tips:ipacl
Differences
wiki:tips:ipacl [2007-10-15 15:50] – made mail address clickable 131.220.9.183
tips:ipacl [2011-03-21 08:53] (current) – [Another (simpler) approach] - edited for 2010-11-07 release 77.11.93.133
This small mod allows you to configure user access not just by username and group, but also by where a client is connecting from. The installation instructions below are for the 2005-07-13 release of dokuwiki. I will try to keep updating it for all the future releases as well, but ideally I would like to see this functionality make it into the main system.
====== How does it work? ======
The operation is rather simple. Use the ACLs to add a new rule either for a single IP, or for an entire network. Here's an example:
<code>
*
start %192.168.2.10
</code>

Currently, I didn't modify the actual ACL control panel to include a new type of entry, so all of these rules are added in exactly the same way as you would add a new user. Simply prefix the IP or network with '

My system looks for all the entries that begin with % and tries to match them to the connecting user's IP. If an entry does not contain /xx on the end, it looks for an exact IP match. If there is a subnet mask at the end as in the example above, this mod will match only the part of the IP that fits within that mask, so an entry of 192.168.1.0/

I have not done too much testing on this as of yet, but it does seem to work so far just fine. If you find any problems with this mod, or just have any tips/

====== Install Instructions ======
The whole mod makes only 2 changes to **inc/

  - On line 307 (or somewhere around that), change this:<code php>
//we did this already
//looks like there is something wrong with the ACL
//break here
return $perm;</code>
<code php>
//we did this already
//looks like there is something wrong with the ACL
//break here
//return $perm;
break;</code>
  - After this line (should be 310): <code php>
}while(1); //this should never loop endless</code>
<code php>
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// IP ACL Mod - Max Khitrov <
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

// First we get the IP of the client
$user_ip = $_SERVER['REMOTE_ADDR'];

// Take all ACL entries that begin with % and see if they can be matched to
// the client'
$matches = preg_grep('/
if(count($matches)){
    foreach($matches as $match){
        $match = preg_replace('/#
        if ($match == ''
            continue;

        $acl = preg_split('/
        $acl[1] = substr($acl[1],

        if (strpos($acl[1],
            // This is an exact IP entry, see if it matches the user IP
            if ($user_ip == $acl[1])
                $perm = $acl[2];
        } else {
            // This is a network entry
            $ip = preg_split('/

            if ((ip2long($user_ip) & ~(pow(2, 32-$ip[1])-1)) == (ip2long($ip[0]) & ~(pow(2, 32-$ip[1])-1)))
                $perm = $acl[2];
        }

        if($perm > -1){
            //we had a match - return it
            return $perm;
        }
    }
}

$ns = getNS($id);
if($ns){
    $path = $ns.':
}else{
    $path = '
}

do{
    $matches = preg_grep('/
    if(count($matches)){
        foreach($matches as $match){
            $match = preg_replace('/#
            if ($match == ''
                continue;

            $acl = preg_split('/
            if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE;

            $acl[1] = substr($acl[1],

            if (strpos($acl[1],
                // This is an exact IP entry, see if it matches the user IP
                if ($user_ip == $acl[1])
                    if($acl[2] > $perm)
                        $perm = $acl[2];
            } else {
                // This is a network entry
                $ip = preg_split('/

                if ((ip2long($user_ip) & ~(pow(2, 32-$ip[1])-1)) == (ip2long($ip[0]) & ~(pow(2, 32-$ip[1])-1)))
                    if($acl[2] > $perm)
                        $perm = $acl[2];
            }
        }
        //we had a match - return it
        return $perm;
    }

    //get next higher namespace
    $ns = getNS($ns);

    if($path != '
        $path = $ns.':
        if($path == ':
    }else{
        //we did this already
        //looks like there is something wrong with the ACL
        //break here
        return $perm;
    }
}while(1); //this should never loop endless

// ~~~~~~~~~~~~~~
// END IP ACL Mod
// ~~~~~~~~~~~~~~</code>
+ | |||
====== Install Instructions for the 2006-03-09b release ======
In function auth_aclcheck,

It's slightly tricky to set up the permissions,
<code php>
somenamespace:
</code>
It will override something like:
<code php>
*
</code>
That means you won't get read access in "

Here's the code to insert after the "
<code php>
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// IP ACL Mod - Max Khitrov <
// Modified by Scott Gilbertson to work with a newer DokuWiki version
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// First we get the IP of the client
$user_ip = $_SERVER['REMOTE_ADDR'];

// Take all ACL entries that begin with % and see if they can be matched to
// the client'
$matches = preg_grep('/
if(count($matches)){
    foreach($matches as $match){
        $match = preg_replace('/#
        if ($match == ''
            continue;
        $acl = preg_split('/
        $acl[1] = substr($acl[1],
        if (strpos($acl[1],
            // This is an exact IP entry, see if it matches the user IP
            if ($user_ip == $acl[1]) {
                $perm = $acl[2];
            }
        } else {
            // This is a network entry
            $ip = preg_split('/

            if ((ip2long($user_ip) & ~(pow(2, 32-$ip[1])-1)) == (ip2long($ip[0]) & ~(pow(2, 32-$ip[1])-1))) {
                $perm = $acl[2];
            }
        }

        if($perm > -1){
            //we had a match - return it
            return $perm;
        }
    }
}

$matches = preg_grep('/
if(count($matches)){
    foreach($matches as $match){
        $match = preg_replace('/#
        if ($match == ''
            continue;

        $acl = preg_split('/
        if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE;

        $acl[1] = substr($acl[1],

        if (strpos($acl[1],
            // This is an exact IP entry, see if it matches the user IP
            if ($user_ip == $acl[1])
                if($acl[2] > $perm)
                    $perm = $acl[2];
        } else {
            // This is a network entry
            $ip = preg_split('/

            if ((ip2long($user_ip) & ~(pow(2, 32-$ip[1])-1)) == (ip2long($ip[0]) & ~(pow(2,
                if($acl[2] > $perm)
                    $perm = $acl[2];
        }
    }
    //we had a match - return it
    //return $perm;
}

// ~~~~~~~~~~~~~~
// END IP ACL Mod
// ~~~~~~~~~~~~~~

</code>

====== Another (simpler) approach ======

If you don't need netmask support, but you can live with simpler class-network granularity,
  * ''
  * ''
  * ''
  * ''

This means, if you want to give rights (only) to users from Apple, you would use the ACL Plugin to set the rights for the group ''"

To patch the 2010-11-07 version of dokuwiki, replace the lines 509-518 of ''
(To patch the 2007-06-26 version, replace the lines 363-372)

<code php>
// --- patch to allow IP-Based access rights (replaces original lines 363-372) ----
//add ALL group
$groups[] = '
//add IP-based groups:
$ip = explode('
$groups[] = '
$groups[] = '
$groups[] = '
$groups[] = '
if ($user){
    //add User
    $groups[] = $user;
}
//build regexp
$regexp
// --- End of Patch ----
</code>

Please mail remarks, suggestions etc. to <
tips/ipacl.txt · Last modified: 2011-03-21 08:53 by 77.11.93.133