From b5f77ee6e6176850e0be7d4bbc66ab2865c4a8ce Mon Sep 17 00:00:00 2001
From: Stephan de Wit
Date: Fri, 17 Jan 2025 16:59:36 +0100
Subject: [PATCH] acl: prioritize dashboard and ui routes for landing page
---
 .../mvc/app/models/OPNsense/Core/ACL.php | 24 +++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
index d3b11db3a23..fcb4845b966 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
@@ -91,12 +91,24 @@ private function loadUserGroupRights()
 {
 $pageMap = $this->loadPageMap();
+ // prioritized acl names that, if configured, will be used first for getLandingPage
+ $priorityPrivileges = ['page-system-login-logout'];
+
 // create privilege mappings
 $this->userDatabase = [];
 $this->allGroupPrivs = [];
 $groupmap = [];
+ $privilegeSort = function($a, $b) use ($priorityPrivileges) {
+ $posA = array_search($a, $priorityPrivileges);
+ $posB = array_search($b, $priorityPrivileges);
+ if ($posA === false && $posB !== false) return 1;
+ if ($posA !== false && $posB === false) return -1;
+ if ($posA === false && $posB === false) return 0;
+ return $posA <=> $posB;
+ };
+
 // gather user / group data from config.xml
 $config = Config::getInstance()->object();
 $userUidMap = [];
@@ -115,7 +127,9 @@ private function loadUserGroupRights()
 $this->userDatabase[$username]['landing_page'] = (string)$node->landing_page;
 }
 foreach ($node->priv as $priv) {
- foreach (array_filter(explode(',', $priv)) as $privname) {
+ $privileges = array_filter(explode(',', $priv));
+ usort($privileges, $privilegeSort);
+ foreach ($privileges as $privname) {
 if (array_key_exists($privname, $pageMap)) {
 $this->userDatabase[$username]['priv'][] = $pageMap[$privname];
 }
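Review bot: Both `array_search` calls inside the `$privilegeSort` closure compare loosely; the names compared are strings, so nothing breaks today, but `array_search($a, $priorityPrivileges, true)` states the intent and stays correct if the list ever holds numeric-looking entries. The three single-line `if (...) return ...;` statements also drop the braces used everywhere else in this function. A comment above the closure would help, for example `// names outside the list compare equal; their configured order is kept because usort is stable on PHP 8.0+`. `loadUserGroupRights()` starts before and continues after this hunk.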
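Review bot: The `usort` added in the `@@ -115,7` hunk runs inside `foreach ($node->priv as $priv)`, so it only orders the names found in one `priv` element. If a user record holds several `priv` elements (the loop suggests that is possible), a prioritized name in a later element is still appended after everything from the earlier ones, and `getLandingPage` would not see it first. The group branch in the `@@ -144,7` hunk sorts per `$node_data` value in the same way. Collecting the names across all elements and sorting once would make the priority hold for the whole user; the enclosing loops open and close outside the hunk.

```php
$privileges = [];
foreach ($node->priv as $priv) {
    array_push($privileges, ...array_filter(explode(',', $priv)));
}
usort($privileges, $privilegeSort);
foreach ($privileges as $privname) {
    // … unchanged: pageMap lookup and append to userDatabase[$username]['priv'] …
```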
@@ -144,7 +158,9 @@ private function loadUserGroupRights()
 }
 }
 } elseif ($itemKey == "priv") {
- foreach (array_filter(explode(',', $node_data)) as $privname) {
+ $privileges = array_filter(explode(',', $node_data));
+ usort($privileges, $privilegeSort);
+ foreach ($privileges as $privname) {
 if (array_key_exists($privname, $pageMap)) {
 $this->allGroupPrivs[$groupkey][] = $pageMap[$privname];
 }
@@ -370,6 +386,10 @@ public function getLandingPage($username)
 } elseif (!empty($this->userDatabase[$username])) {
 // default behaviour, find first accessible location from configured privileges
 foreach ($this->urlMasks($username) as $pattern) {
+ if (str_starts_with('api', $pattern)) {
+ continue;
+ }
+
 if ($pattern == "*") {
 return "index.php";
 } elseif (!empty($pattern)) {
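Review bot: The arguments to `str_starts_with` in the guard added to `getLandingPage` are swapped. PHP's signature is `str_starts_with($haystack, $needle)`, so `str_starts_with('api', $pattern)` asks whether the literal `'api'` begins with the pattern. A mask that begins with `api` and is longer than three characters is therefore not skipped and can still be picked as the landing page, while an empty pattern always matches. The guard should read `if (str_starts_with($pattern, 'api')) {`. `getLandingPage()` continues past the end of the hunk.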