API CHANGE Moved "IP Address restrictions for groups" feature to a new "ipaddress-restriction" module (SSF-53)

This commit is contained in:
Ingo Schommer 2012-03-01 17:54:54 +01:00
parent 3ded12e599
commit 0ab43cdcb8
4 changed files with 8 additions and 55 deletions


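--- a/[path not shown: changelog markdown]
+++ b/[path not shown: changelog markdown]
@@ -129,6 +129,13 @@ included through `translatable/_config.php`:
 Object::add_extension('SiteTree', 'Translatable');
 Object::add_extension('SiteConfig', 'Translatable');
+### Moved Group->IPRestrictions into a new 'ipaddress-restriction' module
+IP restrictions for group memberships in the "Security" section were a rarely used feature,
+and cluttered up the interface. We've decided to move it to a separate module
+called [ipaddress-restriction](http://github.com/silverstripe-labs/silverstripe-ipaddress-restriction).
+To continue using these restrictions, just install the module - no data migration required.
 ### Removed "auto-merging" of member records from `Member->onBeforeWrite()`
 Due to security reasons. Please use `DataObject->merge()` explicitly if this is desired behaviour.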


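--- a/[path not shown: lang/en_US.php]
+++ b/[path not shown: lang/en_US.php]
@@ -706,7 +706,6 @@ $lang['en_US']['Security']['CHANGEPASSWORDBELOW'] = 'You can change your passwor
 $lang['en_US']['Security']['CHANGEPASSWORDHEADER'] = 'Change your password';
 $lang['en_US']['Security']['ENTERNEWPASSWORD'] = 'Please enter a new password.';
 $lang['en_US']['Security']['ERRORPASSWORDPERMISSION'] = 'You must be logged in in order to change your password!';
-$lang['en_US']['Security']['IPADDRESSES'] = 'IP Addresses';
 $lang['en_US']['Security']['LOGGEDOUT'] = 'You have been logged out. If you would like to log in again, enter your credentials below.';
 $lang['en_US']['Security']['LOGIN'] = 'Log in';
 $lang['en_US']['Security']['LOSTPASSWORDHEADER'] = 'Lost Password';
@@ -721,15 +720,6 @@ $lang['en_US']['SecurityAdmin']['APPLY_ROLES_HELP'] = 'Ability to edit the roles
 $lang['en_US']['SecurityAdmin']['EDITPERMISSIONS'] = 'Manage permissions for groups';
 $lang['en_US']['SecurityAdmin']['EDITPERMISSIONS_HELP'] = 'Ability to edit Permissions and IP Addresses for a group. Requires the "Access to \'Security\' section" permission.';
 $lang['en_US']['SecurityAdmin']['GROUPNAME'] = 'Group name';
-$lang['en_US']['SecurityAdmin']['IPADDRESSESHELP'] = '<p>You can restrict this group to a particular
-IP address range (one range per line). <br />Ranges can be in any of the following forms: <br />
-203.96.152.12<br />
-203.96.152/24<br />
-203.96/16<br />
-203/8<br /><br />If you enter one or more IP address ranges in this box, then members will only get
-the rights of being in this group if they log on from one of the valid IP addresses. It won\'t prevent
-people from logging in. This is because the same user might have to log in to access parts of the
-system without IP address restrictions.';
 $lang['en_US']['SecurityAdmin']['MEMBERS'] = 'Members';
 $lang['en_US']['SecurityAdmin']['MENUTITLE'] = array(
 'Users',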


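--- a/[path not shown: Group.php]
+++ b/[path not shown: Group.php]
@@ -13,7 +13,6 @@ class Group extends DataObject {
 "Code" => "Varchar",
 "Locked" => "Boolean",
 "Sort" => "Int",
-"IPRestrictions" => "Text",
 "HtmlEditorConfig" => "Varchar"
 );
@@ -86,19 +85,6 @@ class Group extends DataObject {
 'GroupID',
 $this
 )
-),
-new Tab('IPAddresses', _t('Security.IPADDRESSES', 'IP Addresses'),
-new LiteralField("", _t('SecurityAdmin.IPADDRESSESHELP',"<p>You can restrict this group to a particular
-IP address range (one range per line). <br />Ranges can be in any of the following forms: <br />
-203.96.152.12<br />
-203.96.152/24<br />
-203.96/16<br />
-203/8<br /><br />If you enter one or more IP address ranges in this box, then members will only get
-the rights of being in this group if they log on from one of the valid IP addresses. It won't prevent
-people from logging in. This is because the same user might have to log in to access parts of the
-system without IP address restrictions.")),
-new TextareaField("IPRestrictions", "IP Ranges", 10)
 )
 )
 );
@@ -174,7 +160,6 @@ class Group extends DataObject {
 $labels['Code'] = _t('Group.Code', 'Group Code', PR_MEDIUM, 'Programmatical code identifying a group');
 $labels['Locked'] = _t('Group.Locked', 'Locked?', PR_MEDIUM, 'Group is locked in the security administration area');
 $labels['Sort'] = _t('Group.Sort', 'Sort Order');
-$labels['IPRestrictions'] = _t('Group.IPRestrictions', 'IP Address Restrictions');
 if($includerelations){
 $labels['Parent'] = _t('Group.Parent', 'Parent Group', PR_MEDIUM, 'One group has one parent group');
 $labels['Permissions'] = _t('Group.has_many_Permissions', 'Permissions', PR_MEDIUM, 'One group has many permissions');
@@ -411,28 +396,6 @@ class Group extends DataObject {
 return $filteredChildren;
 }
-/**
-* Returns true if the given IP address is granted access to this group.
-* For unrestricted groups, this always returns true.
-*/
-function allowedIPAddress($ip) {
-if(!$this->IPRestrictions) return true;
-if(!$ip) return false;
-$ipPatterns = explode("\n", $this->IPRestrictions);
-foreach($ipPatterns as $ipPattern) {
-$ipPattern = trim($ipPattern);
-if(preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/', $ipPattern, $matches)) {
-if($ip == $ipPattern) return true;
-} else if(preg_match('/^([0-9]+\.[0-9]+\.[0-9]+)\/24$/', $ipPattern, $matches)
-|| preg_match('/^([0-9]+\.[0-9]+)\/16$/', $ipPattern, $matches)
-|| preg_match('/^([0-9]+)\/8$/', $ipPattern, $matches)) {
-if(substr($ip, 0, strlen($matches[1])) == $matches[1]) return true;
-}
-}
-return false;
-}
 /**
 * Add default records to database.
 *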


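--- a/[path not shown: Member.php]
+++ b/[path not shown: Member.php]
@@ -948,14 +948,7 @@ class Member extends DataObject {
 $groups = new Member_GroupSet('Group', 'Group_Members', 'GroupID', 'MemberID');
 if($this->ID) $groups->setForeignID($this->ID);
-// Filter out groups that aren't allowed from this IP
-$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
-$disallowedGroups = array();
-foreach($groups as $group) {
-if(!$group->allowedIPAddress($ip)) $disallowedGroups[] = $groupID;
-}
-if($disallowedGroups) $group->where("\"Group\".\"ID\" NOT IN (" .
-implode(',',$disallowedGroups) . ")");
+$this->extend('updateGroups', $groups);
 return $groups;
 }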
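Review bot: The group set returned here is now unfiltered unless an `updateGroups` extension narrows it, and the new `$this->extend('updateGroups', $groups);` line says nothing about that contract; a comment such as `// Extensions may narrow $groups here (the ipaddress-restriction module hooks in); with none registered, every membership is returned regardless of client address.` would make the changed default visible to readers. For the same reason a site that still stores `IPRestrictions` values but has not yet installed the module silently stops enforcing them, and since the column is no longer declared in `Group::$db` it will presumably be treated as obsolete on the next dev/build, so the changelog's "no data migration required" could add that the module should be installed before rebuilding. `SecurityAdmin.EDITPERMISSIONS_HELP` in the language file also still reads "Permissions and IP Addresses for a group". The enclosing method begins before this hunk.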