Hiding printers in web interface

John A. Sullivan III jsullivan at opensourcedevel.com
Thu Apr 8 16:28:37 PDT 2010


> > > On Apr 7, 2010, at 3:33 AM, John A. Sullivan III wrote:
> > > > Hello, all.  I'm feeling really stupid but after many hours, I can't =
> > > seem to crack this simple problem.  We are planning to host a =
> > > multi-tenant environment and want users to see only their printers and =
> > > only their print jobs.
> > > >=20
> > > > We did create our printers with a lpadmin -u allow:<userid>.  This =
> > > works perfectly fine.  Users only see their printers . . . until they go =
> > > to the print server web interface and click on printers or jobs.  They =
> > > see all the printers and all the jobs.  They can't print to them but =
> > > they can see them.  How do we restrict them to see only their printers =
> > > and their print jobs in this interface?
> > >
> > >
> > > You have to use authentication since otherwise there is no way for the =
> > > web interface to pass the correct username through to do filtering.
> > >
> > > We don't (and realistically can't) do filtering by IP since the CGI =
> > > programs don't have access to the printer policy/ACL information and are =
> > > the ones doing the "get printers" request on behalf of the web client.
> > > <Snip>
> > OK, I understand.  So if the problem is specifically with the CGI in the web interface, is it possible to disable the web interface or have it display nothing without restricting the printers.  It seems if we restrict the web interface, we also restrict the printers even though they do have access to the
> > policy/ACL information.  We could do quite well without the web interface other than for admins.  Thanks - John
> Argh!!! If we bite the bullet and force authentication at the / level to prevent unauthenticated users from seeing the complete printer and job list in the web interface, some applications, most notably OpenOffice, cannot compile a printer list. It just show the good old Generic Printer.
> I suppose there is no way to use a different port for the web interaction versus printer interaction.  It must all be the same http-like protocol.  Printers and web viewers must be indistinguishable to CUPS I guess.  Thanks - John
>
Well . . .it's ugly but what I've done is disable the CGI scripts in /usr/lib/cups/cgi-bin.  That seems to work.  The printing application still see only the appropriate printers as defined in printers.conf.  No one can see anything in the web application.  Are there any problems in doing it this way?




More information about the cups mailing list