WebAdmin is empty since ejabberd 24.06

[badlop]

Problem

I was using ejabberd's WebAdmin perfectly with ejabberd 24.02. Now I've updated to ejabberd 24.06 and

• I can login correctly to the new WebAdmin: it shows the logo, navigation menu, welcome page...
• But there is no content: all the pages are empty, nothing to administer!

This is how the WebAdmin looks right now:

And the ejabberd.log file shows:

[info] Access to WebAdmin page vhosts/ for account tim@example.org was denied

What's the problem? How to solve it?

Explanation of WebAdmin in 24.06

Until ejabberd 24.02, when you login to webadmin successfully, you immediately had access to all the pages and content.

In ejabberd 24.06, the WebAdmin uses commands API to generate the page content. Let's view the process in detail:

1. Accessing URL

ejabberd.yml contains something like this:

hosts:
  - example.org

listen:
  -
    port: 5280
    module: ejabberd_http
    request_handlers:
      /admin: ejabberd_web_admin

And you can open a web browser with any of those URLs:

• A) http://127.0.0.1:5280/admin/
• B) http://localhost:5280/admin/
• C) http://10.20.30.40:5280/admin/
• D) http://example.org:5280/admin/

Let's assume that example.org directs to the IP address 10.20.30.40.

2. The browser immediately requests the login credentials. If you configure like this:

acl:
  admin:
    user: tim@example.org

access_rules:
  configure:
    allow: admin

Then you can login with

• A) http://127.0.0.1:5280/admin/ login with tim@example.org
• B) http://localhost:5280/admin/ login with tim@example.org
• C) http://10.20.30.40:5280/admin/ login with tim@example.org
• D) http://example.org:5280/admin/ login with tim or tim@example.org

3. The WebAdmin site shows the logo, navigation menu and welcome page.

The WebAdmin also shows pages content depending on the permissions that the user has to execute API commands. For example, this configuration gives access ONLY from 127.0.0.1 and ::1 to user tim@example.org:

acl:
  admin:
    user: tim@example.org
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128

access_rules:
  configure:
    allow: admin
  trusted_network:
    allow: loopback

api_permissions:
  "admin access":
    who:
      access:
        allow:
          - acl: loopback
          - acl: admin
    what:
      - "*"

• A) http://127.0.0.1:5280/admin/ --> :x: fails due to a bug in ejabberd 24.06 !!
• B) http://localhost:5280/admin/ --> :x: fails due to a bug in ejabberd 24.06 !!
• C) http://10.20.30.40:5280/admin/ --> :x: fails due to a bug in ejabberd 24.06 !!
• D) http://example.org:5280/admin/ from the same machine --> :white_check_mark:
• E) http://example.org:5280/admin/ from a different machine --> :x: fails due to api_permissions configuration !!

Solution to bug in 3.A/B/C

There is a bug in ejabberd 24.06 that appears when you visit an WebAdmin URL but login with an account in another vhost. A fix is already available in git (https://github.com/processone/ejabberd/commit/54f5db851defb5f69e75830081c6aad4a991a20e).

You can update ejabberd from git and recompile, or wait for a newer ejabberd release, or:

If you want to login with account tim@example.org, then please open the URL http://example.org:5280/admin/ , not localhost or 127.0.0.1 or anything else. That is, make sure the host in the URL matches the host in your login account.

Solution to configuration problem in 3.E

The default api_permissions only allows to execute commands from localhost to admin accounts.

Let's add a new permission in api_permissions to allow executing commands from ejabberd_web_admin to admin accounts from any machine:

api_permissions:
  "webadmin":
    from:
      - ejabberd_web_admin
    who:
      access:
        allow:
          - acl: admin
    what:
      - "*"