# Security and RBAC configuration for the seckelapi backend. Expect this file
# to be dense: the [security] table sets the defaults, and the per-powerlevel
# [permissions."<n>"] tables further down can override several of them.
[security]
# Source-address allowlists for the two login methods (PIN and login string).
# Entries are CIDR ranges or single hosts; see the README for the exact
# matching rules.
# NOTE(review): only loopback and private LAN ranges are listed. This only
# protects anything if the API sees the real client address — confirm how the
# caller handles proxy headers before relying on it.
whitelisted_pin_ips = ["192.168.1.0/24", "127.0.0.1"]
whitelisted_string_ips = ["192.168.5.0/24", "127.0.0.1"]

# Sessions
session_timeout_minutes = 60  # default timeout after which the session key is invalidated; overridable per powerlevel
refresh_session_on_activity = true  # extend the timeout on activity; with this off, sessions expire mid-use
max_concurrent_sessions = 3  # default per-user session limit; overridable per powerlevel
session_cleanup_interval_minutes = 5  # how often expired sessions are swept; this does not need to run every minute

# PIN and token authentication
# NOTE(review): with hashing disabled, the pin_column / token_column fields
# hold the credentials in clear text, so any powerlevel whose advanced_rules
# leave those users columns readable can recover them through the API. Turn
# both on anywhere but local development.
hash_pins = false  # whether the PIN column is stored as a bcrypt hash (left off for dev work)
hash_tokens = false  # same as above, for the login-string column
pin_column = "pin_code"  # users-table column holding the PIN
token_column = "login_string"  # users-table column holding the login string

# Rate limiting
enable_rate_limiting = true  # master switch for the limits below

# Auth-endpoint limits, in requests per window. Whether the counter is
# per client or global is decided by the limiter, not by this file.
# NOTE(review): these values are far too high to slow down PIN/token
# guessing, and the per-second allowance (50000) exceeds the per-minute one
# (10000), so the per-second limit can never be the binding one. Lower both
# before the auth endpoints are reachable from anything but localhost.
auth_rate_limit_per_minute = 10000
auth_rate_limit_per_second = 50000

# General API limits, in requests per window; same caveat as above.
api_rate_limit_per_minute = 100000
api_rate_limit_per_second = 100000

# Default query limits, so that a single request cannot page through or
# filter an entire large table (one table is around 271k rows). The
# per-powerlevel max_limit / max_where_conditions keys below presumably
# replace these for that level — confirm in the loader.
default_max_limit = 10000
default_max_where_conditions = 1000

# Default access level to a user's own preference store. Overridden by the
# per-powerlevel user_settings_access key.
# - "read-own-only": read own preferences, no modification (kiosk-style)
# - "read-write-own": read and modify own preferences (what most users want)
# - "read-write-all": read and modify any user's preferences (admin use)
default_user_settings_access = "read-write-own"

# Table allowlist. It is expanded by wildcard rules ("*:rw") and, since table
# names cannot be bound as SQL parameters, it is what keeps a request-supplied
# table name from being interpolated into SQL. Keep it in sync with the
# schema and never extend it from untrusted input.
known_tables = [
    "users", "roles", "assets", "categories", "zones",
    "suppliers", "templates", "audit_tasks", "borrowers",
    "lending_history", "audit_history", "maintenance_log",
    "asset_change_log", "issue_tracker", "issue_tracker_change_log",
    "physical_audits", "physical_audit_logs",
    "label_templates", "printer_settings", "print_history"
]

# Tables that can never be written through the proxy, regardless of any
# per-powerlevel rule below (the admin "*:rw" rule included).
read_only_tables = ["asset_change_log", "issue_tracker_change_log", "print_history"]

# Columns that are write-protected by default on every table. This can be
# re-opened per table, per column and per powerlevel via advanced_rules below.
global_write_protected_columns = [
    "id",
    "created_date",
    "created_at",
    "last_modified_date",
    "updated_at",
    "last_modified_at",
]

# How the RBAC rules in [permissions] are written
# Each powerlevel table holds basic table rules and advanced column rules.
# Basic rules: "table:permission" with permission r (read), w (write) or
#   rw (read+write); "*" as the table name means every entry of known_tables.
# Advanced rules: "table.column:permission" for column-level control, with
#   permission r, w, rw or block (no access at all).
# "table.*:block" followed by "table.specific_column:r" exposes only the
#   listed columns; "table.*:r" followed by "table.sensitive_column:block"
#   hides only the listed ones.
# NOTE(review): the precedence between a basic rule and an advanced rule, or
# between "table.*" and "table.column" entries, is decided by the loader, not
# by this file; the examples above assume the more specific rule wins.
# Confirm that before relying on a block entry.

# Planned, not implemented: row-level rules ("schizo_rules") expressed as SQL
# predicates, e.g. only rows where user_id = current_user_id, or only assets
# whose status != 'Stolen'. Nothing below relies on them.

# The per-powerlevel comments below were drafted with LLM help so that the
# rationale survives a few months away from the code.

# Per-powerlevel rule sets. Each sub-table name is a numeric powerlevel; the
# higher the number, the more privileged the role (100 admin, 75 manager,
# 50 staff, 25 student). Keys that also exist as defaults in [security]
# (session_timeout_minutes, max_concurrent_sessions, max_limit /
# max_where_conditions, user_settings_access) override them for that level.
# NOTE(review): what happens for a powerlevel that has no table here is
# decided by the loader — confirm it denies access rather than silently
# falling back to the [security] defaults.
[permissions]

[permissions."100"]
# Admin - full access to every known table.
basic_rules = [
    "*:rw",  # wildcard: read+write on every entry of known_tables (writes to read_only_tables are still refused)
    "asset_change_log:r",  # redundant with read_only_tables, kept for readability
    "issue_tracker_change_log:r"  # same as above
]
advanced_rules = [
    # Columns kept read-only even for admins; the same three entries appear in
    # the 75 and 50 tables.
    "assets.asset_numeric_id:r",
    "assets.created_by:r",
    "assets.last_modified_by:r",
    # NOTE(review): only password_hash is blocked here, while the manager
    # table also blocks users.pin_code and users.login_string. With hash_pins
    # and hash_tokens off in [security], admins reading the users table get
    # clear-text credentials. Mirror those two block entries here unless
    # admins genuinely need to read them.
    "users.password_hash:block",
]
max_limit = 500
max_where_conditions = 50
session_timeout_minutes = 120  # Admins get longer sessions (2 hours) than the 60-minute default
max_concurrent_sessions = 5  # Admins may hold more concurrent sessions than the default of 3
rollback_on_error = true  # Roll back a batch operation on the first error
allow_batch_operations = true  # Admins can use batch operations
user_settings_access = "read-write-all"  # Admins can modify any user's preferences

[permissions."75"]
# Manager - full asset management, limited (read-only, redacted) user access.
rollback_on_error = true  # Roll back a batch operation on the first error
allow_batch_operations = true  # Managers can use batch operations
basic_rules = [
    "assets:rw",
    "lending_history:rw",
    "audit_history:rw",
    "maintenance_log:rw",
    "borrowers:rw",
    "categories:rw",
    "zones:rw",
    "suppliers:rw",
    "templates:rw",
    "audit_tasks:rw",
    "issue_tracker:rw",
    "physical_audits:rw",
    "physical_audit_logs:rw",
    "label_templates:rw",
    "printer_settings:rw",
    "print_history:r",  # also enforced by read_only_tables
    "users:r",  # Table-level read access, narrowed by the column blocks in advanced_rules below
    "roles:r",
    "asset_change_log:r",
    "issue_tracker_change_log:r"
]
advanced_rules = [
    # Columns kept read-only (same as admin)
    "assets.asset_numeric_id:r",
    "assets.created_by:r",
    "assets.last_modified_by:r",
    # Users table - readable except for credential and reset-token columns.
    # NOTE(review): this is a hand-maintained deny list; any secret column
    # added to users later is readable by managers until it is listed here.
    # A default-deny "users.*:block" followed by explicit "users.<col>:r"
    # grants (the pattern described above known_tables) would fail safe.
    "users.password:block",
    "users.password_hash:block",
    "users.pin_code:block",
    "users.login_string:block",
    "users.password_reset_token:block",
    "users.password_reset_expiry:block",
]
# Query limits (moderate for managers)
max_limit = 200
max_where_conditions = 20
user_settings_access = "read-write-own"  # Managers can only modify their own preferences

[permissions."50"]
# Staff - asset and lending management, NO access to the users table.
# NOTE(review): batch operations are allowed but not rolled back on error, so
# a failed batch leaves the rows processed before the failure committed.
# That is a deliberate "continue processing" choice; make sure the batch
# response reports which rows failed, or staff cannot tell what was written.
rollback_on_error = false  # Do not roll back batch operations on error (continue processing)
allow_batch_operations = true  # Staff can use batch operations
basic_rules = [
    "assets:rw",
    "lending_history:rw",
    "audit_history:rw",
    "maintenance_log:rw",
    "borrowers:rw",
    "categories:r",
    "zones:r",
    "suppliers:r",
    "templates:r",
    "audit_tasks:r",
    "issue_tracker:r",
    "physical_audits:r",
    "physical_audit_logs:r",
    "label_templates:r",
    "printer_settings:r",
    "print_history:r",
    "asset_change_log:r",
    "issue_tracker_change_log:r"
]
advanced_rules = [
    # Columns kept read-only (same as admin/manager)
    "assets.asset_numeric_id:r",
    "assets.created_by:r",
    "assets.last_modified_by:r",
]
# No users table access for staff - security requirement. This relies on a
# table absent from basic_rules being denied; confirm the loader does not
# fall back to any default for unlisted tables.
# Query limits (standard for staff)
max_limit = 100
max_where_conditions = 10
user_settings_access = "read-write-own"  # Staff can only modify their own preferences

[permissions."25"]
# Student - read-only access, no financial data, no user access, no change logs.
rollback_on_error = true  # Moot while allow_batch_operations is false; kept so enabling batches later fails safe
allow_batch_operations = false  # Students cannot use batch operations
basic_rules = [
    "assets:r",
    "lending_history:r",
    "borrowers:r",
    "categories:r",
    "zones:r"
]
advanced_rules = [
    # Assets table - hide financial and supplier info
    "assets.price:block",
    "assets.purchase_date:block",
    "assets.supplier_id:block",
    "assets.warranty_expiry:block",
    # Borrowers table - hide personal contact info.
    # NOTE(review): lending_history is readable in full; if it carries
    # borrower contact details of its own, the blocks below do not cover it.
    # Check its columns against this list.
    "borrowers.email:block",
    "borrowers.phone_number:block",
    "borrowers.notes:block"
]

# Query limits (restricted for students)
max_limit = 50
max_where_conditions = 5
user_settings_access = "read-own-only"  # Students can only read their own preferences, not modify