwed:v1.5.0 jwed:v1.4.0 jwed:v1.3.1 jwed:v1.3.0 jwed:v1.2.0 jwed:v1.1.0

8 Commits
v1.6.3 ... v1.10.1

Author SHA1 Message Date
jwed
e5cc075938 fix(banded ssid): treat "PPSK not on this band" as a quiet skip 
The sibling-rotation path's "Embedded PPSK not found" error was being
surfaced to the operator as a failure, but it's not — it just means
the PPSK isn't mirrored on that band (GUEST was configured on one
band only, which is a perfectly valid setup). Logging this as a
sibling failure also poisoned the cron run status to "partial".

Now: "not found"-style errors from updateEmbeddedPpsk on a sibling
become info-level log entries and the loop continues. Other errors
(API failures, permissions, etc.) still surface as warnings/failures.

v1.10.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-24 20:43:10 -04:00
jwed
4ec4a293c0 release: 1.10.0 — rolls up 1.9.1 (banded-SSID PPSK match by name) 
Bundled stable cut for prod. Contents since 1.9.0:

* fix(banded ssid): updateEmbeddedPpsk now matches embedded PPSK
  entries by name first (e.g. "GUEST") and falls back to current
  passphrase. Name-matching survives any passphrase drift caused by
  pre-1.8.1 out-of-band manual edits — the sibling-rotation failure
  reported on prod after upgrading to 1.9.0 no longer happens.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-24 20:40:13 -04:00
jwed
720e94c54a fix(banded ssid): match embedded PPSK by name first, passphrase fallback 
The sibling-update path on prod failed with "Embedded PPSK not found
by current passphrase" because the DB-stored x_passphrase on the
unedited band was stale — earlier manual edits (pre-1.8.1) only
touched one band, leaving the other band's row out of sync. When
rotation then tried to use that stale passphrase to find the entry,
no match.

updateEmbeddedPpsk now takes an optional $name parameter and tries it
first. PPSK names within a WLAN are unique, so name-matching survives
any passphrase drift caused by historical out-of-band edits.
Passphrase matching stays as a fallback for callers that don't have
a name (none currently — both rotation and the manual modal pass it).

v1.9.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-24 20:38:10 -04:00
jwed
2be17c70db release: 1.9.0 — rolls up the 1.8.1 patch series 
Bundled stable cut for prod. Contents since 1.8.0:

* fix(rotate): unifi.password_rotation.last_password is now saved on
  successful PPSK rotation as well as whole-SSID rotation. PPSK-only
  setups (typical guest-WiFi configurations) will populate the
  Settings → Tasks "current password" display and the
  /api/unifi/wifi/current-password endpoint after the next rotation.

* fix(banded-ssid): when an SSID is split across 2.4 and 5GHz bands
  (band-steering disabled — two wlanconf rows with the same name),
  rotating or manually editing a PPSK on one band now also updates
  the same-name PPSK on every sibling band. Previously the two halves
  drifted out of sync. Both the rotation scheduler and the WiFi modal
  use the new UnifiApiClient::getWlanSiblings helper.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-24 20:33:48 -04:00
jwed
31686a35d5 fix(rotate): record PPSK rotation password + sync banded-SSID siblings 
Three bugs reported from prod after a PPSK rotation:

1. unifi.password_rotation.last_password was only saved after a
   whole-SSID rotation. PPSK-only setups (the typical guest-WiFi case)
   ran a successful rotation but the setting stayed empty, so the
   Settings → Tasks UI never showed the current password and the
   /api/unifi/wifi/current-password endpoint returned 404
   "no rotated password recorded yet". The PPSK loop now writes
   last_password on every successful PPSK rotation.

2. When an SSID is "banded" (band-steering disabled), UniFi splits it
   into one wlanconf per band — 2.4GHz and 5GHz each get their own _id
   and their own embedded PPSK array. Rotating the PPSK on one band
   left the other band with the old password. New
   UnifiApiClient::getWlanSiblings($wlanId) finds all wlanconfs that
   share an SSID name; both rotation and the manual modal edit now
   call updateEmbeddedPpsk on each sibling and update the matching
   UnifiPpsk DB rows.

3. The manual WiFi modal edit had the same band-blindness as #2 —
   editing the GUEST PPSK on the 2.4GHz half left the 5GHz half stale.
   WifiController::ppskUpdate now walks siblings the same way.

v1.8.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-24 20:32:15 -04:00
jwed
8769308dfd release: 1.8.0 — rolls up the 1.7.1 patch series 
Bundled stable cut for prod. Contents since 1.7.0:

* feat(access): strict allowlist enforcement. A unifi page with NO
  grants is now visible only to super-admins — previously it fell back
  to "open for anyone with the route permission". Matches the new
  dashboard-wide access model.
* feat(access): the Access tab now adds groups by typeahead search,
  mirroring the user-search flow. Only granted groups + super-admin
  groups appear in the matrix; other groups are added on demand.
* fix(access): ungranted users hitting a unifi URL get 404 instead of
  403 so the page doesn't leak its existence.

Breaking note: super-admins continue to see everything. Non-super
users that previously accessed a unifi page via permission alone now
need an explicit grant in the Access tab. Configure grants before
relying on existing permission-based access.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-24 20:17:21 -04:00
jwed
f5848907f5 feat(access): strict allowlist + add groups by search 
* UnifiPageGrant::userCanAccess no longer falls back to "open" when a
  page has no grants saved. Pages now require an explicit grant for
  every non-super-admin user — either a direct user grant or via a
  group they belong to. Matches the new dashboard-wide access model.
* Route enforcement returns 404 (was 403) so ungranted users can't even
  confirm the page exists.
* New /settings/pages-access/groups/search endpoint mirrors the
  user typeahead. Groups are no longer all listed by default — only
  super-admin groups (locked-on) and groups with at least one existing
  grant show up in the matrix. Operators add more via search.

v1.7.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-24 19:59:28 -04:00
jwed
f953fde2be release: 1.7.0 — rolls up the 1.6.1/1.6.2/1.6.3 patch series 
Bundled cut for the stable channel. Contents since 1.6.0:

* fix(webhooks): test endpoint formats payload per platform (Google
  Chat / Slack / Discord / Teams) so the Test URL button actually
  succeeds against those targets instead of getting a 400 back.
* fix(schema): add missing unifi_device_states.consecutive_count
  column the scheduled snapshot capture was failing to insert.
* feat(rotate): persist the active rotated password as
  unifi.password_rotation.last_password whenever a whole-SSID
  rotation succeeds. Surfaced in Settings → Tasks under the wordlist.
* feat(api): new GET /api/unifi/wifi/current-password JSON endpoint
  for external signage / kiosks. Token-protected via
  Authorization: Bearer or ?token= query. 401 / 503 / 404 on missing
  auth, disabled API, or no rotation yet.
* feat(settings): "Expose WiFi password API" checkbox under the
  rotate-passwords block. Off by default. Generate / Regenerate /
  Clear token controls and a copy-paste curl example.

No breaking changes. Drop-in upgrade from 1.6.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-24 19:50:44 -04:00
8 changed files with 195 additions and 32 deletions
Expand all files Collapse all files

2
composer.json
View File

@@ -1,7 +1,7 @@
{ {
"name": "dashboard/unifi", "name": "dashboard/unifi",
"description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform", "description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform",
"version": "1.6.3", "version": "1.10.1",
"type": "library", "type": "library",
"license": "MIT", "license": "MIT",
"autoload": { "autoload": {

46
src/Console/RotatePasswords.php
View File

@@ -81,15 +81,57 @@ class RotatePasswords extends Command
try { try {
if (str_starts_with((string) $ppsk->unifi_id, 'emb_')) { if (str_starts_with((string) $ppsk->unifi_id, 'emb_')) {
// Embedded PPSK: update inside the parent WLAN object. // Embedded PPSK: update inside the parent WLAN object.
// Synthetic ID is derived from the new passphrase, so update it too. // Match by name (most reliable) — falls back to
$unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass); // passphrase if name is missing.
$unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass, $ppsk->name);
$newUid = 'emb_' . substr(hash('sha256', $ppsk->wlan_id . ':' . $newPass), 0, 32); $newUid = 'emb_' . substr(hash('sha256', $ppsk->wlan_id . ':' . $newPass), 0, 32);
$ppsk->update(['x_passphrase' => $newPass, 'unifi_id' => $newUid]); $ppsk->update(['x_passphrase' => $newPass, 'unifi_id' => $newUid]);
// Sibling WLANs (same SSID name on a different band):
// rotate the matching-name PPSK in each so the
// SSID's 2.4/5GHz halves stay in sync.
foreach ($unifi->getWlanSiblings($ppsk->wlan_id) as $siblingWlanId) {
$sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
->where('name', $ppsk->name)
->where('state', 'active')
->first();
try {
$unifi->updateEmbeddedPpsk($siblingWlanId, $sibling?->x_passphrase, $newPass, $ppsk->name);
if ($sibling) {
$sibling->update([
'x_passphrase' => $newPass,
'unifi_id' => 'emb_' . substr(hash('sha256', $siblingWlanId . ':' . $newPass), 0, 32),
]);
}
} catch (\Throwable $e) {
// "Not found" in a sibling just means the
// PPSK isn't mirrored on that band — totally
// normal if GUEST was only configured on one
// band. Skip quietly; don't poison the
// run status.
if (str_contains($e->getMessage(), 'not found')) {
\Illuminate\Support\Facades\Log::info('unifi.ppsk_sibling_skipped', [
'sibling_wlan' => $siblingWlanId,
'ppsk_name' => $ppsk->name,
]);
continue;
}
$this->error("Sibling rotate failed for wlan {$siblingWlanId}: {$e->getMessage()}");
$failedPpsks[] = ['name' => $ppsk->name . ' (sibling wlan ' . $siblingWlanId . ')', 'error' => $e->getMessage()];
}
}
} else { } else {
$unifi->updatePpsk($ppsk->unifi_id, ['x_passphrase' => $newPass]); $unifi->updatePpsk($ppsk->unifi_id, ['x_passphrase' => $newPass]);
$ppsk->update(['x_passphrase' => $newPass]); $ppsk->update(['x_passphrase' => $newPass]);
} }
$rotatedPpsks[] = $ppsk->name; $rotatedPpsks[] = $ppsk->name;
// Save the active password every time a rotation
// succeeds — covers PPSK-only rotation setups where
// there's no whole-SSID rotation. Last successful
// password wins if multiple PPSKs rotate in one run.
Setting::set('unifi.password_rotation.last_password', $newPass);
Setting::set('unifi.password_rotation.last_rotated_at', now()->toIso8601String());
} catch (\Throwable $e) { } catch (\Throwable $e) {
$this->error("Failed to rotate PPSK \"{$ppsk->name}\": {$e->getMessage()}"); $this->error("Failed to rotate PPSK \"{$ppsk->name}\": {$e->getMessage()}");
$failedPpsks[] = ['name' => $ppsk->name, 'error' => $e->getMessage()]; $failedPpsks[] = ['name' => $ppsk->name, 'error' => $e->getMessage()];

32
src/Http/Controllers/UnifiPagesAccessController.php
View File

@@ -40,6 +40,15 @@ class UnifiPagesAccessController extends Controller
$grantedUserIds = $grants->flatten(1)->where('grantee_type', 'user')->pluck('grantee_id')->unique(); $grantedUserIds = $grants->flatten(1)->where('grantee_type', 'user')->pluck('grantee_id')->unique();
$users = User::whereIn('id', $grantedUserIds)->orderBy('name')->get(['id', 'name', 'email']); $users = User::whereIn('id', $grantedUserIds)->orderBy('name')->get(['id', 'name', 'email']);
// Groups: always include super-admin groups (locked-on across all
// pages) plus any group with at least one grant. Other groups are
// added via searchGroups.
$grantedGroupIds = $grants->flatten(1)->where('grantee_type', 'group')->pluck('grantee_id')->unique();
$groups = Group::where(function ($q) use ($grantedGroupIds) {
$q->where('is_super', true)
->orWhereIn('id', $grantedGroupIds);
})->orderBy('name')->get(['id', 'name', 'is_super']);
return response()->json([ return response()->json([
'pages' => $pages->map(fn ($p) => [ 'pages' => $pages->map(fn ($p) => [
'id' => $p->id, 'id' => $p->id,
@@ -49,7 +58,7 @@ class UnifiPagesAccessController extends Controller
'group_ids' => $grants->get($p->id, collect())->where('grantee_type', 'group')->pluck('grantee_id')->all(), 'group_ids' => $grants->get($p->id, collect())->where('grantee_type', 'group')->pluck('grantee_id')->all(),
])->values(), ])->values(),
'users' => $users, 'users' => $users,
'groups' => Group::orderBy('name')->get(['id', 'name', 'is_super']), 'groups' => $groups,
]); ]);
} }
@@ -76,6 +85,27 @@ class UnifiPagesAccessController extends Controller
return response()->json(['users' => $users]); return response()->json(['users' => $users]);
} }
/**
* Typeahead-style search for groups to add to the access matrix.
* Excludes super-admin groups (they're already in the matrix and
* locked-on across every page).
*/
public function searchGroups(Request $request)
{
$q = trim((string) $request->query('q', ''));
if (strlen($q) < 2) {
return response()->json(['groups' => []]);
}
$groups = Group::where('name', 'like', '%' . $q . '%')
->where(function ($w) { $w->where('is_super', false)->orWhereNull('is_super'); })
->orderBy('name')
->limit(20)
->get(['id', 'name', 'is_super']);
return response()->json(['groups' => $groups]);
}
public function update(Request $request, NavItem $navItem) public function update(Request $request, NavItem $navItem)
{ {
$app = DashboardApp::where('slug', 'unifi')->first(); $app = DashboardApp::where('slug', 'unifi')->first();

34
src/Http/Controllers/WifiController.php
View File

@@ -293,9 +293,37 @@ class WifiController extends Controller
if (! empty($unifiUpdate)) { if (! empty($unifiUpdate)) {
if (str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])) { if (str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])) {
// Embedded PPSK update path — modify the WLAN's embedded array. // Embedded PPSK update path — modify the WLAN's embedded array.
$unifi->updateEmbeddedPpsk($record->wlan_id, $record->x_passphrase, $unifiUpdate['x_passphrase']); // Match by name (reliable across drift).
// Synthetic id is derived from the new passphrase. $newPass = $unifiUpdate['x_passphrase'];
$data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $unifiUpdate['x_passphrase']), 0, 32); $unifi->updateEmbeddedPpsk($record->wlan_id, $record->x_passphrase, $newPass, $record->name);
$data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $newPass), 0, 32);
// Also update sibling WLANs (banded SSID — same name
// on 2.4 and 5GHz are separate wlanconf rows).
foreach ($unifi->getWlanSiblings($record->wlan_id) as $siblingWlanId) {
$sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
->where('name', $record->name)
->where('state', 'active')
->first();
try {
$unifi->updateEmbeddedPpsk($siblingWlanId, $sibling?->x_passphrase, $newPass, $record->name);
if ($sibling) {
$sibling->update([
'x_passphrase' => $newPass,
'unifi_id' => 'emb_' . substr(hash('sha256', $siblingWlanId . ':' . $newPass), 0, 32),
]);
}
} catch (\Throwable $e) {
// PPSK absent on this band is fine — just
// means it isn't mirrored. Anything else
// gets warning-logged.
$level = str_contains($e->getMessage(), 'not found') ? 'info' : 'warning';
\Illuminate\Support\Facades\Log::log($level, 'unifi.ppsk_sibling_update', [
'sibling_wlan' => $siblingWlanId,
'error' => $e->getMessage(),
]);
}
}
} else { } else {
$unifi->updatePpsk($record->unifi_id, $unifiUpdate); $unifi->updatePpsk($record->unifi_id, $unifiUpdate);
} }

16
src/Models/UnifiPageGrant.php
View File

@@ -29,18 +29,20 @@ class UnifiPageGrant extends Model
} }
/** /**
* True iff $user is allowed to access $navItem under this grant model. * True iff $user is allowed to access $navItem under strict allowlist
* Super-admins always pass. * semantics:
* If there are NO grants for the page, falls back to "open" (anyone * * super-admins (the model-level flag) always pass
* who can reach the route can access — same as before grants existed). * * otherwise the user must be a direct grantee, OR be in a group
* that is a grantee
*
* A page with NO grants saved is only visible to super-admins —
* the admin must explicitly authorize everyone else via the
* Access tab.
*/ */
public static function userCanAccess(User $user, NavItem $navItem): bool public static function userCanAccess(User $user, NavItem $navItem): bool
{ {
if ($user->is_super_admin) return true; if ($user->is_super_admin) return true;
$hasGrants = static::where('nav_item_id', $navItem->id)->exists();
if (! $hasGrants) return true;
$groupIds = $user->groups()->pluck('groups.id'); $groupIds = $user->groups()->pluck('groups.id');
return static::where('nav_item_id', $navItem->id) return static::where('nav_item_id', $navItem->id)

74
src/Services/UnifiApiClient.php
View File

@@ -312,6 +312,40 @@ class UnifiApiClient
return $this->put("/rest/wlanconf/{$wlanId}", $data); return $this->put("/rest/wlanconf/{$wlanId}", $data);
} }
/**
* Find sibling WLAN configs — same SSID name, different _id. UniFi
* splits a "banded" SSID (band-steering disabled) into one wlanconf
* per band, each with its own _id and its own embedded PPSK array.
* A rotation that updates one band must also update the others, or
* the SSID's two halves drift out of sync.
*
* Returns an array of sibling wlan IDs (excludes $wlanId itself).
* Empty array if the target WLAN is unique or can't be found.
*/
public function getWlanSiblings(string $wlanId): array
{
try {
$all = $this->get('/rest/wlanconf');
} catch (\Throwable) {
return [];
}
$target = null;
foreach ($all as $w) {
if (($w['_id'] ?? null) === $wlanId) { $target = $w; break; }
}
if (! $target || empty($target['name'])) return [];
$siblings = [];
foreach ($all as $w) {
if (($w['_id'] ?? null) === $wlanId) continue;
if (($w['name'] ?? null) === $target['name']) {
$siblings[] = $w['_id'];
}
}
return $siblings;
}
// ── PPSK ───────────────────────────────────────────────────────────────── // ── PPSK ─────────────────────────────────────────────────────────────────
/** /**
@@ -504,7 +538,7 @@ class UnifiApiClient
* no controller-side ID. Only changes the entry's passphrase; name * no controller-side ID. Only changes the entry's passphrase; name
* isn't separately addressable on embedded PPSKs. * isn't separately addressable on embedded PPSKs.
*/ */
public function updateEmbeddedPpsk(string $wlanId, string $oldPassphrase, string $newPassphrase): array public function updateEmbeddedPpsk(string $wlanId, ?string $oldPassphrase, string $newPassphrase, ?string $name = null): array
{ {
$wlanResp = $this->get("/rest/wlanconf/{$wlanId}"); $wlanResp = $this->get("/rest/wlanconf/{$wlanId}");
$wlan = $wlanResp[0] ?? $wlanResp; $wlan = $wlanResp[0] ?? $wlanResp;
@@ -514,26 +548,50 @@ class UnifiApiClient
throw new \RuntimeException('WLAN has no embedded PPSKs to update.'); throw new \RuntimeException('WLAN has no embedded PPSKs to update.');
} }
$matched = false; // Match in this order — most reliable first:
foreach ($entries as &$e) { // 1. by PPSK name (if provided) — survives passphrase drift
$current = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null; // caused by manual edits or previous out-of-sync rotations.
if ($current === $oldPassphrase) { // 2. by current passphrase (legacy)
// Preserve whichever field name the controller is using. $applyUpdate = function (array &$e) use ($newPassphrase) {
if (array_key_exists('x_passphrase', $e)) $e['x_passphrase'] = $newPassphrase; if (array_key_exists('x_passphrase', $e)) $e['x_passphrase'] = $newPassphrase;
if (array_key_exists('password', $e)) $e['password'] = $newPassphrase; if (array_key_exists('password', $e)) $e['password'] = $newPassphrase;
if (array_key_exists('passphrase', $e)) $e['passphrase'] = $newPassphrase; if (array_key_exists('passphrase', $e)) $e['passphrase'] = $newPassphrase;
// If none of the above existed, default to password (most common on embedded).
if (! isset($e['x_passphrase']) && ! isset($e['password']) && ! isset($e['passphrase'])) { if (! isset($e['x_passphrase']) && ! isset($e['password']) && ! isset($e['passphrase'])) {
$e['password'] = $newPassphrase; $e['password'] = $newPassphrase;
} }
};
$matched = false;
if ($name !== null && $name !== '') {
foreach ($entries as &$e) {
$entryName = $e['name'] ?? $e['label'] ?? $e['username'] ?? $e['privatePskName'] ?? null;
if ($entryName === $name) {
$applyUpdate($e);
$matched = true; $matched = true;
break; break;
} }
} }
unset($e); unset($e);
}
if (! $matched && $oldPassphrase !== null && $oldPassphrase !== '') {
foreach ($entries as &$e) {
$current = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
if ($current === $oldPassphrase) {
$applyUpdate($e);
$matched = true;
break;
}
}
unset($e);
}
if (! $matched) { if (! $matched) {
throw new \RuntimeException('Embedded PPSK not found by current passphrase.'); throw new \RuntimeException(
'Embedded PPSK not found' .
($name !== null ? " by name \"{$name}\"" : '') .
' or by current passphrase.'
);
} }
// UniFi REST expects the full WLAN object on PUT — send what we // UniFi REST expects the full WLAN object on PUT — send what we

4
src/UnifiServiceProvider.php
View File

@@ -44,7 +44,9 @@ class UnifiServiceProvider extends ServiceProvider
if (! $item) return; if (! $item) return;
if (! UnifiPageGrant::userCanAccess($user, $item)) { if (! UnifiPageGrant::userCanAccess($user, $item)) {
abort(403, 'You do not have access to this page.'); // 404 instead of 403 — don't leak that the page
// exists. The Access tab is the only way in.
abort(404);
} }
} catch (\Throwable) { } catch (\Throwable) {
// unifi_page_grants table may not exist yet on a fresh // unifi_page_grants table may not exist yet on a fresh

1
src/routes/unifi.php
View File

@@ -78,6 +78,7 @@ Route::middleware(['web', 'auth', 'app.access:unifi'])
Route::middleware('super.admin')->group(function () { Route::middleware('super.admin')->group(function () {
Route::get('/settings/pages-access', [UnifiPagesAccessController::class, 'index']) ->name('settings.pages-access.index'); Route::get('/settings/pages-access', [UnifiPagesAccessController::class, 'index']) ->name('settings.pages-access.index');
Route::get('/settings/pages-access/users/search', [UnifiPagesAccessController::class, 'searchUsers'])->name('settings.pages-access.users.search'); Route::get('/settings/pages-access/users/search', [UnifiPagesAccessController::class, 'searchUsers'])->name('settings.pages-access.users.search');
Route::get('/settings/pages-access/groups/search', [UnifiPagesAccessController::class, 'searchGroups'])->name('settings.pages-access.groups.search');
Route::put('/settings/pages-access/{navItem}', [UnifiPagesAccessController::class, 'update']) ->name('settings.pages-access.update'); Route::put('/settings/pages-access/{navItem}', [UnifiPagesAccessController::class, 'update']) ->name('settings.pages-access.update');
}); });