Groups restrict ip whitelist now is a csv list. Closes #1116

directus · Jul 28, 2016 · 6cb5614 · 6cb5614
1 parent 7f92b4d
commit 6cb5614
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 22 deletions.
diff --git a/api/api.php b/api/api.php
@@ -163,6 +163,20 @@
             $user = $user->toArray();
             $user = reset($user);
 
+            // ------------------------------
+            // Check if group needs whitelist
+            $groupId = $user['group'];
+            $directusGroupsTableGateway = new DirectusGroupsTableGateway($acl, $ZendDb);
+            if (!$directusGroupsTableGateway->acceptIP($groupId, $app->request->getIp())) {
+                $app->contentType('application/javascript');
+                $app->response->setStatus(401);
+                JsonView::render([
+                    'message' => 'Request not allowed from IP address',
+                    'success' => false
+                ]);
+                $app->stop();
+            }
+
             // Uf the request it's done by authentication
             // Store the session information in a global variable
             // And we retrieve this information back to session at the end of the execution.
@@ -320,18 +334,13 @@
     // Check if group needs whitelist
     $groupId = $user['group'];
     $directusGroupsTableGateway = new DirectusGroupsTableGateway($acl, $ZendDb);
-    $group = $directusGroupsTableGateway->find($groupId);
-
-    // if (1 == $group['restrict_to_ip_whitelist']) {
-    //     $directusIPWhitelist = new DirectusIPWhitelist($acl, $ZendDb);
-    //     if (!$directusIPWhitelist->hasIP($_SERVER['REMOTE_ADDR'])) {
-    //         return JsonView::render(array(
-    //             'message' => 'Request not allowed from IP address',
-    //             'success' => false,
-    //             'all_nonces' => $requestNonceProvider->getAllNonces()
-    //         ));
-    //     }
-    // }
+    if (!$directusGroupsTableGateway->acceptIP($groupId, $app->request->getIp())) {
+        return JsonView::render([
+            'message' => 'Request not allowed from IP address',
+            'success' => false,
+            'all_nonces' => $requestNonceProvider->getAllNonces()
+        ]);
+    }
 
     if (!$user) {
         return JsonView::render($response);

diff --git a/api/core/Directus/Db/TableGateway/DirectusGroupsTableGateway.php b/api/core/Directus/Db/TableGateway/DirectusGroupsTableGateway.php
@@ -9,19 +9,40 @@
 use Zend\Db\Sql\Sql;
 use Zend\Db\Adapter\Adapter;
 
-class DirectusGroupsTableGateway extends AclAwareTableGateway {
-
+class DirectusGroupsTableGateway extends AclAwareTableGateway
+{
     public static $_tableName = "directus_groups";
 
-    public function __construct(Acl $acl, AdapterInterface $adapter) {
+    public function __construct(Acl $acl, AdapterInterface $adapter)
+    {
         parent::__construct($acl, self::$_tableName, $adapter);
     }
 
     // @todo sanitize parameters and implement ACL
-    public function findUserByFirstOrLastName($tokens) {
+    public function findUserByFirstOrLastName($tokens)
+    {
         $tokenString = implode("|", $tokens);
         $sql = "SELECT id, 'directus_groups' as type, name from `directus_groups` WHERE `name` REGEXP '^($tokenString)'";
         $result = $this->adapter->query($sql, Adapter::QUERY_MODE_EXECUTE);
         return $result->toArray();
     }
+
+    public function acceptIP($groupID, $ipAddress)
+    {
+        $group = $this->find($groupID);
+        if (!$group) {
+            return false;
+        }
+
+        if (!$group['restrict_to_ip_whitelist']) {
+            return true;
+        }
+
+        $groupIPAddresses = explode(',', $group['restrict_to_ip_whitelist']);
+        if (in_array($ipAddress, $groupIPAddresses)) {
+            return true;
+        }
+
+        return false;
+    }
 }
diff --git a/api/migrations/schema/20150203221946_CreateDirectusGroupsTable.php b/api/migrations/schema/20150203221946_CreateDirectusGroupsTable.php
@@ -37,10 +37,8 @@ public function up()
         "default"=>NULL
         )
       );
-      $t->column("restrict_to_ip_whitelist", "tinyinteger", array(
-        "limit" => 1,
-        "null" => false,
-        "default" => 0
+      $t->column("restrict_to_ip_whitelist", "text", array(
+        "null" => true,
         )
       );
       $t->finish();

diff --git a/api/migrations/upgrades/20160728145005_UpdateDirectusGroupsIPWhitelistColumn.php b/api/migrations/upgrades/20160728145005_UpdateDirectusGroupsIPWhitelistColumn.php
@@ -0,0 +1,21 @@
+<?php
+use Ruckusing\Migration\Base as Ruckusing_Migration_Base;
+
+class UpdateDirectusGroupsIPWhitelistColumn extends Ruckusing_Migration_Base
+{
+    public function up()
+    {
+        $this->change_column('directus_groups', 'restrict_to_ip_whitelist', 'text', array(
+            'null' => true
+        ));
+    }//up()
+
+    public function down()
+    {
+        $this->change_column('directus_groups', 'restrict_to_ip_whitelist', 'tinyinteger', array(
+            'limit' => 1,
+            'null' => false,
+            'default' => 0
+        ));
+    }//down()
+}
diff --git a/api/schema.sql b/api/schema.sql
@@ -127,7 +127,7 @@ CREATE TABLE `directus_groups` (
   `id` int unsigned NOT NULL AUTO_INCREMENT,
   `name` varchar(100) DEFAULT NULL,
   `description` varchar(500) DEFAULT NULL,
-  `restrict_to_ip_whitelist` tinyint(1) NOT NULL DEFAULT '0',
+  `restrict_to_ip_whitelist` TEXT DEFAULT NULL,
   `show_activity` tinyint(1) NOT NULL DEFAULT '1',
   `show_messages` tinyint(1) NOT NULL DEFAULT '1',
   `show_users` tinyint(1) NOT NULL DEFAULT '1',
@@ -141,7 +141,7 @@ LOCK TABLES `directus_groups` WRITE;
 
 INSERT INTO `directus_groups` (`id`, `name`, `description`, `restrict_to_ip_whitelist`, `show_activity`, `show_messages`, `show_users`, `show_files`, `nav_override`)
 VALUES
-  (1,'Administrator',NULL,0,1,1,1,1,NULL);
+  (1,'Administrator',NULL,NULL,1,1,1,1,NULL);
 
 /*!40000 ALTER TABLE `directus_groups` ENABLE KEYS */;
 UNLOCK TABLES;