Hello Samuele,

On 2 Dec 2013, at 15:43, Samuele Kaplun <[email protected]> wrote:

> Hi Johnny,
> 
> On Monday 2 December 2013 14:59:25, Johnny Mariéthoz wrote:
>>> allow from "2014-01-01"
>>> allow remote_ip "192.168.0.1"
>>> deny any
>>> 
>>> (be careful, you had allow any in your example. That would match any
>>> user).
>> I don't think that this does the job. It looks like these rules prevent any
>> access (except for the admin) until the 2014-01-01 and allow access to it
>> only to 192.168.0.1 after this date. In my case I want to allow 192.168.0.1
>> to access this file at any date and to all after the 2014-01-01.
> 
> Mmh.. maybe swapping them should do the trick:
> 
> [...]
> allow remote_ip "192.168.0.1"
> allow from "2014-01-01"
> allow any
> [...]
> 

This is exactly that!

> if the user is internal, then the first row would match and the user would be
> authorized. Otherwise the second row would be applied, and if the time
> matches it would read the third row which would actually authorize the user.
> 
>> Hmm, I'm not sure that is the right approach as usually the user is not
>> logged in. Can I add user_preferences to the guest account based on the
>> remote_ip?
>> 
>> My problem is the following:
>> I have several institutions in RERO DOC. For each I have a list of IP
>> ranges. I already use this for the restriction (the "status" flag). Can I
>> use this configuration in the firerole rules, as I want to "centralize" the
>> ip configuration.
> 
> This calls for a new feature. Maybe we can define a new parameter, say:
> 
> CFG_INTRANET_DEFINITION 
> 
> defined as a list of network ranges.
> 
> Then we can extend webuser.collect_user_info to use this new config variable 
> and set up a new key in user_info which could then be consumed in firerole 
> rules...

Why not enrich the user_info with the list of the roles that he belongs to:

from access_control_admin import (acc_get_user_roles_from_user_info,
                                  acc_get_role_name)
user_info["roles"] = [acc_get_role_name(v)
                      for v in acc_get_user_roles_from_user_info(user_info)]

and use it in the firerole rules?

Regards,
> 
> Cheers!
>       Sam
> 
> -- 
> Samuele Kaplun
> Invenio Developer ** <http://invenio-software.org/>
> INSPIRE Service Manager ** <http://inspirehep.net/>
