Fix to enforce RPC-only users before module ACL check

* Note: Block `rpc=3` users from normal Webmin UI before `init_config` marks module ACLs checked, while explicitly allowing RPC endpoints.

https://github.com/webmin/webmin/actions/runs/25971500591/job/76344191751

45292ea815

fastrpc.cgi

@@ -4,11 +4,12 @@
 # client. From then on, direct TCP connections can be made to this port
 # to send requests and get replies.
 
-$main::allow_rpc_only = 1;
 BEGIN { push(@INC, "."); };
 use WebminCore;
 use POSIX;
 use Socket;
+
+$main::allow_rpc_only = 1;
 $force_lang = $default_lang;
 &init_config();
 

rpc.cgi

@@ -4,13 +4,13 @@
 # other webmin servers. State is preserved by starting a process for each
 # session that listens for requests on a named pipe (and dies after a few
 # seconds of inactivity)
-# access{'rpc'}  0=not allowed 1=allowed 2=allowed if root or admin, 3=allowed
+# access{'rpc'}  0=not allowed 1=allowed 2=allowed if root or admin, 3=RPC only
 
-$main::allow_rpc_only = 1;
 BEGIN { push(@INC, "."); };
 use WebminCore;
 use POSIX;
 
+$main::allow_rpc_only = 1;
 &init_config();
 if ($ENV{'REQUEST_METHOD'} eq 'POST') {
 	local $got;
@@ -169,4 +169,3 @@ unlink($fifo1);
 unlink($fifo2);
 exit;
 }
-

web-lib-funcs.pl

@@ -5741,6 +5741,16 @@ if ($module_name) {
 	$module_root_directory = &module_root_directory($module_name);
 	}
 
+if (!$main::allow_rpc_only &&
+    $main::webmin_script_type eq 'web' &&
+    !$main::no_acl_check &&
+    !defined($ENV{'FOREIGN_MODULE_NAME'})) {
+	# Check if this user is RPC-only
+	if (&webmin_user_can_rpc() == 2) {
+		&error($text{'erpconly'});
+		}
+	}
+
 if ($module_name && !$main::no_acl_check &&
     (!defined($ENV{'FOREIGN_MODULE_NAME'}) ||
       defined($ENV{'FOREIGN_MODULE_SEC_CHECK'})) &&
@@ -5759,16 +5769,6 @@ if ($module_name && !$main::no_acl_check &&
 	$main::no_acl_check++;
 	}
 
-if (!$main::allow_rpc_only &&
-    $main::webmin_script_type eq 'web' &&
-    !$main::no_acl_check &&
-    !defined($ENV{'FOREIGN_MODULE_NAME'})) {
-	# Check if this user is RPC-only
-	if (&webmin_user_can_rpc() == 2) {
-		&error($text{'erpconly'});
-		}
-	}
-
 # Check the Referer: header for nasty redirects
 my @referers = split(/\s+/, $gconfig{'referers'});
 my $referer_site;

xmlrpc.cgi

@@ -19,6 +19,8 @@ BEGIN { push(@INC, "."); };
 use WebminCore;
 use POSIX;
 use Socket;
+
+$main::allow_rpc_only = 1;
 $force_lang = $default_lang;
 $trust_unknown_referers = 2;	# Only trust if referer was not set
 &init_config();
@@ -317,4 +319,3 @@ $xmlerr .= "</methodResponse>\n";
 return $xmlerr;
 }
 
-