Improve client IP check

www/htdocs/central/common/inc_ip_check.php

@@ -1,14 +1,17 @@
 <?php
 /* Modifications
 2026-03-11 Created fho4abcd
+2026-03-12 fho4abcd Moved code to functions to avoid undesired interactions
 ** Description
-This script is intended to allow only access to a database from allowed client IP addresses.
-Default all clients are allowed.
+This file contains functions intended to allow only access to a database from allowed client IP addresses.
 
 Configuration by dr_path.def parameter "VALID_IP"
 For databases with restricted access this parameter contains the valid external IP addresses
 If no valid IP addresses are known fill this parameter with "none".
 Clients on the local network of the server are always allowed
+The check function shows a warning:
+The script calling the functions must take action to disallow the actual access.
+See inicio.php for an example
 */
 function getClientIP() {
     /*
@@ -47,9 +50,14 @@ function getClientIP() {
     // Fallback: return "unknown" if no valid IP found
     return 'unknown';
 }
-/*********** Main code to check for a valid IP  *******/
-if ( isset($arrHttp['base'])) {
-	$clientIP = getClientIP();
+/***** function to check the IP
+** Used to isolate the used variables from the including file
+** Returns true if IP check is not configured
+** Returns true if IP is valid
+** Returns fals if IP is invalid
+*/
+function checkClientIP($clientIP, $database) {
+	global $db_path, $msgstr;
 	//debug: echo "Client IP: " . $clientIP."<br>";
 	/*
 	** In IPv4, link-local addresses fall within the range of 169.254.0.0 to 169.254.255.255.
@@ -58,13 +66,13 @@ function getClientIP() {
 	if ( strpos($clientIP, "fe80::") === 0 || strpos($clientIP, "169.254.") === 0 ) {
 		//debug: echo "Link-Local Address<br>";
 	} else {
-		$dr_path_file = $db_path . $arrHttp['base'] . "/dr_path.def";
+		$dr_path_file = $db_path . $database . "/dr_path.def";
 		if (file_exists($dr_path_file)) {
-			$def = parse_ini_file($dr_path_file);
+			$deflocal = parse_ini_file($dr_path_file);
 			// Check if IP is mentioned
-			if ( isset($def["VALID_IP"]) ) {
+			if ( isset($deflocal["VALID_IP"]) ) {
 				$allowed = false;
-				$validIPs = explode( ",", $def["VALID_IP"]);
+				$validIPs = explode( ",", $deflocal["VALID_IP"]);
 				for ( $i=0; $i<count($validIPs); $i++ ) {
 					if ( $clientIP == $validIPs[$i] ) {
 						$allowed = true;
@@ -74,14 +82,15 @@ function getClientIP() {
 				if ( $allowed === false ) {?>
 					<div id="ip_not_allowed" style="width: 100%; background-color: #ffc107; text-align: center;">
 					<?php
-					echo $msgstr["clientip"]." (".$clientIP.") ".$msgstr["invalidfordb"]." ".$arrHttp['base']."<br>";
+					echo $msgstr["clientip"]." (".$clientIP.") ".$msgstr["invalidfordb"]." ".$database."<br>";
 					?>	
 					</div><?php
-					// Next statement forces reselection
-					$arrHttp['base']="";
+					// Next value should force inhibiting actions in the calling code
+					return false;
 				}
 			}
 		}
 	}
+	return true;
 }
 ?>

www/htdocs/central/common/inicio.php

@@ -15,6 +15,7 @@
 2025-10-14 fho4abcd Regenerate sessionid after login to reduce session fixation attacks
 2025-10-15 fho4abcd Improve switch to error page in case of expired/lost session
 2026-03-11 fho4abcd Added ip check
+2026-03-12 fho4abcd Improved ip check
 */
 global $Permiso, $arrHttp,$valortag,$nombre;
 $arrHttp=Array();
@@ -326,6 +327,15 @@ function VerificarUsuarioLDAP(){
 }
 $Permiso=$_SESSION["permiso"];
 if (isset($_SESSION["meta_encoding"])) $meta_encoding=$_SESSION["meta_encoding"];
-include ("inc_ip_check.php");
+/*
+Check Client IP if a database is set
+*/
+if ( isset($arrHttp['base'])) {
+	include ("inc_ip_check.php");
+	$clientIP = getClientIP();
+	if ( checkClientIP( $clientIP, $arrHttp['base'] ) === false ) {
+		unset( $arrHttp['base'] );
+	}
+}
 include("homepage.php");
-
+?>

www/htdocs/central/lang/00/dbadmin.tab

@@ -545,7 +545,7 @@ set_TIP_DIRTREE_EXT=Sets the file extensions that are allowed to be displayed wh
 set_TIP_CHANGE_PASSWORD=Allows operators to change their password.
 set_TIP_SECURE_PASSWORD_LENGTH=Minimum length that the access key must have to be considered valid.
 set_TIP_SECURE_PASSWORD_LEVEL=Security level to be assigned to the password according to the following possibilities:<br>0 Verifies only that the key is present;<br>1 Verifies that the key complies with the length established in the  SECURE_PASSWORD_LENGTH parameter;<br>2 In addition to the above, it verifies that there is a lowercase alphabetic character;<br>3 In addition to the above, it verifies that there is at least one numeric character;<br>4 In addition to the above, check that there is at least one uppercase letter;<br>5 In addition to the above, check that there is at least one special character: .,!@#$%^&*?_~\-().
-set_TIP_VALID_IP=Valid client IP's, separated by comma (,). Empty value allows all addresses, Link-Local Address are always allowed.
+set_TIP_VALID_IP=Valid internet client IP's, separated by comma (,). Empty value allows all addresses.<br>Link-Local Addresses are always allowed. To limit valid adresses only to local adresses enter 'None'
 set_ROOT=Define where linked documents will be stored
 set_TIP_ROOT=Indicate the full path to the top folder for linked documents.<br>Suggestion: %path_database%
 set_COLLECTION=Define where digital documents will be stored.