From 501121c837b2b230d6767b0d5e39468e34a17d84 Mon Sep 17 00:00:00 2001 From: usmannasir Date: Tue, 1 Jul 2025 14:11:16 +0500 Subject: [PATCH] bug fix: dashboard for non-admin users --- CyberCP/secMiddleware.py | 4 +++ CyberCP/settings.py | 5 ++- .../baseTemplate/custom-js/system-status.js | 33 +++++++++++++++++-- .../templates/baseTemplate/homePage.html | 16 ++++----- baseTemplate/views.py | 6 ++-- 5 files changed, 50 insertions(+), 14 deletions(-) diff --git a/CyberCP/secMiddleware.py b/CyberCP/secMiddleware.py index 2f43bd9d3..675d417d5 100644 --- a/CyberCP/secMiddleware.py +++ b/CyberCP/secMiddleware.py @@ -118,6 +118,10 @@ class secMiddleware: if request.path.find('gitNotify') > -1: break + # Skip validation for ports key to allow port ranges with colons + if key == 'ports': + continue + if type(value) == str or type(value) == bytes: pass elif type(value) == list: diff --git a/CyberCP/settings.py b/CyberCP/settings.py index 0226e657c..650f09b0a 100644 --- a/CyberCP/settings.py +++ b/CyberCP/settings.py @@ -191,4 +191,7 @@ LANGUAGES = ( MEDIA_URL = '/usr/local/CyberCP/tmp/' MEDIA_ROOT = MEDIA_URL -DATA_UPLOAD_MAX_MEMORY_SIZE = 2147483648 \ No newline at end of file +DATA_UPLOAD_MAX_MEMORY_SIZE = 2147483648 + +# Security settings for CSF compliance +X_FRAME_OPTIONS = 'SAMEORIGIN' \ No newline at end of file diff --git a/baseTemplate/static/baseTemplate/custom-js/system-status.js b/baseTemplate/static/baseTemplate/custom-js/system-status.js index db947a0e3..63c4e4e42 100644 --- a/baseTemplate/static/baseTemplate/custom-js/system-status.js +++ b/baseTemplate/static/baseTemplate/custom-js/system-status.js @@ -911,6 +911,9 @@ app.controller('dashboardStatsController', function ($scope, $http, $timeout) { $scope.totalDBs = 0; $scope.totalEmails = 0; $scope.totalFTPUsers = 0; + + // Hide system charts for non-admin users + $scope.hideSystemCharts = false; // Top Processes $scope.topProcesses = []; 
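Review bot: The new `if key == 'ports': continue` exempts every request parameter named `ports` from the middleware's value check on every path, whereas the existing `gitNotify` bypass two lines above is at least scoped with `request.path.find(...)`. Whatever the loop below rejects (the check itself is outside the hunk; the commit message implies it refuses colons) is now skipped for any view that reads a `ports` field, so an injected value is only as safe as that view's own handling — and if the firewall view forwards it to a shell or a CSF config file, this is an injection path. Keep the bypass but constrain the shape instead of waiving the check, e.g. `if key == 'ports' and isinstance(value, str) and re.fullmatch(r'[0-9,:\s]+', value): continue`, adding `import re` at the top of the file if it is not already there. The enclosing loop and `secMiddleware.__call__` continue outside the hunk.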
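Review bot: `X_FRAME_OPTIONS = 'SAMEORIGIN'` only has an effect if `django.middleware.clickjacking.XFrameOptionsMiddleware` is listed in `MIDDLEWARE`, which this hunk does not show; without it no header is emitted. Django's default for this setting has been `'DENY'` since 3.0, so on such a version this line relaxes the default rather than tightening it — acceptable if the panel frames its own pages, but the comment should say so. `# Security settings for CSF compliance` reads as a ConfigServer Firewall reference; suggest `# Clickjacking: allow framing by same-origin pages only (needs XFrameOptionsMiddleware; Django's default is DENY)`.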
@@ -1030,6 +1033,11 @@ app.controller('dashboardStatsController', function ($scope, $http, $timeout) { function pollTraffic() { console.log('pollTraffic called'); $http.get('/base/getTrafficStats').then(function(response) { + if (response.data.admin_only) { + // Hide chart for non-admin users + $scope.hideSystemCharts = true; + return; + } if (response.data.status === 1) { var now = new Date(); var rx = response.data.rx_bytes; @@ -1079,6 +1087,11 @@ app.controller('dashboardStatsController', function ($scope, $http, $timeout) { function pollDiskIO() { $http.get('/base/getDiskIOStats').then(function(response) { + if (response.data.admin_only) { + // Hide chart for non-admin users + $scope.hideSystemCharts = true; + return; + } if (response.data.status === 1) { var now = new Date(); var read = response.data.read_bytes; @@ -1117,6 +1130,11 @@ app.controller('dashboardStatsController', function ($scope, $http, $timeout) { function pollCPU() { $http.get('/base/getCPULoadGraph').then(function(response) { + if (response.data.admin_only) { + // Hide chart for non-admin users + $scope.hideSystemCharts = true; + return; + } if (response.data.status === 1 && response.data.cpu_times && response.data.cpu_times.length >= 4) { var now = new Date(); var cpuTimes = response.data.cpu_times; @@ -1433,8 +1451,19 @@ app.controller('dashboardStatsController', function ($scope, $http, $timeout) { // Initial setup $timeout(function() { - setupCharts(); - // Immediately poll once so charts are updated on first load + // Check if user is admin before setting up charts + $http.get('/base/getAdminStatus').then(function(response) { + if (response.data && response.data.admin === 1) { + setupCharts(); + } else { + $scope.hideSystemCharts = true; + } + }).catch(function() { + // If error, assume non-admin and hide charts + $scope.hideSystemCharts = true; + }); + + // Immediately poll once so stats are updated on first load pollDashboardStats(); pollTraffic(); pollDiskIO(); 
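Review bot: In the initial-setup hunk, `pollTraffic()` and `pollDiskIO()` now run before `setupCharts()` has been called, because chart setup waits on the `/base/getAdminStatus` round trip while the initial polls fire synchronously right after that request is issued. For an admin the first poll's `status === 1` branch therefore executes against charts that may not exist yet (the chart-update code is outside the hunk, so this is inferred from the ordering), and for a non-admin the system-stats endpoints are still requested even though the reply is used only to set `hideSystemCharts`. Move the system-chart polls into the admin branch after `setupCharts()` and leave `pollDashboardStats()` outside it; if the same polls are also scheduled on an interval later in the controller, gate those on `hideSystemCharts` as well. The `$timeout` callback continues past the end of the hunk, and `/base/getAdminStatus` itself is not part of this patch, so it is assumed to exist.
```javascript
$timeout(function() {
    // System-wide charts exist only for admins: create them, then poll.
    $http.get('/base/getAdminStatus').then(function(response) {
        if (response.data && response.data.admin === 1) {
            setupCharts();
            pollTraffic();
            pollDiskIO();
        } else {
            $scope.hideSystemCharts = true;
        }
    }).catch(function() {
        // Fail closed: treat an error as non-admin and hide the charts.
        $scope.hideSystemCharts = true;
    });

    // Per-account stats are available to every user.
    pollDashboardStats();
    // … unchanged: remaining initial polls / interval setup …
```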
diff --git a/baseTemplate/templates/baseTemplate/homePage.html b/baseTemplate/templates/baseTemplate/homePage.html index a98ad7ff6..10382e6b0 100644 --- a/baseTemplate/templates/baseTemplate/homePage.html +++ b/baseTemplate/templates/baseTemplate/homePage.html @@ -494,19 +494,19 @@ {$ securityAlerts.length $} - - - - @@ -687,7 +687,7 @@ -
+
Loading top processes...
@@ -720,21 +720,21 @@
-
+
-
+
-
+
diff --git a/baseTemplate/views.py b/baseTemplate/views.py
index 3c1c84dcf..c7a9a4ced 100644
--- a/baseTemplate/views.py
+++ b/baseTemplate/views.py
@@ -508,7 +508,7 @@ def getTrafficStats(request):
 
     # Only admins should see system-wide network stats
     if not currentACL.get('admin', 0):
-        return HttpResponse(json.dumps({'status': 0, 'error_message': 'Admin access required'}), content_type='application/json', status=403)
+        return HttpResponse(json.dumps({'status': 0, 'error_message': 'Admin access required', 'admin_only': True}), content_type='application/json')
 
     # Get network stats from /proc/net/dev (Linux)
     rx = tx = 0
@@ -536,7 +536,7 @@ def getDiskIOStats(request):
 
     # Only admins should see system-wide disk I/O stats
     if not currentACL.get('admin', 0):
-        return HttpResponse(json.dumps({'status': 0, 'error_message': 'Admin access required'}), content_type='application/json', status=403)
+        return HttpResponse(json.dumps({'status': 0, 'error_message': 'Admin access required', 'admin_only': True}), content_type='application/json')
 
     # Parse /proc/diskstats for all disks
     read_sectors = 0
@@ -570,7 +570,7 @@ def getCPULoadGraph(request):
 
     # Only admins should see system-wide CPU stats
     if not currentACL.get('admin', 0):
-        return HttpResponse(json.dumps({'status': 0, 'error_message': 'Admin access required'}), content_type='application/json', status=403)
+        return HttpResponse(json.dumps({'status': 0, 'error_message': 'Admin access required', 'admin_only': True}), content_type='application/json')
 
     # Parse /proc/stat for the 'cpu' line
     with open('/proc/stat', 'r') as f:
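Review bot: Dropping `status=403` from the denial in `getTrafficStats` (and identically in `getDiskIOStats` and `getCPULoadGraph`) turns an authorization failure into a 200, which hides it from everything that keys on HTTP status — access logs, a reverse proxy or WAF rule, rate limiters and any non-browser API client — and it was done only so the AngularJS `.then` success callback can read the body. The check itself is still enforced before any `/proc` file is read, so no data is exposed. Keep `status=403` together with `'admin_only': True` in the body and handle the rejection on the client instead, e.g. `$http.get('/base/getTrafficStats').then(onData, function (err) { if (err.status === 403) { $scope.hideSystemCharts = true; } });`. Since the three denial responses are now byte-identical, a small module-level helper such as `_admin_only_response()` would keep them in step. All three functions start before their hunks.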