From f77f5ed955f32fe0dceb176c85d9609eea07106d Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Thu, 12 Feb 2015 18:27:51 +0100
Subject: [PATCH] added transition class for legacy ACL support (based on pages)

---
 .../OPNsense/Base/ControllerBase.php | 4 +
 .../mvc/app/models/OPNsense/Core/ACL.php | 142 +++++++++++
 .../OPNsense/Core/ACL_Legacy_Page_Map.txt | 241 ++++++++++++++++++
 .../mvc/app/models/OPNsense/Core/Config.php | 1 -
 .../layout_partials/base_menu_system.volt | 8 +-
 src/opnsense/mvc/public/index.php | 5 -
 6 files changed, 391 insertions(+), 10 deletions(-)
 create mode 100644 src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
 create mode 100644 src/opnsense/mvc/app/models/OPNsense/Core/ACL_Legacy_Page_Map.txt

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
index e99961b19..2cc549e48 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
@@ -61,6 +61,7 @@ class ControllerBase extends Controller
     }
 
     /**
+     * shared functionality
      * @param $dispatcher
      */
     public function beforeExecuteRoute($dispatcher)
@@ -76,6 +77,9 @@ class ControllerBase extends Controller
         $menu = new Menu\MenuSystem();
         $this->view->menuSystem = $menu->getItems("/ui".$this->router->getRewriteUri());
 
+        $acl = new \OPNsense\Core\ACL();
+        $this->view->acl = $acl;
+
         // prevent session lock
         session_write_close();
     }
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
new file mode 100644
index 000000000..ad971ad2a
--- /dev/null
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
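Review bot: The ACL object is only attached to the view (`$this->view->acl = $acl;`), so nothing in beforeExecuteRoute itself decides whether the current user may run the dispatched action; whether any access check happens depends entirely on each template calling the object, which this patch does not show. A comment above the two added lines stating that scope, `// legacy page ACL is exposed to templates only; no route-level enforcement is done here`, would keep later readers from assuming the controller gates access. Per the ACL.php hunk the constructor also re-reads config.xml and the page map on every request, so constructing it once per request rather than per template use is the right direction, but a note on that cost next to the `new` call would help. beforeExecuteRoute begins before the first hunk and both hunks fall inside it.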
@@ -0,0 +1,142 @@
+legacyUsers = array();
+        $this->legacyGroupPrivs = array();
+
+        $legacyPageMap = $this->loadLegacyPageMap();
+
+        $groupmap = array();
+
+        // gather user / group data from config.xml
+        $config = Config::getInstance()->object() ;
+        foreach ($config->system->children() as $key => $node) {
+            if ($key == "user") {
+                $this->legacyUsers[$node->name->__toString()] = array() ;
+                $this->legacyUsers[$node->name->__toString()]["uid"] = $node->uid->__toString();
+                $this->legacyUsers[$node->name->__toString()]["groups"] = array();
+            } elseif ($key == "group") {
+                $groupmap[$node->name->__toString()] = $node ;
+            }
+        }
+
+        // interpret group privilege data and update user data with group information.
+        foreach ($groupmap as $groupkey => $groupNode) {
+            $legacyGroupPrivs[$groupkey] = array();
+            foreach ($groupNode->children() as $itemKey => $node) {
+                if ($node->getName() == "member" && $node->__toString() != "") {
+                    foreach ($this->legacyUsers as $username => $userinfo) {
+                        if ($this->legacyUsers[$username]["uid"] == $node->__toString()) {
+                            $this->legacyUsers[$username]["groups"][] = $groupkey;
+                        }
+                    }
+                } elseif ($node->getName() == "priv" && substr($node->__toString(), 0, 5) == "page-") {
+                    if (array_key_exists($node->__toString(), $legacyPageMap)) {
+                        $this->legacyGroupPrivs[$groupkey][] = $legacyPageMap[$node->__toString()];
+                    }
+                }
+            }
+        }
+    }
+
+    /**
+     * legacy functionality to check if a page is accessible for the specified user.
+     * @param $username user name
+     * @param $url full url, for example /firewall_rules.php
+     * @return bool
+     */
+    public function isPageAccessible($username, $url)
+    {
+        if (array_key_exists($username, $this->legacyUsers)) {
+            // search groups
+            foreach ($this->legacyUsers[$username]["groups"] as $itemkey => $group) {
+                if (array_key_exists($group, $this->legacyGroupPrivs)) {
+                    foreach ($this->legacyGroupPrivs[$group] as $privset) {
+                        foreach ($privset as $urlmask) {
+                            $match = str_replace(array(".", "*","?"), array("\.", ".*","\?"), $urlmask);
+                            $result = preg_match("@^/{$match}$@", "{$url}");
+                            if ($result) {
+                                return true;
+                            }
+                        }
+                    }
+                }
+
+            }
+        }
+
+        return false;
+    }
+
+
+    public function __construct()
+    {
+        $this->initLegacy();
+    }
+
+}
\ No newline at end of file
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL_Legacy_Page_Map.txt b/src/opnsense/mvc/app/models/OPNsense/Core/ACL_Legacy_Page_Map.txt
new file mode 100644
index 000000000..d611b18b9
--- /dev/null
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL_Legacy_Page_Map.txt
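Review bot: In initLegacy, `$legacyGroupPrivs[$groupkey] = array();` writes to an undeclared local instead of the property, so the line is dead and a group that carries no page privileges never gets an entry in `$this->legacyGroupPrivs`; it should read `$this->legacyGroupPrivs[$groupkey] = array();`. In isPageAccessible the pattern built from a mask escapes only `.`, `*` and `?`, so any other PCRE metacharacter, or the `@` delimiter, appearing in a map entry silently changes what that entry grants; `$match = str_replace('\*', '.*', preg_quote($urlmask, '@'));` yields the same patterns for the shipped map and stays correct as entries are added. The docblock describes `$url` as a "full url", but map entries without a trailing `*` (such as `diag_ipsec_xml.php`) only match when no query string is present, so the docblock should state whether callers pass the path component only. The start of the new file, including the class header, the property declarations and loadLegacyPageMap(), is not visible in this rendering and could not be checked.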
@@ -0,0 +1,241 @@
+page-all=*
+page-status-carp=carp_status.php*
+page-diagnostics-crash-reporter=crash_reporter.php*
+page-diagnostics-arptable=diag_arp.php*
+page-diagnostics-authentication=diag_authentication.php*
+page-diagnostics-backup/restore=diag_backup.php*
+page-diagnostics-configurationhistory=diag_confbak.php*
+page-diagnostics-factorydefaults=diag_defaults.php*
+page-diagnostics-ndptable=diag_ndp.php*
+page-diagnostics-restore-full-backup=system_firmware_restorefullbackup.php
+page-diagnostics-showstates=diag_dump_states.php*
+page-diagnostics-sockets=diag_sockets.php*
+page-diagnostics-testport=diag_testport.php*
+page-status-ipsec=diag_ipsec.php*
+page-status-ipsec-leases=diag_ipsec_leases.php*
+page-status-ipsec-sad=diag_ipsec_sad.php*
+page-status-ipsec-spd=diag_ipsec_spd.php*
+page-status-ntp=status_ntpd.php*
+page-ipsecxml=diag_ipsec_xml.php
+page-diagnostics-logs-system=diag_logs.php*
+page-status-systemlogs-portalauth=diag_logs_auth.php*
+page-diagnostics-logs-dhcp=diag_logs_dhcp.php*
+page-diagnostics-logs-firewall=diag_logs_filter.php*
+page-diagnostics-logs-gateways=diag_logs_gateways.php*
+page-diagnostics-logs-resolver=diag_logs_resolver.php*
+page-hidden-nolongerincluded=diag_logs_filter_dynamic.php*
+page-status-systemlogs-ipsecvpn=diag_logs_ipsec.php*
+page-status-systemlogs-ntpd=diag_logs_ntpd.php*
+page-status-systemlogs-openvpn=diag_logs_openvpn.php*
+page-status-systemlogs-ppp=diag_logs_ppp.php*
+page-status-systemlogs-loadbalancer=diag_logs_relayd.php*
+page-status-systemlogs-routing=diag_logs_routing.php*
+page-status-systemlogs-wireless=diag_logs_wireless.php*
+page-diagnostics-logs-settings=diag_logs_settings.php*
+page-diagnostics-logs-pptpvpn=diag_logs_vpn.php*
+page-diagnostics-nanobsd=diag_nanobsd.php*
+page-diagnostics-packetcapture=diag_packet_capture.php*
+page-diagnostics-patters=patterns.php*
+page-diagnostics-limiter-info=diag_limiter_info.php*
+page-diagnostics-pf-info=diag_pf_info.php*
+page-diagnostics-system-activity=diag_system_activity.php*
+page-diagnostics-system-pftop=diag_system_pftop.php*
+page-diagnostics-ping=diag_ping.php*
+page-status-packagelogs=diag_pkglogs.php*
+page-diagnostics-resetstate=diag_resetstate.php*
+page-diagnostics-routingtables=diag_routes.php*
+page-diagnostics-statessummary=diag_states_summary.php*
+page-diagnostics-tables=diag_tables.php*
+page-diagnostics-traceroute=diag_traceroute.php*
+page-diagnostics-edit=edit.php*
+page-diagnostics-edit=browser.php*
+page-diagnostics-edit=filebrowser/browser.php*
+page-diagnostics-command=exec.php*
+page-firewall-aliases=firewall_aliases.php*
+page-firewall-alias-edit=firewall_aliases_edit.php*
+page-firewall-alias-import=firewall_aliases_import.php*
+page-firewall-nat-npt=firewall_nat_npt.php*
+page-firewall-nat-npt-edit=firewall_nat_npt_edit.php*
+page-firewall-nat-portforward=firewall_nat.php*
+page-firewall-nat-1-1=firewall_nat_1to1.php*
+page-firewall-nat-1-1-edit=firewall_nat_1to1_edit.php*
+page-firewall-nat-portforward-edit=firewall_nat_edit.php*
+page-firewall-nat-outbound=firewall_nat_out.php*
+page-firewall-nat-outbound-edit=firewall_nat_out_edit.php*
+page-firewall-rules=firewall_rules.php*
+page-firewall-rules-edit=firewall_rules_edit.php*
+page-firewall-schedules=firewall_schedule.php*
+page-firewall-schedules-edit=firewall_schedule_edit.php*
+page-firewall-trafficshaper=firewall_shaper.php*
+page-firewall-trafficshaper-layer7=firewall_shaper_layer7.php*
+page-firewall-trafficshaper-queues=firewall_shaper_queues.php*
+page-firewall-trafficshaper-limiter=firewall_shaper_vinterface.php*
+page-firewall-trafficshaper-wizard=firewall_shaper_wizards.php*
+page-firewall-virtualipaddresses=firewall_virtual_ip.php*
+page-firewall-virtualipaddress-edit=firewall_virtual_ip_edit.php*
+page-getserviceproviders=getserviceproviders.php*
+page-getstats=getstats.php*
+page-diagnostics-interfacetraffic=graph.php*
+page-diagnostics-cpuutilization=graph_cpu.php*
+page-diagnostics-haltsystem=halt.php*
+page-requiredforjavascript=headjs.php*
+page-xmlrpcinterfacestats=ifstats.php*
+page-system-login/logout=index.php*
+page-interfaces=interfaces.php*
+page-interfaces-assignnetworkports=interfaces_assign.php*
+page-interfaces-bridge=interfaces_bridge.php*
+page-interfaces-bridge-edit=interfaces_bridge_edit.php*
+page-interfaces-gif=interfaces_gif.php*
+page-interfaces-gif-edit=interfaces_gif_edit.php*
+page-interfaces-gre=interfaces_gre.php*
+page-interfaces-gre-edit=interfaces_gre_edit.php*
+page-interfaces-groups=interfaces_groups.php*
+page-interfaces-groups-edit=interfaces_groups_edit.php*
+page-interfaces-lagg=interfaces_lagg.php*
+page-interfaces-lagg-edit=interfaces_lagg_edit.php*
+page-interfaces-ppps=interfaces_ppps.php*
+page-interfaces-ppps-edit=interfaces_ppps_edit.php*
+page-interfaces-qinq=interfaces_qinq.php*
+page-interfaces-qinq-edit=interfaces_qinq_edit.php*
+page-interfaces-vlan=interfaces_vlan.php*
+page-interfaces-vlan-edit=interfaces_vlan_edit.php*
+page-interfaces-wireless=interfaces_wireless.php*
+page-interfaces-wireless-edit=interfaces_wireless_edit.php*
+page-system-license=license.php*
+page-services-loadbalancer-monitor=load_balancer_monitor.php*
+page-services-loadbalancer-monitor-edit=load_balancer_monitor_edit.php*
+page-loadbalancer-pool=load_balancer_pool.php*
+page-loadbalancer-pool-edit=load_balancer_pool_edit.php*
+page-services-loadbalancer-relay-action=load_balancer_relay_action.php*
+page-services-loadbalancer-relay-action-edit=load_balancer_relay_action_edit.php*
+page-services-loadbalancer-relay-protocol=load_balancer_relay_protocol.php*
+page-services-loadbalancer-relay-protocol-edit=load_balancer_relay_protocol_edit.php*
+page-services-loadbalancer-setting=load_balancer_setting.php*
+page-services-loadbalancer-virtualservers=load_balancer_virtual_server.php*
+page-services-ntpd=services_ntpd.php*
+page-services-ntp-gps=status_ntpd_gps.php*
+page-services-ntp-pps=status_ntpd_pps.php*
+page-loadbalancer-virtualserver-edit=load_balancer_virtual_server_edit.php*
+page-package-settings=pkg.php*
+page-package-edit=pkg_edit.php*
+page-system-packagemanager=pkg_mgr.php*
+page-system-packagemanager-installpackage=pkg_mgr_install.php*
+page-system-packagemanager-installed=pkg_mgr_installed.php*
+page-pkg-mgr-settings=pkg_mgr_settings.php*
+page-diagnostics-rebootsystem=reboot.php*
+page-diagnostics-restart-httpd=restart_httpd.php*
+page-services-captiveportal=services_captiveportal.php*
+page-services-captiveportal-filemanager=services_captiveportal_filemanager.php*
+page-services-captiveportal-allowedips=services_captiveportal_ip.php*
+page-services-captiveportal-editallowedips=services_captiveportal_ip_edit.php*
+page-services-captiveportal-macaddresses=services_captiveportal_mac.php*
+page-services-captiveportal-editmacaddresses=services_captiveportal_mac_edit.php*
+page-services-captiveportal-allowedhostnames=services_captiveportal_hostname.php*
+page-services-captiveportal-editallowedhostnames=services_captiveportal_hostname_edit.php*
+page-services-captiveportal-editzones=services_captiveportal_zones_edit.php*
+page-services-captiveportal-vouchers=services_captiveportal_vouchers.php*
+page-services-captiveportal-voucher-edit=services_captiveportal_vouchers_edit.php*
+page-services-captiveportal-zones=services_captiveportal_zones.php*
+page-services-dhcpserver=services_dhcp.php*
+page-services-dhcpserver-editstaticmapping=services_dhcp_edit.php*
+page-services-dhcprelay=services_dhcp_relay.php*
+page-services-dhcpv6server=services_dhcpv6.php*
+page-services-dhcpserverv6-editstaticmapping=services_dhcpv6_edit.php*
+page-services-dhcpv6relay=services_dhcpv6_relay.php*
+page-services-dnsforwarder=services_dnsmasq.php*
+page-services-dnsforwarder-editdomainoverride=services_dnsmasq_domainoverride_edit.php*
+page-services-dnsforwarder-edithost=services_dnsmasq_edit.php*
+page-services-dnsresolver=services_unbound.php*
+page-services-dnsresolver-advanced=services_unbound_advanced.php*
+page-services-dnsresolver-acls=services_unbound_acls.php*
+page-services-dnsresolver-editacls=services_unbound_acls_edit.php*
+page-services-dnsresolver-editdomainoverride=services_unbound_domainoverride_edit.php*
+page-services-dnsresolver-edithost=services_unbound_host_edit.php*
+page-services-dynamicdnsclients=services_dyndns.php*
+page-services-dynamicdnsclient=services_dyndns_edit.php*
+page-services-igmpproxy=services_igmpproxy.php*
+page-services-igmpproxy-edit=services_igmpproxy_edit.php*
+page-services-rfc2136clients=services_rfc2136.php*
+page-services-router-advertisements=services_router_advertisements.php*
+page-services-snmp=services_snmp.php*
+page-services-wakeonlan=services_wol.php*
+page-services-wakeonlan-edit=services_wol_edit.php*
+page-diagnostics-cpuutilization=stats.php*
+page-hidden-detailedstatus=status.php*
+page-status-captiveportal=status_captiveportal.php*
+page-status-captiveportal-expire=status_captiveportal_expire.php*
+page-status-captiveportal-test=status_captiveportal_test.php*
+page-status-captiveportal-voucher-rolls=status_captiveportal_voucher_rolls.php*
+page-status-captiveportal-vouchers=status_captiveportal_vouchers.php*
+page-status-dhcpleases=status_dhcp_leases.php*
+page-status-dhcpv6leases=status_dhcpv6_leases.php*
+page-status-filterreloadstatus=status_filter_reload.php*
+page-status-gatewaygroups=status_gateway_groups.php*
+page-status-gateways=status_gateways.php*
+page-status-trafficgraph=status_graph.php*
+page-status-trafficgraph=bandwidth_by_ip.php*
+page-status-trafficgraph=graph.php*
+page-status-trafficgraph=ifstats.php*
+page-status-cpuload=status_graph_cpu.php*
+page-status-interfaces=status_interfaces.php*
+page-status-loadbalancer-pool=status_lb_pool.php*
+page-status-loadbalancer-virtualserver=status_lb_vs.php*
+page-status-openvpn=status_openvpn.php*
+page-status-trafficshaper-queues=status_queues.php*
+page-status-rrdgraphs=status_rrd_graph.php*
+page-status-rrdgraphs=status_rrd_graph_img.php*
+page-status-rrdgraph-settings=status_rrd_graph_settings.php*
+page-status-services=status_services.php*
+page-status-upnpstatus=status_upnp.php*
+page-diagnostics-wirelessstatus=status_wireless.php*
+page-system-generalsetup=system.php*
+page-system-advanced-admin=system_advanced_admin.php*
+page-system-advanced-firewall=system_advanced_firewall.php*
+page-system-advanced-misc=system_advanced_misc.php*
+page-system-advanced-network=system_advanced_network.php*
+page-system-advanced-notifications=system_advanced_notifications.php*
+page-system-advanced-sysctl=system_advanced_sysctl.php*
+page-system-authservers=system_authservers.php*
+page-system-camanager=system_camanager.php*
+page-system-certmanager=system_certmanager.php*
+page-system-crlmanager=system_crlmanager.php*
+page-system-firmware-manualupdate=system_firmware.php*
+page-system-firmware-checkforupdate=system_firmware_auto.php*
+page-system-firmware-autoupdate=system_firmware_check.php*
+page-system-firmware-settings=system_firmware_settings.php*
+page-system-gatewaygroups=system_gateway_groups.php*
+page-system-gateways-editgatewaygroups=system_gateway_groups_edit.php*
+page-system-gateways=system_gateways.php*
+page-system-gateways-editgateway=system_gateways_edit.php*
+page-system-groupmanager=system_groupmanager.php*
+page-system-groupmanager-addprivs=system_groupmanager_addprivs.php*
+page-system-hasync=system_hasync.php*
+page-system-staticroutes=system_routes.php*
+page-system-staticroutes-editroute=system_routes_edit.php*
+page-system-usermanager=system_usermanager.php*
+page-system-usermanager-addprivs=system_usermanager_addprivs.php*
+page-system-usermanager-passwordmg=system_usermanager_passwordmg.php*
+page-system-usermanager-settings=system_usermanager_settings.php*
+page-system-usermanager-settings-testldap=system_usermanager_settings_test.php*
+page-upload_progress=upload_progress*
+page-hidden-uploadconfiguration=uploadconfig.php*
+page-vpn-ipsec=vpn_ipsec.php*
+page-vpn-ipsec-listkeys=vpn_ipsec_keys.php*
+page-vpn-ipsec-editkeys=vpn_ipsec_keys_edit.php*
+page-vpn-ipsec-mobile=vpn_ipsec_mobile.php*
+page-vpn-ipsec-editphase1=vpn_ipsec_phase1.php*
+page-vpn-ipsec-editphase2=vpn_ipsec_phase2.php*
+page-vpn-vpnl2tp=vpn_l2tp.php*
+page-vpn-vpnl2tp-users=vpn_l2tp_users.php*
+page-vpn-vpnl2tp-users-edit=vpn_l2tp_users_edit.php*
+page-openvpn-client=vpn_openvpn_client.php*
+page-openvpn-csc=vpn_openvpn_csc.php*
+page-openvpn-server=vpn_openvpn_server.php*
+page-services-pppoeserver=vpn_pppoe.php*
+page-services-pppoeserver-edit=vpn_pppoe_edit.php*
+page-vpn-vpnpptp=vpn_pptp.php*
+page-vpn-vpnpptp-users=vpn_pptp_users.php*
+page-vpn-vpnpptp-user-edit=vpn_pptp_users_edit.php*
+page-pfsensewizardsubsystem=wizard.php*
+page-xmlrpclibrary=xmlrpc.php*
+page-firewall-easyrule=easyrule.php*
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/Config.php b/src/opnsense/mvc/app/models/OPNsense/Core/Config.php
index 821b0fc0d..d09700cfc 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/Config.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/Config.php
@@ -181,7 +181,6 @@ class Config extends Singleton
         $this->configxml->loadXML($xml);
         $this->simplexml = simplexml_import_dom($this->configxml);
         $this->isValid = true;
-
     }
 
     /**
diff --git a/src/opnsense/mvc/app/views/layout_partials/base_menu_system.volt b/src/opnsense/mvc/app/views/layout_partials/base_menu_system.volt
index 08e0f56c5..7d9971d4f 100644
--- a/src/opnsense/mvc/app/views/layout_partials/base_menu_system.volt
+++ b/src/opnsense/mvc/app/views/layout_partials/base_menu_system.volt
@@ -1,14 +1,14 @@
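Review bot: Several keys in this map repeat (`page-diagnostics-edit` three times, `page-status-trafficgraph` four times, `page-status-rrdgraphs` and `page-diagnostics-cpuutilization` twice), so the loader must collect a list of masks per key rather than keep the last value, otherwise `page-diagnostics-edit` would grant only `filebrowser/browser.php*`; the ACL.php hunk iterates each `$privset` as a list, which suggests that is intended, but loadLegacyPageMap() itself is not visible in this rendering. Two entries, `system_firmware_restorefullbackup.php` and `diag_ipsec_xml.php`, have no trailing `*` and are therefore matched as exact paths while every other entry is a prefix match, which is easy to misread as an omission. If both behaviours are deliberate, the file format (one `privilege=mask` per line, repeated keys accumulate, `*` as the only wildcard, a missing `*` meaning an exact path) belongs in the loader's docblock, since a comment line in this file would need loader support that the patch does not show.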