MeshCentral
Setting up access rights for plugins
Good day. We use some good plugins (like File Distribution and ScriptTask). But we found that if plugins are enabled, then they are available to all users. Is it possible to make an additional setting of rights so that you can put a tick on the group to allow the use of plugins? Just like we allow the use of the desktop or terminal. I think it won't be too difficult to add an extra parameter to hide the plugin tabs, just like other tabs are hidden. If you can configure access to each plugin separately, it will be great, but it will probably be more difficult than just hiding all the plugins.
Good suggestion...
So, I don't support plugins. @ryanblenis would need to look into this. Another option is that I integrate the functionality of the plugin into MeshCentral, in that case I could then work on adding server permissions for these extra features.
My memory isn't the best and I haven't done a bunch of coding with the plugins in a little while, but from what I recall, plugins enabled or disabled per user should be fairly easy. I do remember that I started working on some code for plugins to register permissions for each functionality they'd desire to be available per user/group, but I think I was running into issues because the base permissions in MC are stored in bits of a single variable, so depending on the plugin's amount of different permissions, it would have required the pluginHandler to have its own permission system to handle that. I haven't gotten around to expanding on that as I've been working on other projects recently, but I hope to have some time in the future to revisit this.
@ryanblenis Would you still be ok if I integrated some of your plugins into MeshCentral base code? Let me know if you have any concerns.
> So, I don't support plugins. @ryanblenis would need to look into this. Another option is that I integrate the functionality of the plugin into MeshCentral, in that case I could then work on adding server permissions for these extra features.
Dear Ylian. In the current setup, I think it will be easier and faster to just add a checkbox "Allow the use of plugins" among other access rights, such as for example "Allow agent console". So that it works the same way by hiding and showing the Plugins tab. This will be enough. Then this will resolve the issue in the future for new plugins.
> @ryanblenis Would you still be ok if I integrated some of your plugins into MeshCentral base code? Let me know if you have any concerns.
Absolutely! It's all open source so feel free. I don't know if you took a look at any of the code yet, but I used a lot of promise based code vs the vanilla callbacks like you've got in the main project for the sake of readability (I've been using a lot more async / await syntax since writing those, which I prefer, but I noticed you didn't have any of that in MC so I left it out), so if you're copy/pasting the functionality I'm not sure how far back in Node versions you're still targeting.
A couple notes for anything you're considering implementing:
- the EventLog plugin being my first was more of an "exploratory mission" where I used a variety of methods in order to find out how they work and create the correct hooks within the pluginHandler, so CreateAgentRedirect was probably used where it didn't really need to be
- Most of the plugins were created with Mongodb/NeDB support via the nemongo.js simplistic abstraction layer to simplify the code. No mysql + later DB access layers have been implemented yet
- The WorkFromHome / RoutePlus plugins utilize shuffling the admin token of that who created the connection to the client to facilitate the route, meaning the logs will display that user as "connected" rather than the agent/user itself facilitating the connection
- The WorkFromHome / RoutePlus plugins have a semi-known issue of disconnects every 300-500 seconds in some instances where they will break down and reconnect very quickly. It doesn't appear to happen on all connections, and most notably does not happen when the "client" computer is running macOS. This leads me to believe that the Windows MeshAgent.exe may have some sort of garbage collection occurring on the connection while this code is being run on it that does not affect macOS MeshAgents.
While I know everything in the main project currently has a "certain way of doing things" (e.g. pages/tabs have a certain "x" value, hardcoded numbers with max limits, etc.) I would absolutely LOVE to see a type of modular integration where functionality is self-contained (think along the lines of "first party plugin" versus third-party) as I do strongly believe that given a more modular approach to adding functionality, the more people you'd have on-board with committing additional features/functionality to the codebase, and it would make separating the logical components much cleaner by keeping the functionality of a feature in its own place rather than the current "type of communication" separation that now exists, and using event emitters or similar to call functions/functionality where needed.
Of course, it's all open source, so feel free to take whatever you'd like and implement how you please, just my 2 cents and food for thought on how MC could evolve/improve moving forward.
I know you're absolutely more than capable of figuring out everything I've done thus far in the plugins, but please don't hesitate to ask if you have any questions on anything! I'm interested to see how you approach this and look forward to everything you do with MC. Thank you as always and keep up the great work!
I think that it would be best to keep the plugins separate from the MeshCentral Core and then add the ability to control access to Plugins via the MeshCentral UI.
> Dear Ylian. In the current setup, I think it will be easier and faster to just add a checkbox "Allow the use of plugins" among other access rights, such as for example "Allow agent console". So that it works the same way by hiding and showing the Plugins tab. This will be enough. Then this will resolve the issue in the future for new plugins.
I think this will be sufficient.
> Dear Ylian. In the current setup, I think it will be easier and faster to just add a checkbox "Allow the use of plugins" among other access rights, such as for example "Allow agent console". So that it works the same way by hiding and showing the Plugins tab. This will be enough. Then this will resolve the issue in the future for new plugins.
> I think this will be sufficient.
I agree with this point.
> I agree with this point.
I also agree.
Agreed. I just realized that a user with only "No New Device Groups" and "No Tools" in a group where they have "No Rights" can still upload, edit, and execute ScriptTask plugins, even though they can't even see the Node History without "View All Events".
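Added example (not part of the thread, and not MeshCentral or plugin code): a sketch of the separate plugin permission layer mentioned above for bit-packed base rights, combined with the server-side, deny-by-default check that the ScriptTask report calls for, since hiding a tab does not stop a request from being processed. Every name in it (`PluginPermissions`, `scripttask`, the action names, the group and user ids) is hypothetical.

```javascript
// Hypothetical names throughout; nothing here is a MeshCentral or pluginHandler API.

// JavaScript bitwise operators work on 32-bit integers, so a single-integer
// bitmask holds at most 32 flags: the shift count is taken modulo 32.
function shiftWraps() { return (1 << 32) === 1; }

// Plugin rights kept outside the bitmask: named actions per plugin,
// granted per (device group, user) pair.
class PluginPermissions {
  constructor() {
    this.declared = new Map(); // plugin name -> Set of action names
    this.grants = new Map();   // JSON [groupId, userId] -> Set of "plugin:action"
  }
  // A plugin declares the actions it wants to be individually grantable.
  register(plugin, actions) { this.declared.set(plugin, new Set(actions)); }
  grant(groupId, userId, plugin, action) {
    const known = this.declared.get(plugin);
    if (!known || !known.has(action)) {
      throw new Error('unknown permission ' + plugin + ':' + action);
    }
    const key = JSON.stringify([groupId, userId]);
    if (!this.grants.has(key)) this.grants.set(key, new Set());
    this.grants.get(key).add(plugin + ':' + action);
  }
  // Server-side check, meant to run on every plugin request before any work
  // is done. Unknown plugin, unknown action, or missing grant all deny.
  isAllowed(groupId, userId, plugin, action) {
    const known = this.declared.get(plugin);
    if (!known || !known.has(action)) return false;
    const set = this.grants.get(JSON.stringify([groupId, userId]));
    return Boolean(set) && set.has(plugin + ':' + action);
  }
}

// Constructed sample data: alice may execute scripts in group-A only.
function demo() {
  const perms = new PluginPermissions();
  perms.register('scripttask', ['view', 'upload', 'execute']);
  perms.grant('group-A', 'alice', 'scripttask', 'execute');
  return {
    aliceExecute: perms.isAllowed('group-A', 'alice', 'scripttask', 'execute'),
    aliceUpload: perms.isAllowed('group-A', 'alice', 'scripttask', 'upload'),
    bobExecute: perms.isAllowed('group-A', 'bob', 'scripttask', 'execute'),
    otherGroup: perms.isAllowed('group-B', 'alice', 'scripttask', 'execute'),
    unknownPlugin: perms.isAllowed('group-A', 'alice', 'filedist', 'push')
  };
}
```
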
Good evening. @Ylianst Earlier, you added additional permission to the Details tab https://github.com/Ylianst/MeshCentral/commit/b96c88f1b48c3749b0a6719daf91133984067ea7. If there is the same permission for the Plugins tab, it will remove a lot of questions. Many people will be satisfied with such a simple solution. I could be wrong, but judging by the added addition it is not that much of a job. To my great regret, I do not have that much experience to try to make edits following the example. Otherwise, I would love to help satisfy the wishes of many users.
Does anybody know if plugin permissions were added? Or was the Plugin Work From Home function added to the MeshCentral core?
Sorry, no idea. But IMHO MeshCentral is an excellent remote control/AMT management suite. If you want more than a remote control software you need an RMM with scheduling and scripting...and all the other management stuff.
https://github.com/amidaware/tacticalrmm
> Sorry, no idea. But in my humble opinion, MeshCentral is an excellent remote control/AMT management suite. If you want more than remote control software, you need an RMM with scheduling and scripting... and all the other management functions.
> https://github.com/amidaware/tacticalrmm
Thanks for your answer. I've been using MeshCentral for maybe 3-4 days and I'm loving it. I tried to install TacticalRMM but I feel it is too complicated. Finally I just installed Mesh. I'm an old user of ScreenConnect and my current license is too old and I need to update or migrate.
https://github.com/Ylianst/MeshCentral/issues/3872 https://github.com/Ylianst/MeshCentral/issues/6312