check default user policy

2025-09-07 21:54:54 +08:00 · 2024-10-23 15:29:47 +04:00 · 2024-10-23 15:29:47 +04:00 · d4da1774ff
commit d4da1774ff
parent c0f107b302
3 changed files with 14 additions and 19 deletions
--- a/logic/acls.go
+++ b/logic/acls.go
@ -441,6 +441,10 @@ func convAclTagToValueMap(acltags []models.AclPolicyTag) map[string]struct{} {

 // IsUserAllowedToCommunicate - check if user is allowed to communicate with peer
 func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
+	acl, _ := GetDefaultPolicy(models.NetworkID(peer.Network), models.UserPolicy)
+	if acl.Enabled {
+		return true
+	}
 	user, err := GetUser(userName)
 	if err != nil {
 		return false
--- a/logic/extpeers.go
+++ b/logic/extpeers.go
@ -526,7 +526,6 @@ func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandA
 	var peers []wgtypes.PeerConfig
 	var idsAndAddr []models.IDandAddr
 	var egressRoutes []models.EgressNetworkRoutes
-	var extUserIps []net.IP
 	extPeers, err := GetNetworkExtClients(node.Network)
 	if err != nil {
 		return peers, idsAndAddr, egressRoutes, err
@ -537,14 +536,6 @@ func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandA
 	}
 	for _, extPeer := range extPeers {
 		extPeer := extPeer
-		if extPeer.RemoteAccessClientID != "" {
-			if extPeer.AddressIPNet4().IP != nil {
-				extUserIps = append(extUserIps, extPeer.AddressIPNet4().IP)
-			}
-			if extPeer.AddressIPNet6().IP != nil {
-				extUserIps = append(extUserIps, extPeer.AddressIPNet6().IP)
-			}
-		}
 		if !IsClientNodeAllowed(&extPeer, peer.ID.String()) {
 			continue
 		}
--- a/logic/peers.go
+++ b/logic/peers.go
@ -294,17 +294,17 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 			if err == nil {
 				defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 				defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
-				ingFwUpdate := models.IngressInfo{
-					IngressID: node.ID.String(),
-					Network:   node.NetworkRange,
-					Network6:  node.NetworkRange6,
-					AllowAll:  defaultDevicePolicy.Enabled && defaultUserPolicy.Default,
+				if defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled {
+					ingFwUpdate := models.IngressInfo{
+						IngressID:     node.ID.String(),
+						Network:       node.NetworkRange,
+						Network6:      node.NetworkRange6,
+						AllowAll:      defaultDevicePolicy.Enabled && defaultUserPolicy.Default,
+						StaticNodeIps: GetStaticNodeIps(node),
+						Rules:         GetFwRulesOnIngressGateway(node),
+					}
+					hostPeerUpdate.FwUpdate.IngressInfo[node.ID.String()] = ingFwUpdate
 				}
-				if !ingFwUpdate.AllowAll {
-					ingFwUpdate.StaticNodeIps = GetStaticNodeIps(node)
-					ingFwUpdate.Rules = GetFwRulesOnIngressGateway(node)
-				}
-				hostPeerUpdate.FwUpdate.IngressInfo[node.ID.String()] = ingFwUpdate
 				hostPeerUpdate.EgressRoutes = append(hostPeerUpdate.EgressRoutes, egressRoutes...)
 				hostPeerUpdate.Peers = append(hostPeerUpdate.Peers, extPeers...)
 				for _, extPeerIdAndAddr := range extPeerIDAndAddrs {