Commit 3e119203 authored by Jay Friendly's avatar Jay Friendly

adding whitelist and blacklist for pages

parent 1cc5f813
......@@ -11,13 +11,21 @@ function restrict_ip_settings($form, &$form_state)
(
'#markup' => t('Enter the list of allowed IP addresses below'),
'#prefix' => '<h2>',
'#suffix' => '</h2><p><strong style="color:red">' . t("Warning: If you don't enter your current IP address into the list, you will immediately be locked out of the system upon save, and will not be able to access the system until you are in a location with an allowed IP address. Alternatively you can allow Restrict IP to be bypassed by role, and set at least one of your roles to be bypassed on the !permissions page.", array('!permissions' => user_access('administer permissions') ? l(t('permissions'), 'admin/people/permissions') : t('permissions'))) . '</strong></p><p><strong>' . t('Your current IP address is: !ip_address', array('!ip_address' => '<em>' . ip_address() . '</em>')) . '</strong></p>',
'#suffix' => '</h2><p><strong style="color:red">' . t("Warning: If you enable IP restriction, and don't enter your current IP address into the list, you will immediately be locked out of the system upon save, and will not be able to access the system until you are in a location with an allowed IP address. Alternatively you can allow Restrict IP to be bypassed by role, and set at least one of your roles to be bypassed on the !permissions page.", array('!permissions' => user_access('administer permissions') ? l(t('permissions'), 'admin/people/permissions') : t('permissions'))) . '</strong></p><p><strong>' . t('Your current IP address is: !ip_address', array('!ip_address' => '<em>' . ip_address() . '</em>')) . '</strong></p>',
);
$form['restrict_ip_enable'] = array
(
'#type' => 'checkbox',
'#title' => t('Enable Restricted IPs'),
'#description' => t('IP addresses will only be enabled when this option is selected'),
'#default_value' => variable_get('restrict_ip_enable', 0),
);
$form['restrict_ip_address_list'] = array
(
'#title' => t('Allowed IP Address List'),
'#description' => t('Enter the list of IP Addresses that are allowed to access the site. If this field is left empty, all IP addresses will be able to access the site. Enter one IP address per line. You may also enter a range of IP addresses in the format AAA.BBB.CCC.XXX - AAA.BBB.CCC.YYY'),
'#description' => t('Enter the list of IP Addresses that are allowed to access the site. Enter one IP address per line, in IPv4 or IPv6 format. You may also enter a range of IPv4 addresses in the format AAA.BBB.CCC.XXX - AAA.BBB.CCC.YYY'),
'#type' => 'textarea',
'#default_value' => variable_get('restrict_ip_address_list', ''),
);
......@@ -69,12 +77,46 @@ function restrict_ip_settings($form, &$form_state)
),
);
$form['restrict_ip_white_black_list'] = array
(
'#type' => 'radios',
'#options' => array
(
t('Check IP addresses on all paths'),
t('Check IP addresses on all paths except the following'),
t('Check IP addresses only on the following paths'),
),
'#default_value' => variable_get('restrict_ip_white_black_list', 0),
);
$form['restrict_ip_page_whitelist'] = array
(
'#title' => t('Whitelisted pages'),
'#description' => t('Enter a list of paths that will be allowed regardless of IP address. For example, to whitelist this page, you would enter <em>admin/config/people/restrict_ip</em>. Do not include domain names. Wildcards will not work at this time.'),
'#description' => t('Enter a list of paths that will be allowed regardless of IP address. For example, to not check IP addresses on this page, you would enter <em>admin/config/people/restrict_ip</em>. All paths not included here will be checked. Do not include domain names. Wildcards in paths do not work.'),
'#type' => 'textarea',
'#default_value' => variable_get('restrict_ip_page_whitelist'),
'#default_value' => variable_get('restrict_ip_page_whitelist', ''),
'#states' => array
(
'visible' => array
(
':input[name="restrict_ip_white_black_list"]' => array('value' => 1),
),
),
);
$form['restrict_ip_page_blacklist'] = array
(
'#title' => t('Blacklisted pages'),
'#description' => t('Enter a list of paths on which IP addresses will be checked. For example, to check IP addresses on this page, you would enter <em>admin/config/people/restrict_ip</em>. All paths not included here will not be checked. Do not include domain names. Wildcards in paths do not work.'),
'#type' => 'textarea',
'#default_value' => variable_get('restrict_ip_page_blacklist'),
'#states' => array
(
'visible' => array
(
':input[name="restrict_ip_white_black_list"]' => array('value' => 2),
),
),
);
return system_settings_form($form);
......@@ -180,14 +222,14 @@ function restrict_ip_settings_validate($form, &$form_state)
*/
function restrict_ip_access_denied_page()
{
if(!ip_restricted())
if(!isset($_SESSION['restrict_ip']) || !$_SESSION['restrict_ip'])
{
drupal_goto('<front>');
}
$page['access_denied'] = array
(
'#markup' => t('This site cannot be accessed from your IP address.'),
'#markup' => t('The page you are trying to access cannot be accessed from your IP address.'),
'#prefix' => '<p>',
'#suffix' => '</p>',
);
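Review bot: `'#default_value' => variable_get('restrict_ip_page_blacklist'),` in the new blacklist field omits the `''` fallback that this same commit adds to the whitelist field a few lines above; it should read `'#default_value' => variable_get('restrict_ip_page_blacklist', ''),` so both textareas get an empty string rather than a null default before the variable is first saved. The blacklist `#description` also promises that paths not listed "will not be checked", but the boot hook changed in this commit keeps `$access_denied` at TRUE when the field is empty, i.e. an empty blacklist checks every path, so the description should state that, e.g. append `If this field is left empty, IP addresses will be checked on all paths.`. The `restrict_ip_white_black_list` radios carry no `#title`, which leaves the three options without a group label in the rendered form; a title such as `t('Paths on which to check IP addresses')` would make the mode choice readable on its own.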
......@@ -100,114 +100,145 @@ function restrict_ip_boot()
{
global $user;
// Allow Drush requests regardless of IP.
if(!drupal_is_cli())
{
// Get the value saved ot the system, and turn it into an array of IP addresses.
$ip_addresses = restrict_ip_sanitize_ip_list(variable_get('restrict_ip_address_list', ''));
// Add any whitelisted IPs from the settings.php file to the whitelisted array
if(count(variable_get('restrict_ip_whitelist', array())))
{
$ip_addresses = array_merge($ip_addresses, restrict_ip_sanitize_ip_list(implode(PHP_EOL, variable_get('restrict_ip_whitelist', array()))));
}
drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION);
drupal_session_start();
// We only need to check IP addresses if at least one IP has been set to be whitelisted.
if(count($ip_addresses))
unset($_SESSION['restrict_ip']);
if(variable_get('restrict_ip_enable', 0))
{
// Allow Drush requests regardless of IP.
if(!drupal_is_cli())
{
$access_denied = TRUE;
$whitelisted_pages = variable_get('restrict_ip_page_whitelist', '');
if(strlen(trim($whitelisted_pages)))
if(variable_get('restrict_ip_white_black_list', 0) == 1)
{
$whitelisted_pages = explode(PHP_EOL, trim($whitelisted_pages));
for($i = 0; $i < count($whitelisted_pages); $i++)
$whitelisted_pages = trim(variable_get('restrict_ip_page_whitelist', ''));
if(strlen($whitelisted_pages))
{
$whitelisted_pages[$i] = trim($whitelisted_pages[$i]);
$whitelisted_pages = explode(PHP_EOL, $whitelisted_pages);
for($i = 0; $i < count($whitelisted_pages); $i++)
{
$whitelisted_pages[$i] = strtolower(trim($whitelisted_pages[$i]));
}
$current_path = strtolower($_GET['q']);
if(in_array($current_path, $whitelisted_pages))
{
$access_denied = FALSE;
}
}
}
$current_path = $_GET['q'];
if(in_array($current_path, $whitelisted_pages))
if(variable_get('restrict_ip_white_black_list', 0) == 2)
{
$blacklisted_pages = trim(variable_get('restrict_ip_page_blacklist', ''));
if(strlen($blacklisted_pages))
{
$access_denied = FALSE;
$blacklisted_pages = explode(PHP_EOL, $blacklisted_pages);
for($i = 0; $i < count($blacklisted_pages); $i++)
{
$blacklisted_pages[$i] = strtolower(trim($blacklisted_pages[$i]));
}
$current_path = strtolower($_GET['q']);
if(!in_array($current_path, $blacklisted_pages))
{
$access_denied = FALSE;
}
}
}
if($access_denied)
{
$user_ip = ip_address();
foreach($ip_addresses as $ip_address)
// Get the value saved to the system, and turn it into an array of IP addresses.
$ip_addresses = restrict_ip_sanitize_ip_list(variable_get('restrict_ip_address_list', ''));
// Add any whitelisted IPs from the settings.php file to the whitelisted array
if(count(variable_get('restrict_ip_whitelist', array())))
{
$ip_address = trim($ip_address);
if(strlen($ip_address))
$ip_addresses = array_merge($ip_addresses, restrict_ip_sanitize_ip_list(implode(PHP_EOL, variable_get('restrict_ip_whitelist', array()))));
}
if(count($ip_addresses))
{
$user_ip = ip_address();
foreach($ip_addresses as $ip_address)
{
// Check if the given IP address matches the current user
if($ip_address == $user_ip)
$ip_address = trim($ip_address);
if(strlen($ip_address))
{
// The given IP is allowed - so we don't deny access (aka we allow it)
$access_denied = FALSE;
// No need to continue as user is allowed
break;
}
// Check if the given IP address matches the current user
if($ip_address == $user_ip)
{
// The given IP is allowed - so we don't deny access (aka we allow it)
$access_denied = FALSE;
// No need to continue as user is allowed
break;
}
$pieces = explode('-', $ip_address);
// We only need to continue checking this IP address
// if it is a range of addresses
if(count($pieces) == 2)
{
$start_ip = $pieces[0];
$end_ip = $pieces[1];
$start_pieces = explode('.', $start_ip);
// If there are not 4 sections to the IP then its an invalid
// IPv4 address, and we don't need to continue checking
if(count($start_pieces) === 4)
$pieces = explode('-', $ip_address);
// We only need to continue checking this IP address
// if it is a range of addresses
if(count($pieces) == 2)
{
$user_pieces = explode('.', $user_ip);
$continue = TRUE;
// We compare the first three chunks of the first IP address
// With the first three chunks of the user's IP address
// If they are not the same, then the IP address is not within
// the range of IPs
for($i = 0; $i < 3; $i++)
$start_ip = $pieces[0];
$end_ip = $pieces[1];
$start_pieces = explode('.', $start_ip);
// If there are not 4 sections to the IP then its an invalid
// IPv4 address, and we don't need to continue checking
if(count($start_pieces) === 4)
{
if((int) $user_pieces[$i] !== (int) $start_pieces[$i])
$user_pieces = explode('.', $user_ip);
$continue = TRUE;
// We compare the first three chunks of the first IP address
// With the first three chunks of the user's IP address
// If they are not the same, then the IP address is not within
// the range of IPs
for($i = 0; $i < 3; $i++)
{
// One of the chunks has failed, so we can stop
// checking this range
$continue = FALSE;
break;
if((int) $user_pieces[$i] !== (int) $start_pieces[$i])
{
// One of the chunks has failed, so we can stop
// checking this range
$continue = FALSE;
break;
}
}
}
// The first three chunks have past testing, so now we check the
// range given to see if the final chunk is in this range
if($continue)
{
// First we get the start of the range
$start_final_chunk = (int) array_pop($start_pieces);
$end_pieces = explode('.', $end_ip);
// Then we get the end of the range. This will work
// whether the user has entered XXX.XXX.XXX.XXX - XXX.XXX.XXX.XXX
// or XXX.XXX.XXX.XXX-XXX
$end_final_chunk = (int) array_pop($end_pieces);
// Now we get the user's final chunk
$user_final_chunk = (int) array_pop($user_pieces);
// And finally we check to see if the user's chunk lies in that range
if($user_final_chunk >= $start_final_chunk && $user_final_chunk <= $end_final_chunk)
// The first three chunks have past testing, so now we check the
// range given to see if the final chunk is in this range
if($continue)
{
// The user's IP lies in the range, so we don't deny access (ie - we grant it)
$access_denied = FALSE;
// No need to cintinue checking addresses as the user has been granted
break;
// First we get the start of the range
$start_final_chunk = (int) array_pop($start_pieces);
$end_pieces = explode('.', $end_ip);
// Then we get the end of the range. This will work
// whether the user has entered XXX.XXX.XXX.XXX - XXX.XXX.XXX.XXX
// or XXX.XXX.XXX.XXX-XXX
$end_final_chunk = (int) array_pop($end_pieces);
// Now we get the user's final chunk
$user_final_chunk = (int) array_pop($user_pieces);
// And finally we check to see if the user's chunk lies in that range
if($user_final_chunk >= $start_final_chunk && $user_final_chunk <= $end_final_chunk)
{
// The user's IP lies in the range, so we don't deny access (ie - we grant it)
$access_denied = FALSE;
// No need to cintinue checking addresses as the user has been granted
break;
}
}
}
}
}
}
}
}
// The user has been denied access, so we need to set this value as so.
if($access_denied)
{
ip_restricted(TRUE);
// The user has been denied access, so we need to set this value as so.
if($access_denied)
{
$_SESSION['restrict_ip'] = TRUE;
ip_restricted(TRUE);
}
}
}
}
......@@ -297,7 +328,15 @@ function restrict_ip_page_alter(&$page)
drupal_goto('user/login');
}
drupal_goto('restrict_ip/access_denied');
if(in_array(variable_get('restrict_ip_white_black_list', 0), array(0, 1)))
{
drupal_goto('restrict_ip/access_denied');
}
else
{
drupal_set_message(t('The page you are trying to access cannot be accessed from your IP address.'));
drupal_goto('<front>');
}
}
$regions = system_region_list($theme, REGIONS_ALL);
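Review bot: In the new blacklist branch of restrict_ip_boot() (the `if(variable_get('restrict_ip_white_black_list', 0) == 2)` block), a request path that is not an exact, lower-cased string match for an entry in the list is allowed through without any IP check, and the value compared is `$_GET['q']` as it stands in hook_boot, which — if I read the bootstrap order correctly — is the raw request path before Drupal has resolved path aliases, so a listed system path reached through its alias (or an aliased entry reached through its system path) would miss the list and skip the check entirely. The whitelist branch does the same matching, but there a miss fails closed, whereas here a miss fails open, so this mode should normalise the path it compares (resolve the alias once the path system is available, or document in the field that entries must match the exact requested path) before it is relied on for enforcement. The two branches also repeat the trim/explode/strtolower/in_array sequence nearly line for line; a single helper such as `restrict_ip_path_in_list($list, $current_path)` returning a bool would remove the duplication and give one place to put the normalisation. The mode comparisons use loose `== 1` / `== 2` against whatever `variable_get()` returns; `(int) variable_get(...) === 1` would make the intent explicit. The `restrict_ip_page_alter()` hunk below has the same loose comparison in `in_array(variable_get('restrict_ip_white_black_list', 0), array(0, 1))`, which with non-strict in_array also treats `'' == 0` as a match.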