From 7409776a263fb788bc661b8077b869f731343e90 Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Sat, 26 Apr 2008 06:35:03 +0000
Subject: [PATCH] Merged revisions 52647 via svnmerge from http://svn.silverstripe.com/open/modules/sapphire/branches/govtsecurity
........
r52647 | sminnee | 2008-04-13 21:48:51 +1200 (Sun, 13 Apr 2008) | 1 line
Added Group.IPRestrictions field, for limiting security group access by IP range
........
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@53486 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 security/Group.php | 21 +++++++++++++++++++++
 security/Member.php | 8 +++++++-
 security/Permission.php | 2 +-
 3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/security/Group.php b/security/Group.php
index c635af66a..2f126a3ad 100644
--- a/security/Group.php
+++ b/security/Group.php
@@ -22,6 +22,7 @@ class Group extends DataObject {
 "CanCMSAdmin" => "Boolean",
 "Locked" => "Boolean",
 "Sort" => "Int",
+ "IPRestrictions" => "Text",
 );
 static $has_one = array(
 "Parent" => "SiteTree",
@@ -273,6 +274,26 @@ class Group extends DataObject {
 return $filteredChildren;
 }
+
+ /**
+ * Returns true if the given IP address is granted access to this group.
+ * For unrestricted groups, this always returns true.
+ */
+ function allowedIPAddress($ip) {
+ if(!$this->IPRestrictions) return true;
+ $ipPatterns = explode("\n", $this->IPRestrictions);
+ foreach($ipPatterns as $ipPattern) {
+ $ipPattern = trim($ipPattern);
+ if(preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/', $ipPattern, $matches)) {
+ if($ip == $ipPattern) return true;
+ } else if(preg_match('/^([0-9]+\.[0-9]+\.[0-9]+)\/24$/', $ipPattern, $matches)
+ || preg_match('/^([0-9]+\.[0-9]+)\/16$/', $ipPattern, $matches)
+ || preg_match('/^([0-9]+)\/8$/', $ipPattern, $matches)) {
+ if(substr($ip, 0, strlen($matches[1])) == $matches[1]) return true;
+ }
+ }
+ return false;
+ }
 }
 /**
diff --git a/security/Member.php b/security/Member.php
index 1a43b82d5..d0ec6dba1 100644
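Review bot: The /24, /16 and /8 branches of allowedIPAddress() compare a raw string prefix, so `10.1.2/24` also admits `10.1.20.x` through `10.1.29.x` and `10/8` admits every address whose first octet merely starts with 10, i.e. `100.x.x.x` through `109.x.x.x`; the prefix must carry its trailing dot, `if(substr($ip, 0, strlen($matches[1]) + 1) === $matches[1] . '.') return true;`. The exact-match line should use `===` as well, because `==` on numeric-looking strings coerces (a zero-padded pattern such as `01/8` currently admits `1.x.x.x` via the prefix branch, since `"1." == "01"` is true). Any other line — a /25, a typo, an out-of-range octet such as `999.1.1.1`, or a non-IPv4 value passed as $ip — matches nothing and therefore denies, which is the safe direction but is undocumented; the docblock should state `Accepted forms, one per line: a.b.c.d, a.b.c/24, a.b/16, a/8; unrecognised lines never match.` A longer-term fix is ip2long() with a netmask, which would also allow arbitrary prefix lengths instead of only the three hard-coded ones.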
--- a/security/Member.php
+++ b/security/Member.php
@@ -720,7 +720,13 @@ class Member extends DataObject {
 if(count($collatedGroups) > 0) {
 $collatedGroups = implode(", ", array_unique($collatedGroups));
- $result = singleton('Group')->instance_get("`ID` IN ($collatedGroups)", "ID", "", "", "Member_GroupSet");
+ $unfilteredGroups = singleton('Group')->instance_get("`ID` IN ($collatedGroups)", "ID", "", "", "Member_GroupSet");
+ $result = new ComponentSet();
+
+ // Only include groups where allowedIPAddress() returns true
+ foreach($unfilteredGroups as $group) {
+ if($group->allowedIPAddress($_SERVER['REMOTE_ADDR'])) $result->push($group);
+ }
 } else {
 $result = new Member_GroupSet();
 }
diff --git a/security/Permission.php b/security/Permission.php
index a77686b90..bcf25a9c0 100755
--- a/security/Permission.php
+++ b/security/Permission.php
@@ -177,7 +177,7 @@ class Permission extends DataObject {
 $argClause
 )
 ")->value();
-
+
 if($permission) return $permission;
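Review bot: The filtered result is built as a plain `ComponentSet`, while both the removed line and the `else` branch produce a `Member_GroupSet`, so callers now receive a different class depending on whether the member has any groups; use `$result = new Member_GroupSet();` here as well. `$_SERVER['REMOTE_ADDR']` is the right source (an X-Forwarded-For header would be client-controlled), but it is unset under the CLI and, behind a reverse proxy, it is the proxy's own address for every visitor, so a restricted group would then be open to everyone or to no one; read it as `isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null` (null matches no realistic pattern, so restricted groups stay denied) and note the no-proxy assumption in the comment. The filtering lives only in this group lookup, so any permission check that queries group membership directly in SQL would not see the restriction; the SQL lookup in the Permission.php hunk below looks like such a path and is worth confirming. The enclosing method starts and ends outside the hunk.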