opcodesio/log-viewer

log-viewer visible by public, unauthorized users

christoferd opened this issue · 11 comments

Hi, I have just installed this using the documentation instructions.

/log-viewer is loading and I can see all log files while not logged in, on both local and production environments.

I see now that it is set by default to allow everyone to see log files

I followed this to restrict it to only authorized users.
https://log-viewer.opcodes.io/docs/3.x/configuration/access-to-log-viewer#authorizing-users

Bug
I would say that it's a bug to have a log viewer automatically open to the public.
Is there a way to restrict this to logged in users by default?

I had this problem before. And after some trial and error, I got this working by using the Gate like this.

// No closure parameter, so Laravel never invokes this gate for a guest (the
// Gate only calls a callback for null users when its first parameter is
// nullable); guests are simply denied, and auth()->user() is non-null here.
Gate::define("viewLogViewer", fn () => auth()->user()->isAdmin());

instead of this

// Nullable parameter: Laravel invokes this for guests too, with $user === null,
// so the body below is reached by unauthenticated requests.
Gate::define('viewLogViewer', function (?User $user) {
    return $user->isAdmin();
});

I use the global helper instead of grabbing the user from the function parameter as in the documentation.

I hope it helps.
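An added example, not code from this thread or from the Log Viewer project: a 'viewLogViewer' gate in app/Providers/AppServiceProvider.php that keeps the documented nullable-user signature but denies guests explicitly instead of dereferencing null. It assumes App\Models\User has a hypothetical isAdmin() method; the gate name and the AuthorizeLogViewer middleware that enforces it are the package's own.

```php
<?php
// Added example (not from the thread or the Log Viewer project).
// Assumption: App\Models\User::isAdmin() exists (hypothetical).

namespace App\Providers;

use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Log Viewer's AuthorizeLogViewer middleware (used by default in both
        // the 'middleware' and 'api_middleware' config arrays) checks this gate.
        Gate::define('viewLogViewer', function (?User $user): bool {
            // With a nullable parameter Laravel calls this for guests and passes
            // null. Fail closed: a guest must get a 403, not a TypeError/500.
            if ($user === null) {
                return false;
            }

            // Only authenticated admins may read log files.
            return $user->isAdmin();
        });
    }
}
```

Whichever form you pick, test it logged out against both /log-viewer and one of its API endpoints: the UI being blocked says nothing about the API if the two config arrays are not kept in step.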

Hi
I would like to add an extra thing here: our team has used Cloudflare to limit access to the log-viewer URL to whitelisted IPs only.

hey all, thanks for bringing this up!

Starting with v3.3.0, Log Viewer will be unauthorized in production by default, if no gate or auth callback is set up.

I have been using a middleware since forever:

'middleware' => ['web', 'auth', 'role:support|superadmin'],

Now, this is no longer enough! Not great for a non-major release.


Hey @zoispag, you're not using the \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer middleware, so I don't know what exactly is blocking your access here 🤔

The change should only apply to the default installations where the above middleware is applied by default. If you're not using that middleware then you're responsible for the access to the Log Viewer - and looks like you did add it already.

So, it should be working for you just fine 🤔

It doesn't however. I get 403 when it tries to access the log files. Maybe a bug?

@zoispag , do you also use the same middleware in api_middleware configuration? Or maybe you're calling LogViewer::auth() somewhere else in the system?

hey @zoispag , try the new release, v3.3.1 which should fix the issue.

Hi @arukompas. My published config was apparently a very old one, with no api_middleware in place. So for the API only, it was using \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class which started failing. I updated the api_middleware to

'api_middleware' => [EnsureFrontendRequestsAreStateful::class, 'auth', 'role:support|superadmin'],

and now it works. Thanks for pointing me to the direction. Once I removed the AuthorizeLogViewer::class from the api_middleware array, I no longer need to create a Gate for the API to work.

By the way I would like to apologize for "bitching" earlier.
I had a very bad start of the day!

Apologies again and thanks for the quick reaction!! 💪🏼
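An added example, not the thread's snippets or the project's published config file: the two Log Viewer config arrays filled in consistently, in the two styles this thread ends up with, next to the inconsistent state that caused the 403s above. It assumes a 'role' middleware alias exists in the app (as in the thread) and that EnsureFrontendRequestsAreStateful lives in the Opcodes\LogViewer\Http\Middleware namespace, which is where the package's published config imports it from as far as I know; check your own copy.

```php
<?php
// Added example (not from the thread or the Log Viewer project).
// Assumptions: a 'role' middleware alias is registered in the app, and
// EnsureFrontendRequestsAreStateful resolves to the package's own copy below.

use Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer;
use Opcodes\LogViewer\Http\Middleware\EnsureFrontendRequestsAreStateful;

// Variant A: rely on the package middleware on BOTH route groups. It enforces
// the 'viewLogViewer' gate (or a LogViewer::auth() callback), and since v3.3.0
// denies in production when neither is defined.
$gateBased = [
    'middleware' => ['web', AuthorizeLogViewer::class],
    'api_middleware' => [EnsureFrontendRequestsAreStateful::class, AuthorizeLogViewer::class],
];

// Variant B: application middleware only. AuthorizeLogViewer is left out of
// both arrays, so no gate is required, but 'auth' and the role check must then
// appear in BOTH arrays: the UI is only a shell, the log contents are served
// by the API routes.
$appMiddlewareBased = [
    'middleware' => ['web', 'auth', 'role:support|superadmin'],
    'api_middleware' => [EnsureFrontendRequestsAreStateful::class, 'auth', 'role:support|superadmin'],
];

// The inconsistent state from this thread: 'middleware' carries the app's
// own checks while 'api_middleware' still carries AuthorizeLogViewer (an old
// published config). Without a gate the API now returns 403, and the
// mirror-image mistake, an API array with no auth at all, would instead
// expose every log file to anyone who calls the JSON routes directly.
$inconsistent = [
    'middleware' => ['web', 'auth', 'role:support|superadmin'],
    'api_middleware' => [EnsureFrontendRequestsAreStateful::class, AuthorizeLogViewer::class],
];

return $gateBased;
```

After publishing a new package version, diff your published config/log-viewer.php against the package's copy; a missing 'api_middleware' key silently falls back to the package default, which is exactly how the mismatch above arises.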

@zoispag no worries at all, it kept me on my toes! :)

Enjoy the rest of the week 💪