Added checkAccessCallback in order to allow custom access checks

samdark · Mar 4, 2016 · 2508d87 · 2508d87
1 parent 0ddf839
commit 2508d87
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 5 deletions.
diff --git a/Module.php b/Module.php
@@ -2,6 +2,7 @@
 namespace samdark\webshell;
 
 use Yii;
+use yii\base\Action;
 use yii\web\ForbiddenHttpException;
 
 /**
@@ -53,6 +54,17 @@ class Module extends \yii\base\Module
      */
     public $allowedIPs = ['127.0.0.1', '::1'];
 
+    /**
+     * @var callable A valid PHP callback that returns true if user is allowed to use web shell and false otherwise
+     *
+     * The signature is the following:
+     *
+     * function (Action $action)
+     *
+     * @since 2.0.0
+     */
+    public $checkAccessCallback;
+
     /**
      * @inheritdoc
      */
@@ -71,7 +83,7 @@ public function beforeAction($action)
             return false;
         }
 
-        if (Yii::$app instanceof \yii\web\Application && !$this->checkAccess()) {
+        if (Yii::$app instanceof \yii\web\Application && !$this->checkAccess($action)) {
             throw new ForbiddenHttpException('You are not allowed to access this page.');
         }
 
@@ -81,16 +93,28 @@ public function beforeAction($action)
     /**
      * @return boolean whether the module can be accessed by the current user
      */
-    protected function checkAccess()
+    protected function checkAccess(Action $action)
     {
+        $allowed = false;
+
         $ip = Yii::$app->getRequest()->getUserIP();
         foreach ($this->allowedIPs as $filter) {
             if ($filter === '*' || $filter === $ip || (($pos = strpos($filter, '*')) !== false && !strncmp($ip, $filter, $pos))) {
-                return true;
+                $allowed = true;
+                break;
             }
         }
-        Yii::warning('Access to web shell is denied due to IP address restriction. The requested IP is ' . $ip, __METHOD__);
 
-        return false;
+        if ($allowed === false) {
+            Yii::warning('Access to web shell is denied due to IP address restriction. The requested IP is ' . $ip, __METHOD__);
+            return false;
+        }
+
+        if ($this->checkAccessCallback !== null && call_user_func_array($this->checkAccessCallback, [$action]) !== true) {
+            Yii::warning('Access to web shell is denied due to checkAccessCallback.', __METHOD__);
+            return false;
+        }
+
+        return true;
     }
 }
diff --git a/README.md b/README.md
@@ -44,3 +44,24 @@ return [
 With the above configuration, you will be able to access web shell in your browser using
 the URL `http://localhost/path/to/index.php?r=webshell`
 
+Access control
+--------------
+
+By default access is restricted to local IPs. It could be changed via `allowedIPs` property. Additionally,
+`checkAccessCallback` is available to be able to introduce custom access control:
+
+```php
+return [
+    'modules' => [
+        'webshell' => [
+            'class' => 'samdark\webshell\Module',
+            // 'yiiScript' => Yii::getAlias('@root'). '/yii', // adjust path to point to your ./yii script
+            'allowedIPs' => ['127.0.0.1', '::1', '192.168.0.2'],
+            'checkAccessCallback' => function (\yii\base\Action $action) {
+                // return true if access is granted or false otherwise
+                return true;
+            }
+        ],
+    ],
+]
+```