[ejabberd] Forbid parts of web administration I/F

Bzzz lazyvirus at gmx.com
Fri Jun 8 20:08:06 MSK 2012

On Fri, 8 Jun 2012 17:39:16 +0200
Badlop <badlop at gmail.com> wrote:

> Basically, if I understood correctly, you want them to administer
> only some vhosts, not the whole server.
> [SNIP]
> Or go to the webadmin and check yourself that those users are only
> described as admins in the ACL pages of the corresponding vhosts,
> not on the whole/root ACL page.

Not what I want: I wanna forbid only some options to them.

i.e.: I know if I leave the database option reachable, one day or
another a dumb ass will touch it, and then they'll call me saying
it don't work anymore; of course, as usual, nobody will have done
nothing, and I'll spend hours to find out what's happened.

So, to be more precise, I don't want any sub-admins (or even admins,
if it isn't possible to make a distinction between both) totally
unable to (web)touch:

* General: 	* ACL
		* Access Rules

* VH(s):	* ACL
		* Access Rules

* Node(s):	* Database
		* Backup
		* Listened Ports
		* Update

NB: Most of the time there'll be only one VH, but for multi-VHs,
    it should be the same restrictions.

Of course, the best way would be to have one superadmin & 
some sub-admins, and keep the superadmin login for myself only;
or if it is not possible, forbid (+hide?) these options from
the web console, while leaving them accessible by ejabberdctl
(as sub-admins won't have a server root access).

A can of ASPARAGUS, 73 pigeons, some LIVE ammo, and a FROZEN

More information about the ejabberd mailing list