Pressing Cancel in Static DHCPv6 Mapping shouldn't return to the DHCPv6 config page

[wget]

Describe the bug

• I'm in a dual WAN (xDSL + DOCIS) environment (although this piece of info is not needed for the current use case).
• LAN: IPv4 in DHCP with static address
• LAN: IPv6 is set to track one of the WAN
• My LAN doesn't have the checkbox Allow manual adjustment of DHCPv6 and Router Advertisements checked.
• When I go on the DHCPv6 lease page (/status_dhcpv6_leases.php), I press on the +, then I press on the Cancelbutton from the mapping edition page, I'm redirected to the DHCPv6 configuration page (/services_dhcpv6.php?if=lan) and I shouldn't be allowed.

To Reproduce Steps to reproduce the behavior:

1. Ensure the checkbox Allow manual adjustment of DHCPv6 and Router Advertisements is unchecked.
2. Go to the DHCPv6 lease page (/status_dhcpv6_leases.php)
3. Click on the '+'
4. Press the Cancel button
5. You are being redirected to the DHCPv6 configuration page (/services_dhcpv6.php?if=lan) (notice the absence of title to this page)

Expected behavior

We shouldn't be allowed.

Screenshots

See above.

Relevant log files

N/A

Additional context

I led an additional test:

• I checked the checkbox Allow manual adjustment of DHCPv6 and Router Advertisements
• Performed some manual modifications to the DHCPv6 range and the Router Advertisements section (I set the Management flag to off by selecting the Stateless option)
• Run radvdump, and noticed AdvManagedFlag off; (my changes were thus taken into consideration)
• I disabled the DHCPv6 on the LAN (otherwise I cannot unchecl the Allow manual adjustment of DHCPv6 and Router Advertisements checkbox)
• I unchecked Allow manual adjustment of DHCPv6 and Router Advertisements
• Rerun radvdump, and noticed AdvManagedFlag on; (the config seems to be reset \o/)

It looks like the config is properly reset when the aforementioned checkbox is unchecked. So this bug is bug is not /that/ bad as this configuration reset process seems not impacted :)

Environment

Software:

• OPNsense 20.7.3-amd64
• FreeBSD 12.1-RELEASE-p10-HBSD
• OpenSSL 1.1.1g 21 Apr 2020

Hardware:

• apu2c4 = 3 i210AT LAN / AMD GX-412TC CPU / 4 GB DRAM

[fichtner]

@wget thanks! so we are avoiding to add the add/delete button now if these things shouldn't be manually configured according to the (most likely) correct menu logic, see 4dbc220490. If you want to try you can do so via:

# opnsense-patch 4dbc220490

Cheers, Franco

[wget]

@fichtner Will definitely check! Thanks :)

[wget]

@fichtner I tried the logic on 21.1 and unfortunately we still can bypass it.

When disabling the Allow manual adjustment of DHCPv6 and Router Advertisements option, reaching a page like:

/services_dhcpv6_edit.php?if=lan&duid=00:03:00:01:6c:c2:17:9b:4e:e0&hostname=

should NOT be allowed. The end user should be redirected to the main (dashboard page).

This actually happens for all the other pages as well. If we are being denied, we should be prevented accessing and be redirected.

[fichtner]

Right, it should be looking for the parent (likely "wan"), but it is looking for "lan"

[fichtner]

No wait that was silly. I'll try to fix it this morning in any case :)

[fichtner]

Did you try the page link manually? The add button should already disappear, no?

[wget]

@fichtner Yes the + button link has already disappeared following your patch :)

And yes, I reached the page manually. This is quite common when you use your browser history a lot. I often see SMB companies documenting things using direct links to the WebUI 😱

What we really want is a patch to avoid configuring things we shouldn't have access to. 🤗

[fichtner]

Ah ok. Now I have all the context :) The question is where would we want to redirect? It's already some sort of parent page. We could move to the dashboard but someone else might interpret it as a bug, too. What do you think?

[wget]

@fichtner In all CMS I have been using like Magento, WordPress, etc., they have implemented this as two solutions: report an in context 404 or a redirection to the dashboard. So maybe this page would be the more common choice and be less perceived as a bug? :) ⤵️