mirror of
https://github.com/silverstripe/silverstripe-framework
API CHANGE Moved "IP Address restrictions for groups" feature to a new "ipaddress-restriction" module (SSF-53)
parent
3ded12e599
commit
0ab43cdcb8
@ -129,6 +129,13 @@ included through `translatable/_config.php`:
|
|||||||
Object::add_extension('SiteTree', 'Translatable');
|
Object::add_extension('SiteTree', 'Translatable');
|
||||||
Object::add_extension('SiteConfig', 'Translatable');
|
Object::add_extension('SiteConfig', 'Translatable');
|
||||||
|
|
||||||
|
### Moved Group->IPRestrictions into a new 'ipaddress-restriction' module
|
||||||
|
|
||||||
|
IP restrictions for group memberships in the "Security" section were a rarely used feature,
|
||||||
|
and cluttered up the interface. We've decided to move it to a separate module
|
||||||
|
called [ipaddress-restriction](http://github.com/silverstripe-labs/silverstripe-ipaddress-restriction).
|
||||||
|
To continue using these restrictions, just install the module - no data migration required.
|
||||||
|
|
||||||
### Removed "auto-merging" of member records from `Member->onBeforeWrite()`
|
### Removed "auto-merging" of member records from `Member->onBeforeWrite()`
|
||||||
|
|
||||||
Due to security reasons. Please use `DataObject->merge()` explicitly if this is desired behaviour.
|
Due to security reasons. Please use `DataObject->merge()` explicitly if this is desired behaviour.
|
||||||
|
@ -706,7 +706,6 @@ $lang['en_US']['Security']['CHANGEPASSWORDBELOW'] = 'You can change your passwor
|
|||||||
$lang['en_US']['Security']['CHANGEPASSWORDHEADER'] = 'Change your password';
|
$lang['en_US']['Security']['CHANGEPASSWORDHEADER'] = 'Change your password';
|
||||||
$lang['en_US']['Security']['ENTERNEWPASSWORD'] = 'Please enter a new password.';
|
$lang['en_US']['Security']['ENTERNEWPASSWORD'] = 'Please enter a new password.';
|
||||||
$lang['en_US']['Security']['ERRORPASSWORDPERMISSION'] = 'You must be logged in in order to change your password!';
|
$lang['en_US']['Security']['ERRORPASSWORDPERMISSION'] = 'You must be logged in in order to change your password!';
|
||||||
$lang['en_US']['Security']['IPADDRESSES'] = 'IP Addresses';
|
|
||||||
$lang['en_US']['Security']['LOGGEDOUT'] = 'You have been logged out. If you would like to log in again, enter your credentials below.';
|
$lang['en_US']['Security']['LOGGEDOUT'] = 'You have been logged out. If you would like to log in again, enter your credentials below.';
|
||||||
$lang['en_US']['Security']['LOGIN'] = 'Log in';
|
$lang['en_US']['Security']['LOGIN'] = 'Log in';
|
||||||
$lang['en_US']['Security']['LOSTPASSWORDHEADER'] = 'Lost Password';
|
$lang['en_US']['Security']['LOSTPASSWORDHEADER'] = 'Lost Password';
|
||||||
@ -721,15 +720,6 @@ $lang['en_US']['SecurityAdmin']['APPLY_ROLES_HELP'] = 'Ability to edit the roles
|
|||||||
$lang['en_US']['SecurityAdmin']['EDITPERMISSIONS'] = 'Manage permissions for groups';
|
$lang['en_US']['SecurityAdmin']['EDITPERMISSIONS'] = 'Manage permissions for groups';
|
||||||
$lang['en_US']['SecurityAdmin']['EDITPERMISSIONS_HELP'] = 'Ability to edit Permissions and IP Addresses for a group. Requires the "Access to \'Security\' section" permission.';
|
$lang['en_US']['SecurityAdmin']['EDITPERMISSIONS_HELP'] = 'Ability to edit Permissions and IP Addresses for a group. Requires the "Access to \'Security\' section" permission.';
|
||||||
$lang['en_US']['SecurityAdmin']['GROUPNAME'] = 'Group name';
|
$lang['en_US']['SecurityAdmin']['GROUPNAME'] = 'Group name';
|
||||||
$lang['en_US']['SecurityAdmin']['IPADDRESSESHELP'] = '<p>You can restrict this group to a particular
|
|
||||||
IP address range (one range per line). <br />Ranges can be in any of the following forms: <br />
|
|
||||||
203.96.152.12<br />
|
|
||||||
203.96.152/24<br />
|
|
||||||
203.96/16<br />
|
|
||||||
203/8<br /><br />If you enter one or more IP address ranges in this box, then members will only get
|
|
||||||
the rights of being in this group if they log on from one of the valid IP addresses. It won\'t prevent
|
|
||||||
people from logging in. This is because the same user might have to log in to access parts of the
|
|
||||||
system without IP address restrictions.';
|
|
||||||
$lang['en_US']['SecurityAdmin']['MEMBERS'] = 'Members';
|
$lang['en_US']['SecurityAdmin']['MEMBERS'] = 'Members';
|
||||||
$lang['en_US']['SecurityAdmin']['MENUTITLE'] = array(
|
$lang['en_US']['SecurityAdmin']['MENUTITLE'] = array(
|
||||||
'Users',
|
'Users',
|
||||||
|
@ -13,7 +13,6 @@ class Group extends DataObject {
|
|||||||
"Code" => "Varchar",
|
"Code" => "Varchar",
|
||||||
"Locked" => "Boolean",
|
"Locked" => "Boolean",
|
||||||
"Sort" => "Int",
|
"Sort" => "Int",
|
||||||
"IPRestrictions" => "Text",
|
|
||||||
"HtmlEditorConfig" => "Varchar"
|
"HtmlEditorConfig" => "Varchar"
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -86,19 +85,6 @@ class Group extends DataObject {
|
|||||||
'GroupID',
|
'GroupID',
|
||||||
$this
|
$this
|
||||||
)
|
)
|
||||||
),
|
|
||||||
|
|
||||||
new Tab('IPAddresses', _t('Security.IPADDRESSES', 'IP Addresses'),
|
|
||||||
new LiteralField("", _t('SecurityAdmin.IPADDRESSESHELP',"<p>You can restrict this group to a particular
|
|
||||||
IP address range (one range per line). <br />Ranges can be in any of the following forms: <br />
|
|
||||||
203.96.152.12<br />
|
|
||||||
203.96.152/24<br />
|
|
||||||
203.96/16<br />
|
|
||||||
203/8<br /><br />If you enter one or more IP address ranges in this box, then members will only get
|
|
||||||
the rights of being in this group if they log on from one of the valid IP addresses. It won't prevent
|
|
||||||
people from logging in. This is because the same user might have to log in to access parts of the
|
|
||||||
system without IP address restrictions.")),
|
|
||||||
new TextareaField("IPRestrictions", "IP Ranges", 10)
|
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
@ -174,7 +160,6 @@ class Group extends DataObject {
|
|||||||
$labels['Code'] = _t('Group.Code', 'Group Code', PR_MEDIUM, 'Programmatical code identifying a group');
|
$labels['Code'] = _t('Group.Code', 'Group Code', PR_MEDIUM, 'Programmatical code identifying a group');
|
||||||
$labels['Locked'] = _t('Group.Locked', 'Locked?', PR_MEDIUM, 'Group is locked in the security administration area');
|
$labels['Locked'] = _t('Group.Locked', 'Locked?', PR_MEDIUM, 'Group is locked in the security administration area');
|
||||||
$labels['Sort'] = _t('Group.Sort', 'Sort Order');
|
$labels['Sort'] = _t('Group.Sort', 'Sort Order');
|
||||||
$labels['IPRestrictions'] = _t('Group.IPRestrictions', 'IP Address Restrictions');
|
|
||||||
if($includerelations){
|
if($includerelations){
|
||||||
$labels['Parent'] = _t('Group.Parent', 'Parent Group', PR_MEDIUM, 'One group has one parent group');
|
$labels['Parent'] = _t('Group.Parent', 'Parent Group', PR_MEDIUM, 'One group has one parent group');
|
||||||
$labels['Permissions'] = _t('Group.has_many_Permissions', 'Permissions', PR_MEDIUM, 'One group has many permissions');
|
$labels['Permissions'] = _t('Group.has_many_Permissions', 'Permissions', PR_MEDIUM, 'One group has many permissions');
|
||||||
@ -411,28 +396,6 @@ class Group extends DataObject {
|
|||||||
return $filteredChildren;
|
return $filteredChildren;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Returns true if the given IP address is granted access to this group.
|
|
||||||
* For unrestricted groups, this always returns true.
|
|
||||||
*/
|
|
||||||
function allowedIPAddress($ip) {
|
|
||||||
if(!$this->IPRestrictions) return true;
|
|
||||||
if(!$ip) return false;
|
|
||||||
|
|
||||||
$ipPatterns = explode("\n", $this->IPRestrictions);
|
|
||||||
foreach($ipPatterns as $ipPattern) {
|
|
||||||
$ipPattern = trim($ipPattern);
|
|
||||||
if(preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/', $ipPattern, $matches)) {
|
|
||||||
if($ip == $ipPattern) return true;
|
|
||||||
} else if(preg_match('/^([0-9]+\.[0-9]+\.[0-9]+)\/24$/', $ipPattern, $matches)
|
|
||||||
|| preg_match('/^([0-9]+\.[0-9]+)\/16$/', $ipPattern, $matches)
|
|
||||||
|| preg_match('/^([0-9]+)\/8$/', $ipPattern, $matches)) {
|
|
||||||
if(substr($ip, 0, strlen($matches[1])) == $matches[1]) return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Add default records to database.
|
* Add default records to database.
|
||||||
*
|
*
|
||||||
|
@ -948,14 +948,7 @@ class Member extends DataObject {
|
|||||||
$groups = new Member_GroupSet('Group', 'Group_Members', 'GroupID', 'MemberID');
|
$groups = new Member_GroupSet('Group', 'Group_Members', 'GroupID', 'MemberID');
|
||||||
if($this->ID) $groups->setForeignID($this->ID);
|
if($this->ID) $groups->setForeignID($this->ID);
|
||||||
|
|
||||||
// Filter out groups that aren't allowed from this IP
|
$this->extend('updateGroups', $groups);
|
||||||
$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
|
|
||||||
$disallowedGroups = array();
|
|
||||||
foreach($groups as $group) {
|
|
||||||
if(!$group->allowedIPAddress($ip)) $disallowedGroups[] = $groupID;
|
|
||||||
}
|
|
||||||
if($disallowedGroups) $group->where("\"Group\".\"ID\" NOT IN (" .
|
|
||||||
implode(',',$disallowedGroups) . ")");
|
|
||||||
|
|
||||||
return $groups;
|
return $groups;
|
||||||
}
|
}
|
||||||
|
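Review bot: With the inline `$_SERVER['REMOTE_ADDR']` filter gone, this Member method (its body starts outside the hunk) enforces no IP restriction on its own, so a site that upgrades without installing the ipaddress-restriction module presumably grants previously restricted groups' rights from any address. The upgrade fails open silently; the changelog entry in this commit says "just install the module" but should state the consequence, e.g. `Until the module is installed, existing IP restrictions on groups are not enforced.` The new `$this->extend('updateGroups', $groups);` line is a privilege-affecting extension point with no comment, since whatever a handler does to `$groups` decides which group rights the member receives. I would add `// Extension hook: lets modules filter $groups before it is returned (e.g. by client IP)` above it, and note in the method docblock that handlers are expected only to narrow the set.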