Closed mremond closed 3 months ago
Until ejabberd 24.02, to use the WebAdmin it was enough that the account had `configure` access to login:

```yaml
acl:
  admin: [user: username]
access_rules:
  configure:
    allow: admin
```

Since ejabberd 24.06, WebAdmin uses commands to get information to build the pages. If an account does not have permission to execute a command, that command does not appear in the WebAdmin.
In practice: the account must have `configure` access in order to login... and must have permission to execute the commands to view the pages contents. At least he should have permission to execute the `registered_vhosts` command.
The default ejabberd configuration is something like this. In this example, it allows "username" to log in to the WebAdmin, and allows it to execute all the commands as long as it connects from localhost; if it connects from outside, then it can log in to WebAdmin, but cannot access the content:

```yaml
acl:
  admin: [user: username]
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128
access_rules:
  configure:
    allow: admin
  trusted_network:
    allow: loopback
api_permissions:
  "admin access":
    who:
      access:
        allow:
          - acl: loopback
          - acl: admin
    what:
      - "*"
```

Can you access all WebAdmin content when you log in from localhost, but WebAdmin is empty when you log in from outside? In that case, add the configuration that was mentioned in ejabberd 24.06 release notes: WebAdmin commands permissions configuration, or this one that allows webadmin to access all commands for admin:

```yaml
api_permissions:
  "webadmin commands":
    from:
      - ejabberd_web_admin
    who:
      access:
        allow:
          - acl: admin
    what:
      - "*"
```

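An added example, not part of the thread and not ejabberd code: a simplified Python model of the two `api_permissions` snippets above, showing why the same admin account gets content from localhost, an empty WebAdmin from outside, and content again once the `"webadmin commands"` section is present. The function names, the dict layout and the client addresses are constructed for illustration, and the model assumes that every ACL listed under `allow` must match, as the comment above describes.

```python
import ipaddress

LOOPBACK = ("127.0.0.0/8", "::1/128")

# ACLs from the quoted config, modelled as predicates (simplified: the admin
# ACL matches the account name "username" on any host).
ACLS = {
    "admin": lambda jid, ip: jid.split("@")[0] == "username",
    "loopback": lambda jid, ip: any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(net) for net in LOOPBACK
    ),
}

# api_permissions sections from the two quoted snippets, as constructed dicts.
DEFAULT = {"admin access": {"who": ["loopback", "admin"], "what": ["*"]}}
WEBADMIN = {
    "webadmin commands": {
        "from": ["ejabberd_web_admin"], "who": ["admin"], "what": ["*"],
    }
}


def granting_section(sections, command, jid, ip, frontend):
    """Return the name of the first section that permits the command, or None."""
    for name, sec in sections.items():
        if "from" in sec and frontend not in sec["from"]:
            continue  # section only applies to the listed frontends
        if not all(ACLS[acl](jid, ip) for acl in sec["who"]):
            continue  # assumption: every ACL listed under allow must match
        if "*" in sec["what"] or command in sec["what"]:
            return name
    return None


def webadmin_view(sections, jid, ip):
    """Model what the account sees: login needs configure, pages need commands."""
    if not ACLS["admin"](jid, ip):  # access rule: configure -> allow: admin
        return "login denied"
    if granting_section(sections, "registered_vhosts", jid, ip, "ejabberd_web_admin"):
        return "content"
    return "empty"


if __name__ == "__main__":
    merged = {**DEFAULT, **WEBADMIN}
    for label, cfg in (("default", DEFAULT), ("with webadmin section", merged)):
        for ip in ("127.0.0.1", "203.0.113.7"):  # constructed client addresses
            print(label, ip, webadmin_view(cfg, "username@example.com", ip))
```

In this model the `"webadmin commands"` section has no `loopback` condition, so with it in place every command is available to the admin account through WebAdmin from any source address.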
I tried @badlop's setup, still not able to access stuff, same log message
@licaon-kter Would you be able to bump log level to debug for a second and do that again? I think this should log information about ejabberd command authentication tags, that may help here.
The other possible reason for WebAdmin to show only an empty webadmin, navigation links, but no actual administrative content:
`example.com`, and grant account `user` admin rights as explained previously
http://localhost:5280/admin/
`user@example.com`
Due to a bug, webadmin uses `user@example.com` when checking access to webadmin, but it uses `user@localhost` when checking access to commands!
That bug is solved right now thanks to commit https://github.com/processone/ejabberd/commit/54f5db851defb5f69e75830081c6aad4a991a20e
It seems for some users, the webadmin can be empty. It may be related to the way vhosts are accessed (URL?), as the log shows the following message: