Hi Johnny,

On Monday 2 December 2013 14:59:25, Johnny Mariéthoz wrote:
> > allow from "2014-01-01"
> > allow remote_ip "192.168.0.1"
> > deny any
> > 
> > (be careful, you had allow any in your example. That would match any
> > user).
> I don't think that this does the job. It looks like these rules prevent any access
> (except for the admin) until the 2014-01-01 and allow access to it only to
> 192.168.0.1 after this date. In my case I want to allow 192.168.0.1 to
> access this file at any date and to all after the 2014-01-01.

Mmh.. maybe swapping them should do the trick:

[...]
allow remote_ip "192.168.0.1"
allow from "2014-01-01"
allow any
[...]

If the user is internal, then the first row would match and the user would be 
authorized. Otherwise the second row would be applied, and if the time matches 
it would read the third row which would actually authorize the user.

> Hmm, I'm not sure that is the right approach as usually the user is not
> logged in. Can I add user_preferences to the guest account based on the
> remote_ip?
> 
> My problem is the following:
> I have several institutions in RERO DOC. For each I have a list of IP
> ranges. I already use this for the restriction (the "status" flag). Can I
> use this configuration in the firerole rules, as I want to "centralize" the
> ip configuration.

This calls for a new feature. Maybe we can define a new parameter, say:

CFG_INTRANET_DEFINITION 

defined as a list of network ranges.

Then we can extend webuser.collect_user_info to use this new config variable 
and set up a new key in user_info which could then be consumed in firerole 
rules...

Cheers!
        Sam

-- 
Samuele Kaplun
Invenio Developer ** <http://invenio-software.org/>
INSPIRE Service Manager ** <http://inspirehep.net/>
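
Added example, not part of the original message and not Invenio code: a sketch of the proposal above, where a centrally configured CFG_INTRANET_DEFINITION list of network ranges is used to set a key in user_info. The sample ranges are constructed, and the function names, the "intranet" key and the presence of "remote_ip" in user_info are assumptions.

```python
import ipaddress

# Constructed sample value for the proposed CFG_INTRANET_DEFINITION setting.
CFG_INTRANET_DEFINITION = ["192.168.0.0/24", "10.20.0.0/16", "2001:db8:1::/48"]


def parse_intranet_definition(ranges):
    """Parse the configured ranges once; a malformed entry raises ValueError
    at load time instead of silently widening or narrowing access later."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def is_intranet(remote_ip, networks):
    """Return True only if remote_ip parses and lies inside a configured range."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # fail closed on empty, malformed or multi-valued input
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in networks)


def annotate_user_info(user_info, networks):
    """Hypothetical hook: return a copy of user_info with an 'intranet' flag
    (assumed key name) that an access rule could then consume."""
    annotated = dict(user_info)
    annotated["intranet"] = is_intranet(user_info.get("remote_ip", ""), networks)
    return annotated


if __name__ == "__main__":
    nets = parse_intranet_definition(CFG_INTRANET_DEFINITION)
    for ip in ("192.168.0.1", "192.168.1.1", "::ffff:10.20.3.4", "not-an-ip"):
        print(ip, annotate_user_info({"remote_ip": ip}, nets)["intranet"])
```

The flag is only as trustworthy as the remote_ip value it is derived from, so that value should be the address the server itself observed.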
