Author: sevein
Date: Mon Jan 30 21:52:50 2012
New Revision: 10783
Log:
Add QubitLimitIp filter, configurable via QubitSetting limit_admin_ip. Fixes
issue 2228
Added:
trunk/lib/filter/QubitLimitIp.class.php
Modified:
trunk/apps/qubit/config/filters.yml
trunk/apps/qubit/modules/settings/actions/listAction.class.php
trunk/apps/qubit/modules/sfInstallPlugin/config/filters.yml
trunk/data/fixtures/settings.yml
trunk/lib/form/SettingsSecurityForm.class.php
trunk/plugins/qtSwordPlugin/modules/qtSwordPlugin/config/filters.yml
Modified: trunk/apps/qubit/config/filters.yml
==============================================================================
--- trunk/apps/qubit/config/filters.yml Mon Jan 30 21:50:53 2012 (r10782)
+++ trunk/apps/qubit/config/filters.yml Mon Jan 30 21:52:50 2012 (r10783)
@@ -8,15 +8,16 @@
class: sfHistoryPluginFilter
rendering: ~
-security: ~
+security: ~
-# insert your own filters here
settings:
class: QubitSettingsFilter
-# Must be executed after QubitSettingsFilter
+QubitLimitIp:
+ class: QubitLimitIpFilter
+
QubitSslRequirement:
class: QubitSslRequirementFilter
-cache: ~
+cache: ~
execution: ~
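Review bot: The ordering comment `# Must be executed after QubitSettingsFilter` is dropped just where a second order-dependent filter is added below `settings:`. QubitLimitIpFilter reads `sfConfig::get('app_limit_admin_ip')`, which is presumably populated by QubitSettingsFilter, and it passes the request through when that value is empty, so moving the entry above `settings:` would silently turn the restriction off. Keep a comment above the new entry, for example `# QubitLimitIp and QubitSslRequirement must run after QubitSettingsFilter (they read app_* settings)`.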
Modified: trunk/apps/qubit/modules/settings/actions/listAction.class.php
==============================================================================
--- trunk/apps/qubit/modules/settings/actions/listAction.class.php Mon Jan
30 21:50:53 2012 (r10782)
+++ trunk/apps/qubit/modules/settings/actions/listAction.class.php Mon Jan
30 21:52:50 2012 (r10783)
@@ -655,10 +655,12 @@
*/
protected function populateSecurityForm()
{
+ $limitAdminIp = QubitSetting::getSettingByName('limit_admin_ip');
$requireSslAdmin = QubitSetting::getSettingByName('require_ssl_admin');
$requireStrongPasswords =
QubitSetting::getSettingByName('require_strong_passwords');
$this->securityForm->setDefaults(array(
+ 'limit_admin_ip' => (isset($limitAdminIp)) ?
$limitAdminIp->getValue(array('sourceCulture'=>true)) : null,
'require_ssl_admin' => (isset($requireSslAdmin)) ?
intval($requireSslAdmin->getValue(array('sourceCulture'=>true))) : 1,
'require_strong_passwords' => (isset($requireStrongPasswords)) ?
intval($requireStrongPasswords->getValue(array('sourceCulture'=>true))) : 1
));
@@ -671,6 +673,16 @@
{
$thisForm = $this->securityForm;
+ // Limit admin IP
+ if (null !== $limitAdminIp = $thisForm->getValue('limit_admin_ip'))
+ {
+ $setting = QubitSetting::getSettingByName('limit_admin_ip');
+
+ // Force sourceCulture update to prevent discrepency in settings between
cultures
+ $setting->setValue($limitAdminIp, array('sourceCulture' => true));
+ $setting->save();
+ }
+
// Require SSL for admin funcionality
if (null !== $requireSslAdmin = $thisForm->getValue('require_ssl_admin'))
{
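Review bot: `QubitSetting::getSettingByName('limit_admin_ip')` is dereferenced on the following line without a null check, so `$setting->setValue()` will fail fatally if the row does not exist. The previous hunk guards the same lookup with `isset($limitAdminIp)`, which suggests a missing row is expected, for instance on an existing install that never loaded the new `QubitSetting_limitAdminIp` fixture. Create the setting (or skip the save) when the lookup returns null before calling `setValue()`. The enclosing method starts and ends outside the hunk, so whether the neighbouring settings handle this case cannot be seen here.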
Modified: trunk/apps/qubit/modules/sfInstallPlugin/config/filters.yml
==============================================================================
--- trunk/apps/qubit/modules/sfInstallPlugin/config/filters.yml Mon Jan 30
21:50:53 2012 (r10782)
+++ trunk/apps/qubit/modules/sfInstallPlugin/config/filters.yml Mon Jan 30
21:52:50 2012 (r10783)
@@ -1,16 +1,16 @@
transaction: ~
-
history: ~
-
rendering: ~
-security: ~
+security: ~
-# insert your own filters here
settings:
enabled: false
+QubitLimitIp:
+ enabled: false
+
QubitSslRequirement:
enabled: false
-cache: ~
+cache: ~
execution: ~
Modified: trunk/data/fixtures/settings.yml
==============================================================================
--- trunk/data/fixtures/settings.yml Mon Jan 30 21:50:53 2012 (r10782)
+++ trunk/data/fixtures/settings.yml Mon Jan 30 21:52:50 2012 (r10783)
@@ -375,3 +375,6 @@
QubitSetting_requireStrongPasswords:
name: require_strong_passwords
value: 0
+ QubitSetting_limitAdminIp:
+ name: limit_admin_ip
+ value: ''
Added: trunk/lib/filter/QubitLimitIp.class.php
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ trunk/lib/filter/QubitLimitIp.class.php Mon Jan 30 21:52:50 2012
(r10783)
@@ -0,0 +1,97 @@
+<?php
+
+/*
+ * This file is part of Qubit Toolkit.
+ *
+ * Qubit Toolkit is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Qubit Toolkit is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Qubit Toolkit. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+class QubitLimitIpFilter extends sfFilter
+{
+ public function execute($filterChain)
+ {
+ $this->context = $this->getContext();
+ $this->request = $this->context->getRequest();
+
+ $this->limit = sfConfig::get('app_limit_admin_ip');
+
+ # Pass if:
+ # - Debug mode is on
+ # - Setting "limit_admin_ip" is not set
+ # - The filter is forwarding to admin/secure (isFirstCall)
+ # - Route is user/logout
+ if ($this->context->getConfiguration()->isDebug() ||
+ !$this->limit ||
+ !$this->isFirstCall() ||
+ ('user' == $this->request->getParameter('module') && 'logout' ==
$this->request->getParameter('action')))
+ {
+ $filterChain->execute();
+
+ return;
+ }
+
+ # Forward to admin/secure if not allowed (only applies if user is
authenticated)
+ if ($this->context->user->isAuthenticated() && !$this->isAllowed())
+ {
+
$this->context->getController()->forward(sfConfig::get('sf_secure_module'),
sfConfig::get('sf_secure_action'));
+
+ throw new sfStopException();
+ }
+
+ $filterChain->execute();
+ }
+
+ protected function getRemoteAddress()
+ {
+ $this->pathInfo = $this->request->getPathInfoArray();
+
+ if (!empty($this->pathInfo["HTTP_CLIENT_IP"]))
+ {
+ return $this->pathInfo["HTTP_CLIENT_IP"];
+ }
+ else if (!empty($this->pathInfo["HTTP_X_FORWARDED_FOR"]))
+ {
+ return $this->pathInfo["HTTP_X_FORWARDED_FOR"];
+ }
+ else
+ {
+ return $this->pathInfo["REMOTE_ADDR"];
+ }
+ }
+
+ protected function isAllowed()
+ {
+ $limit = preg_split('/[,-]/', $this->limit);
+ $address = $this->getRemoteAddress();
+
+ // Single IP
+ if (1 == count($limit) && $address == $limit[0])
+ {
+ return true;
+ }
+ // Range
+ else if (2 == count($limit))
+ {
+ $address = ip2long($address);
+
+ if (ip2long($limit[0]) <= $address &&
+ ip2long($limit[1]) >= $address)
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
+}
Modified: trunk/lib/form/SettingsSecurityForm.class.php
==============================================================================
--- trunk/lib/form/SettingsSecurityForm.class.php Mon Jan 30 21:50:53
2012 (r10782)
+++ trunk/lib/form/SettingsSecurityForm.class.php Mon Jan 30 21:52:50
2012 (r10783)
@@ -32,22 +32,26 @@
{
// Build widgets
$this->setWidgets(array(
+ 'limit_admin_ip' => new sfWidgetFormInput,
'require_ssl_admin' => new
sfWidgetFormSelectRadio(array('choices'=>array(1=>'yes', 0=>'no')),
array('class'=>'radio')),
'require_strong_passwords' => new
sfWidgetFormSelectRadio(array('choices'=>array(1=>'yes', 0=>'no')),
array('class'=>'radio'))
));
// Add labels
$this->widgetSchema->setLabels(array(
+ 'limit_admin_ip' => __('Limit administrator functionality to a static IP
address or range'),
'require_ssl_admin' => __('Require SSL for all administrator
funcionality'),
'require_strong_passwords' => __('Require strong passwords')
));
// Add helper text
$this->widgetSchema->setHelps(array(
+ // 'limit_admin_ip' => __('')
// 'require_ssl_admin' => __('')
// 'require_strong_passwords' => __('')
));
+ $this->validatorSchema['limit_admin_ip'] = new
sfValidatorString(array('required' => false));
$this->validatorSchema['require_ssl_admin'] = new
sfValidatorInteger(array('required' => false));
$this->validatorSchema['require_strong_passwords'] = new
sfValidatorInteger(array('required' => false));
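Review bot: The `limit_admin_ip` validator is a plain `sfValidatorString`, so any text is stored, while QubitLimitIpFilter::isAllowed() in this commit only matches a single IPv4 address or two addresses separated by `,` or `-` and returns false for everything else. A mistyped value therefore denies every authenticated request outside debug mode, including the administrator who saved it. Validate the format before it is saved, for instance with an `sfValidatorCallback` that splits on the same separators and requires `ip2long()` to succeed on each part. The commented-out `'limit_admin_ip' => __('')` help entry should also be filled in with the accepted syntax. The enclosing method starts and ends outside the hunk.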
Modified: trunk/plugins/qtSwordPlugin/modules/qtSwordPlugin/config/filters.yml
==============================================================================
--- trunk/plugins/qtSwordPlugin/modules/qtSwordPlugin/config/filters.yml
Mon Jan 30 21:50:53 2012 (r10782)
+++ trunk/plugins/qtSwordPlugin/modules/qtSwordPlugin/config/filters.yml
Mon Jan 30 21:52:50 2012 (r10783)
@@ -1,26 +1,23 @@
httpAuthFilter:
class: qtSwordPluginHttpAuthFilter
-# Disable other filters
-# http://trac.symfony-project.org/ticket/1748
-
transaction:
- class: QubitTransactionFilter
- enabled: off
+ enabled: false
history:
- class: sfHistoryPluginFilter
- enabled: off
+ enabled: false
+
+rendering: ~
+security: ~
settings:
- class: QubitSettingsFilter
- enabled: off
+ enabled: false
+
+QubitLimitIp:
+ enabled: false
QubitSslRequirement:
- class: QubitSslRequirementFilter
- enabled: off
+ enabled: false
-rendering: ~
-security: ~
-cache: ~
+cache: ~
execution: ~
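Review bot: The removed comment block (`# Disable other filters` plus the ticket link) was the only explanation of why every filter is switched off for this module, and the new `QubitLimitIp: enabled: false` entry now also exempts the SWORD module from the admin IP restriction. If that exemption is intended because access is handled by `httpAuthFilter`, say so next to the entry, for example `# IP limit not applied to SWORD deposits; access is controlled by httpAuthFilter`. Otherwise an operator who sets `limit_admin_ip` may assume it covers this module too.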