tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

API CHANGE Moved "IP Address restrictions for groups" feature to a new "ipaddress-restriction" module (SSF-53)

Browse Source
This commit is contained in:
Ingo Schommer 2012-03-01 17:54:54 +01:00
parent 3ded12e599
commit 0ab43cdcb8
4 changed files with 8 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/en/changelogs/3.0.0.md
View File

@ -128,6 +128,13 @@ included through `translatable/_config.php`:
Object::add_extension('SiteTree', 'Translatable');
Object::add_extension('SiteConfig', 'Translatable');
### Moved Group->IPRestrictions into a new 'ipaddress-restriction' module
IP restrictions for group memberships in the "Security" section were a rarely used feature,
and cluttered up the interface. We've decided to move it to a separate module
called [ipaddress-restriction](http://github.com/silverstripe-labs/silverstripe-ipaddress-restriction).
To continue using these restrictions, just install the module - no data migration required.
### Removed "auto-merging" of member records from `Member->onBeforeWrite()`

10
lang/en_US.php
View File

@ -706,7 +706,6 @@ $lang['en_US']['Security']['CHANGEPASSWORDBELOW'] = 'You can change your passwor
$lang['en_US']['Security']['CHANGEPASSWORDHEADER'] = 'Change your password';
$lang['en_US']['Security']['ENTERNEWPASSWORD'] = 'Please enter a new password.';
$lang['en_US']['Security']['ERRORPASSWORDPERMISSION'] = 'You must be logged in in order to change your password!';
$lang['en_US']['Security']['IPADDRESSES'] = 'IP Addresses';
$lang['en_US']['Security']['LOGGEDOUT'] = 'You have been logged out. If you would like to log in again, enter your credentials below.';
$lang['en_US']['Security']['LOGIN'] = 'Log in';
$lang['en_US']['Security']['LOSTPASSWORDHEADER'] = 'Lost Password';
@ -721,15 +720,6 @@ $lang['en_US']['SecurityAdmin']['APPLY_ROLES_HELP'] = 'Ability to edit the roles
$lang['en_US']['SecurityAdmin']['EDITPERMISSIONS'] = 'Manage permissions for groups';
$lang['en_US']['SecurityAdmin']['EDITPERMISSIONS_HELP'] = 'Ability to edit Permissions and IP Addresses for a group. Requires the "Access to \'Security\' section" permission.';
$lang['en_US']['SecurityAdmin']['GROUPNAME'] = 'Group name';
$lang['en_US']['SecurityAdmin']['IPADDRESSESHELP'] = '<p>You can restrict this group to a particular
IP address range (one range per line). <br />Ranges can be in any of the following forms: <br />
203.96.152.12<br />
203.96.152/24<br />
203.96/16<br />
203/8<br /><br />If you enter one or more IP address ranges in this box, then members will only get
the rights of being in this group if they log on from one of the valid IP addresses. It won\'t prevent
people from logging in. This is because the same user might have to log in to access parts of the
system without IP address restrictions.';
$lang['en_US']['SecurityAdmin']['MEMBERS'] = 'Members';
$lang['en_US']['SecurityAdmin']['MENUTITLE'] = array(
'Users',

37
security/Group.php
View File

@ -13,7 +13,6 @@ class Group extends DataObject {
"Code" => "Varchar",
"Locked" => "Boolean",
"Sort" => "Int",
"IPRestrictions" => "Text",
"HtmlEditorConfig" => "Varchar"
);
@ -86,19 +85,6 @@ class Group extends DataObject {
'GroupID',
$this
)
),
new Tab('IPAddresses', _t('Security.IPADDRESSES', 'IP Addresses'),
new LiteralField("", _t('SecurityAdmin.IPADDRESSESHELP',"<p>You can restrict this group to a particular
IP address range (one range per line). <br />Ranges can be in any of the following forms: <br />
203.96.152.12<br />
203.96.152/24<br />
203.96/16<br />
203/8<br /><br />If you enter one or more IP address ranges in this box, then members will only get
the rights of being in this group if they log on from one of the valid IP addresses. It won't prevent
people from logging in. This is because the same user might have to log in to access parts of the
system without IP address restrictions.")),
new TextareaField("IPRestrictions", "IP Ranges", 10)
)
)
);
@ -174,7 +160,6 @@ class Group extends DataObject {
$labels['Code'] = _t('Group.Code', 'Group Code', PR_MEDIUM, 'Programmatical code identifying a group');
$labels['Locked'] = _t('Group.Locked', 'Locked?', PR_MEDIUM, 'Group is locked in the security administration area');
$labels['Sort'] = _t('Group.Sort', 'Sort Order');
$labels['IPRestrictions'] = _t('Group.IPRestrictions', 'IP Address Restrictions');
if($includerelations){
$labels['Parent'] = _t('Group.Parent', 'Parent Group', PR_MEDIUM, 'One group has one parent group');
$labels['Permissions'] = _t('Group.has_many_Permissions', 'Permissions', PR_MEDIUM, 'One group has many permissions');
@ -411,28 +396,6 @@ class Group extends DataObject {
return $filteredChildren;
}
/**
* Returns true if the given IP address is granted access to this group.
* For unrestricted groups, this always returns true.
*/
function allowedIPAddress($ip) {
if(!$this->IPRestrictions) return true;
if(!$ip) return false;
$ipPatterns = explode("\n", $this->IPRestrictions);
foreach($ipPatterns as $ipPattern) {
$ipPattern = trim($ipPattern);
if(preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/', $ipPattern, $matches)) {
if($ip == $ipPattern) return true;
} else if(preg_match('/^([0-9]+\.[0-9]+\.[0-9]+)\/24$/', $ipPattern, $matches)
|| preg_match('/^([0-9]+\.[0-9]+)\/16$/', $ipPattern, $matches)
|| preg_match('/^([0-9]+)\/8$/', $ipPattern, $matches)) {
if(substr($ip, 0, strlen($matches[1])) == $matches[1]) return true;
}
}
return false;
}
/**
* Add default records to database.
*

9
security/Member.php
View File

@ -948,14 +948,7 @@ class Member extends DataObject {
$groups = new Member_GroupSet('Group', 'Group_Members', 'GroupID', 'MemberID');
if($this->ID) $groups->setForeignID($this->ID);
// Filter out groups that aren't allowed from this IP
$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
$disallowedGroups = array();
foreach($groups as $group) {
if(!$group->allowedIPAddress($ip)) $disallowedGroups[] = $groupID;
}
if($disallowedGroups) $group->where("\"Group\".\"ID\" NOT IN (" .
implode(',',$disallowedGroups) . ")");
$this->extend('updateGroups', $groups);
return $groups;
}