diff --git a/api/api.php b/api/api.php
index 146e0d001f6c7..53f624a457458 100644
--- a/api/api.php
+++ b/api/api.php
@@ -163,6 +163,20 @@
 $user = $user->toArray();
 $user = reset($user);
+ // ------------------------------
+ // Check if group needs whitelist
+ $groupId = $user['group'];
+ $directusGroupsTableGateway = new DirectusGroupsTableGateway($acl, $ZendDb);
+ if (!$directusGroupsTableGateway->acceptIP($groupId, $app->request->getIp())) {
+ $app->contentType('application/javascript');
+ $app->response->setStatus(401);
+ JsonView::render([
+ 'message' => 'Request not allowed from IP address',
+ 'success' => false
+ ]);
+ $app->stop();
+ }
+
 // Uf the request it's done by authentication
 // Store the session information in a global variable
 // And we retrieve this information back to session at the end of the execution.
@@ -320,18 +334,13 @@
 // Check if group needs whitelist
 $groupId = $user['group'];
 $directusGroupsTableGateway = new DirectusGroupsTableGateway($acl, $ZendDb);
- $group = $directusGroupsTableGateway->find($groupId);
-
- // if (1 == $group['restrict_to_ip_whitelist']) {
- // $directusIPWhitelist = new DirectusIPWhitelist($acl, $ZendDb);
- // if (!$directusIPWhitelist->hasIP($_SERVER['REMOTE_ADDR'])) {
- // return JsonView::render(array(
- // 'message' => 'Request not allowed from IP address',
- // 'success' => false,
- // 'all_nonces' => $requestNonceProvider->getAllNonces()
- // ));
- // }
- // }
+ if (!$directusGroupsTableGateway->acceptIP($groupId, $app->request->getIp())) {
+ return JsonView::render([
+ 'message' => 'Request not allowed from IP address',
+ 'success' => false,
+ 'all_nonces' => $requestNonceProvider->getAllNonces()
+ ]);
+ }
 if (!$user) {
 return JsonView::render($response);
diff --git a/api/core/Directus/Db/TableGateway/DirectusGroupsTableGateway.php b/api/core/Directus/Db/TableGateway/DirectusGroupsTableGateway.php
index 5883f89f7c82d..27c25f131a89e 100644
--- a/api/core/Directus/Db/TableGateway/DirectusGroupsTableGateway.php
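Review bot: The whitelist check trusts `$app->request->getIp()`, and if this is Slim 2's `Request::getIp()` (the `$app->stop()` and `contentType()` calls suggest it) that method returns the `X-Forwarded-For` or `Client-Ip` header before falling back to `REMOTE_ADDR`, so a caller outside the whitelist can satisfy the check by supplying a forged `X-Forwarded-For` header unless a trusted proxy in front of the application overwrites it; the second hunk in this file (`@@ -320,18 +334,13 @@`) has the same exposure. Unless the deployment guarantees such a proxy, pass the peer address instead, `$clientIp = $_SERVER['REMOTE_ADDR'];` and `acceptIP($groupId, $clientIp)`, and only honor a forwarded header when `REMOTE_ADDR` is one of a configured list of proxy addresses. Two smaller points on the rejection branch: the body is JSON but is sent as `application/javascript`, and 401 denotes missing or invalid credentials whereas a policy denial for an authenticated user is 403, so `$app->response->setStatus(403)` would be more accurate; the second hunk's rejection sets no status at all, so the two denials are also inconsistent with each other. The enclosing callback starts and ends outside the hunk.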
+++ b/api/core/Directus/Db/TableGateway/DirectusGroupsTableGateway.php
@@ -9,19 +9,40 @@
 use Zend\Db\Sql\Sql;
 use Zend\Db\Adapter\Adapter;
-class DirectusGroupsTableGateway extends AclAwareTableGateway {
-
+class DirectusGroupsTableGateway extends AclAwareTableGateway
+{
 public static $_tableName = "directus_groups";
- public function __construct(Acl $acl, AdapterInterface $adapter) {
+ public function __construct(Acl $acl, AdapterInterface $adapter)
+ {
 parent::__construct($acl, self::$_tableName, $adapter);
 }
 // @todo sanitize parameters and implement ACL
- public function findUserByFirstOrLastName($tokens) {
+ public function findUserByFirstOrLastName($tokens)
+ {
 $tokenString = implode("|", $tokens);
 $sql = "SELECT id, 'directus_groups' as type, name from `directus_groups` WHERE `name` REGEXP '^($tokenString)'";
 $result = $this->adapter->query($sql, Adapter::QUERY_MODE_EXECUTE);
 return $result->toArray();
 }
+
+ public function acceptIP($groupID, $ipAddress)
+ {
+ $group = $this->find($groupID);
+ if (!$group) {
+ return false;
+ }
+
+ if (!$group['restrict_to_ip_whitelist']) {
+ return true;
+ }
+
+ $groupIPAddresses = explode(',', $group['restrict_to_ip_whitelist']);
+ if (in_array($ipAddress, $groupIPAddresses)) {
+ return true;
+ }
+
+ return false;
+ }
 }
diff --git a/api/migrations/schema/20150203221946_CreateDirectusGroupsTable.php b/api/migrations/schema/20150203221946_CreateDirectusGroupsTable.php
index df6f8f13e8abc..1abdff4aff895 100644
--- a/api/migrations/schema/20150203221946_CreateDirectusGroupsTable.php
+++ b/api/migrations/schema/20150203221946_CreateDirectusGroupsTable.php
@@ -37,10 +37,8 @@ public function up()
 "default"=>NULL
 )
 );
- $t->column("restrict_to_ip_whitelist", "tinyinteger", array(
- "limit" => 1,
- "null" => false,
- "default" => 0
+ $t->column("restrict_to_ip_whitelist", "text", array(
+ "null" => true,
 )
 );
 $t->finish();
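Review bot: `acceptIP` splits the stored whitelist on a bare comma and then matches with an untrimmed, loose `in_array`, so a value saved as `10.0.0.1, 10.0.0.2` never matches its second entry (the element is ` 10.0.0.2`) and that group is silently denied; trim each entry and compare strictly: `$groupIPAddresses = array_map('trim', explode(',', $group['restrict_to_ip_whitelist']));` and `if (in_array($ipAddress, $groupIPAddresses, true)) {`. The method also has to cope with rows migrated from the old tinyint column: a group that had the flag set now holds the text `'1'`, which this code reads as a whitelist containing only the address `1`, denying every request for that group until an operator edits the row (rows holding `'0'` pass only because that string is falsy in PHP). Since the column is free text with no validation on write, a `filter_var($entry, FILTER_VALIDATE_IP)` check where whitelists are saved, and normalizing IPv6 before comparison (`::1` and `0:0:0:0:0:0:0:1` are different strings), would make the deny decision predictable. A docblock stating the contract would help too: `/** True when $ipAddress is allowed for group $groupID: no whitelist configured, or the address is listed; false for an unknown group. */`.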
diff --git a/api/migrations/upgrades/20160728145005_UpdateDirectusGroupsIPWhitelistColumn.php b/api/migrations/upgrades/20160728145005_UpdateDirectusGroupsIPWhitelistColumn.php
new file mode 100644
index 0000000000000..93ffcd53b9a67
--- /dev/null
+++ b/api/migrations/upgrades/20160728145005_UpdateDirectusGroupsIPWhitelistColumn.php
@@ -0,0 +1,21 @@
+change_column('directus_groups', 'restrict_to_ip_whitelist', 'text', array(
+ 'null' => true
+ ));
+ }//up()
+
+ public function down()
+ {
+ $this->change_column('directus_groups', 'restrict_to_ip_whitelist', 'tinyinteger', array(
+ 'limit' => 1,
+ 'null' => false,
+ 'default' => 0
+ ));
+ }//down()
+}
diff --git a/api/schema.sql b/api/schema.sql
index 6fd21738c5893..3eeebae253c95 100644
--- a/api/schema.sql
+++ b/api/schema.sql
@@ -127,7 +127,7 @@ CREATE TABLE `directus_groups` (
 `id` int unsigned NOT NULL AUTO_INCREMENT,
 `name` varchar(100) DEFAULT NULL,
 `description` varchar(500) DEFAULT NULL,
- `restrict_to_ip_whitelist` tinyint(1) NOT NULL DEFAULT '0',
+ `restrict_to_ip_whitelist` TEXT DEFAULT NULL,
 `show_activity` tinyint(1) NOT NULL DEFAULT '1',
 `show_messages` tinyint(1) NOT NULL DEFAULT '1',
 `show_users` tinyint(1) NOT NULL DEFAULT '1',
@@ -141,7 +141,7 @@ LOCK TABLES `directus_groups` WRITE;
 INSERT INTO `directus_groups` (`id`, `name`, `description`, `restrict_to_ip_whitelist`, `show_activity`, `show_messages`, `show_users`, `show_files`, `nav_override`) VALUES
- (1,'Administrator',NULL,0,1,1,1,1,NULL);
+ (1,'Administrator',NULL,NULL,1,1,1,1,NULL);
 /*!40000 ALTER TABLE `directus_groups` ENABLE KEYS */;
 UNLOCK TABLES;