
Feature: grant privileges to certain IP address ranges.
Closed, Resolved, Public

Description

Author: jyelon

Description:
I have provided code for this enhancement. It allows the wiki to grant
privileges based on the IP address of the user. You use it by putting this sort
of thing into your LocalSettings.php:

// Map an IP address pattern to a group name
$wgIpAddressRanges = array(
    "192.168.*.*" => "mycompany"
);

// Members of that group may create accounts
$wgGroupPermissions["mycompany"]["createaccount"] = true;

Here is the code that implements this feature:

http://panda3d.org/josh/ip-privileges.patch

The patch is against 1.7.1. The total amount of code in this patch is only
about two dozen lines. I should warn you that I'm not a particularly
experienced mediawiki coder, so somebody who knows what they're doing should
definitely read over the code. Fortunately, that should only take a minute,
since it's so short.

The particular situation that led me to implement this feature is as follows. I
work at a university, and we want a wiki where only university students can
create accounts, but where anyone can read the wiki. Since we have thousands of
students, and thousands more every semester, it is impractical to assign
privileges by handing out accounts. Doing it by IP address range makes more sense.

If you have time, let me know if you integrate this patch. jyelon@gmail.com


Version: unspecified
Severity: enhancement

Details

Reference
bz7492

Event Timeline

bzimport raised the priority of this task from to Medium. (Nov 21 2014, 9:27 PM)
bzimport set Reference to bz7492.
bzimport added a subscriber: Unknown Object (MLST).

jimmy.collins wrote:

Please post your patch as *attachment* to this bug in unified format (patch -u).

Thanks!

jyelon wrote:

Adds the ability to grant privileges based on IP address.

attachment wikipatch ignored as obsolete

jyelon wrote:

Hang on, I'm not used to doing this. Give me a second, I'll get this right
eventually.

$_SERVER['REMOTE_ADDR'] isn't safe when proxies are part of the setup;
use wfGetIP() which follows the permitted proxy headers.

jimmy.collins wrote:

(In reply to comment #1)

Please post your patch as *attachment* to this bug in unified format (patch -u).

"diff -u" of course - sorry

jyelon wrote:

Adds the ability to grant privileges based on IP address

This one's a unified diff (diff -u). Sorry, still getting used to the system.

attachment unified-diff ignored as obsolete

jyelon wrote:

Variant using wgGetIp instead of $_SERVER['REMOTE_ADDR']

Brion recommended this modification. I tested it and it worked fine in the
normal case (I don't have a proxy setup, so I wasn't able to test that case).

However, this raises a question in my mind. In the event that somebody is
talking to the wiki via a proxy, we need to use the IP address of the proxy,
not the IP address that the proxy reports. Using the latter would make a huge
security hole, since anyone could code up a proxy that reports any IP that they
wish. Which does wfGetIp report? Which does $_SERVER['REMOTE_ADDR'] report?
These things are beyond my knowledge and experience.

attachment wikipatch ignored as obsolete

"...use wfGetIP() which follows the permitted proxy headers."

See ProxyTools.php for details.

jyelon wrote:

Well, deciphering the code in ProxyTools.php is more than I can currently
manage. I'll leave it to coders older and wiser than myself to decide what's
the right method.

jyelon wrote:

Variant using wfGetIP instead of $_SERVER['REMOTE_ADDR']

This time, without the typo. I'm not sure how the typo got through last time,
I thought I tested it.

attachment wikipatch ignored as obsolete

Created attachment 5581
New implementation

Redo this using the Autopromote stuff. Allows the user to get rights if they're either A) A specific IP address (using APCOND_ISIP) or B) In a range (using APCOND_IPINRANGE)
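
The question raised earlier in this thread, which address to trust when a proxy is involved, worked through as an added example (not code from the patch or from MediaWiki's ProxyTools.php): forwarding headers are believed only when they arrive from a proxy you operate, and the range check runs on the resulting address. The function names, the proxy address 203.0.113.10 and the CIDR form of the range are assumptions made for illustration; the mask arithmetic assumes 64-bit PHP.

```php
<?php
// Added illustration, not MediaWiki code. All names here are hypothetical.

// True if IPv4 address $ip lies inside CIDR range $cidr (e.g. "192.168.0.0/16").
function ipInRange(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    // Malformed input must never match, otherwise a bad range grants everyone.
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int)$bits > 32) {
        return false;
    }
    $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Walk X-Forwarded-For from right to left, starting at the TCP peer, and
// stop at the first address that is not one of our own proxies.
function resolveClientIp(string $remoteAddr, ?string $xff, array $trustedProxies): string {
    $ip = $remoteAddr;
    $hops = $xff === null ? [] : array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (!in_array($ip, $trustedProxies, true)) {
            break; // header came from an untrusted sender: ignore it
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // unparsable entry: keep the last verified address
        }
        $ip = $hop;
    }
    return $ip;
}

// Constructed sample requests: [TCP peer address, X-Forwarded-For header or null].
$trusted = ['203.0.113.10'];
$range = '192.168.0.0/16';
$cases = [
    'direct client inside the range'           => ['192.168.4.7', null],
    'outside client sending its own header'    => ['198.51.100.23', '192.168.1.1'],
    'inside client via our proxy'              => ['203.0.113.10', '192.168.4.7'],
    'outside client via our proxy, extra hop'  => ['203.0.113.10', '192.168.1.1, 198.51.100.23'],
];
foreach ($cases as $label => [$peer, $xff]) {
    $ip = resolveClientIp($peer, $xff, $trusted);
    printf("%-42s %-15s %s\n", $label, $ip, ipInRange($ip, $range) ? 'grant' : 'deny');
}
```

Only the first and third requests resolve to an address inside the range; in the other two the 192.168.1.1 entry is never reached because the address that supplied it is not a trusted proxy.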