if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page
-
+ // "ip blocker" settingpage
+ $temp = new admin_settingpage('ipblocker', get_string('ipblocker', 'admin'));
+ $temp->add(new admin_setting_configcheckbox('allowbeforeblock', get_string('allowbeforeblock', 'admin'), get_string('allowbeforeblockdesc', 'admin'), 0));
+ $temp->add(new admin_setting_configiplist('allowedip', get_string('allowediplist', 'admin'),
+ '', ''));
+ $temp->add(new admin_setting_configiplist('blockedip', get_string('blockediplist', 'admin'),
+ '', ''));
+ $ADMIN->add('security', $temp);
// "sitepolicies" settingpage
$temp = new admin_settingpage('sitepolicies', get_string('sitepolicies', 'admin'));
$temp->add(new admin_setting_configcheckbox('protectusernames', get_string('protectusernames', 'admin'), get_string('configprotectusernames', 'admin'), 1));
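Review bot: The `allowedip` list loses its enable switch here: the removed `enableallowedip` checkbox gated it, while the replacement `allowbeforeblock` only chooses the evaluation order. The new check in the setup code further down this page enforces any non-empty allowed list on every request. A site that upgrades with a populated allowed list and the old checkbox off would start rejecting every other address, administrators included, and no upgrade step for the old setting is visible in this commit. Both `admin_setting_configiplist` calls pass `''` in what looks like the description slot, so the form gives no hint of this. I would pass a description there stating that a non-empty allowed list blocks all addresses not listed, or keep an explicit enable setting.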
$ADMIN->add('server', new admin_externalpage('maintenancemode', get_string('sitemaintenancemode', 'admin'), "$CFG->wwwroot/$CFG->admin/maintenance.php"));
-$temp = new admin_settingpage('ipblocker', get_string('ipblocker', 'admin'));
-$temp->add(new admin_setting_configcheckbox('enableallowedip', get_string('enableallowedip', 'admin'), get_string('enableallowedipdesc', 'admin'), 0));
-$temp->add(new admin_setting_configiplist('allowedip', get_string('allowediplist', 'admin'),
- '', ''));
-$temp->add(new admin_setting_configiplist('blockedip', get_string('blockediplist', 'admin'),
- '', ''));
-$ADMIN->add('server', $temp);
-
$temp = new admin_settingpage('cleanup', get_string('cleanup', 'admin'));
$temp->add(new admin_setting_configselect('longtimenosee', get_string('longtimenosee', 'admin'), get_string('configlongtimenosee', 'admin'), 120, array(0 => get_string('never'),
1000 => get_string('numdays', '', 1000),
$string['enablerssfeeds'] = 'Enable RSS feeds';
$string['enablestats'] = 'Enable statistics';
$string['enabletrusttext'] = 'Enable Trusted Content';
-$string['enableallowedip'] = 'Allow clients from these IPs';
-$string['enableallowedipdesc'] = 'If this option enabled, only IPs entered in allowed list are permitted, IPs are in blocked list are blocked at the same time.';
+$string['allowbeforeblock'] = 'Allowed list will be processed first';
+$string['allowbeforeblockdesc'] = 'By Default, blocked list will be processed first, if this option enabled, allowed IPs list will be processed before blocked list.';
$string['encoding'] = 'Encoding';
$string['enrolmultipleusers'] = 'Enrol the users';
$string['environment'] = 'Environment';
$string['invalidsection'] = 'Invalid section.';
$string['invaliduserchangeme'] = 'Username \"changeme\" is reserved -- you cannot create an account with it.';
$string['ipblocker'] = 'IP Blocker';
-$string['ipinblockedlist'] = 'This site is not available currently.';
-$string['ipoutallowedlist'] = 'This site is not available currently.';
+$string['ipblocked'] = 'This site is not available currently.';
$string['iplookup'] = 'IP address lookup';
$string['iplookupinfo'] = '
By default Moodle uses the free online NetGeo (The Internet Geographic Database) server to lookup location of IP addresses, unfortunately this database is not maintained anymore and may return <em>wildly incorrect</em> data.
/// Adjust ALLOWED_TAGS
adjust_allowed_tags();
-
/// Use a custom script replacement if one exists
if (!empty($CFG->customscripts)) {
if (($customscript = custom_script_path()) !== false) {
}
}
- $allowediponly = get_config(null, 'enableallowedip');
- if(!empty($allowediponly)){
- $allowediplist = get_config(null, 'allowedip');
- $blockediplist = get_config(null, 'blockedip');
- } else {
- $blockediplist = get_config(null, 'blockedip');
- }
- if(!empty($blockediplist)) {
- $blockediplist = explode("\n", $blockediplist);
- foreach($blockediplist as $ip) {
- $ip = trim($ip);
- if(address_in_subnet(getremoteaddr(), $ip)){
- // Telling the banned user the site is not
- // available currently.
- die(get_string('ipinblockedlist', 'admin'));
+ // allowed list processed before blocked list?
+ $allowbeforeblock = get_config(null, 'allowbeforeblock');
+ $allowediplist = get_config(null, 'allowedip');
+ $blockediplist = get_config(null, 'blockedip');
+ $banned = false;
+
+ function check_ip($list){
+ $inlist = false;
+ $client_ip = getremoteaddr();
+ $list = explode("\n", $list);
+ foreach($list as $subnet) {
+ $subnet = trim($subnet);
+ if (address_in_subnet($client_ip, $subnet)) {
+ $inlist = true;
+ break;
}
}
- }
- if(!empty($allowediplist)) {
- $allowediplist = explode("\n", $allowediplist);
- foreach($allowediplist as $ip) {
- $ip = trim($ip);
- if(!address_in_subnet(getremoteaddr(), $ip)){
- // Telling users only specfied users are
- // allowed accessing this site.
- die(get_string('ipoutallowedlist', 'admin'));
- }
+ return $inlist;
+ }
+ // in the first case, ip in allowed list will be performed first
+ // for example, client IP is 192.168.1.1
+ // 192.168 subnet is an entry in allowed list
+ // 192.168.1.1 is banned in blocked list
+ // This ip will be banned finally
+ if (!empty($allowbeforeblock)) {
+ if (!empty($allowediplist)) {
+ $banned = !check_ip($allowediplist);
}
+ // need further check, client ip may a part of
+ // allowed subnet, but a IP address are listed
+ // in blocked list.
+ if (!empty($blockediplist)) {
+ $banned = check_ip($allowediplist);
+ }
+ } else {
+ // in this case, IPs in blocked list will be performed first
+ // for example, client IP is 192.168.1.1
+ // 192.168 subnet is an entry in blocked list
+ // 192.168.1.1 is allowed in allowed list
+ // This ip will be allowed finally
+ if (!empty($blockediplist)) {
+ $banned = check_ip($blockediplist);
+ }
+ // if the allowed ip list is not empty
+ // IPs are not included in the allowed list will be
+ // blocked too
+ if (!empty($allowediplist)) {
+ $banned = !check_ip($allowediplist);
+ }
+ }
+ if($banned) {
+ die(get_string('ipblocked', 'admin'));
}
/// note: we can not block non utf-8 installatrions here, because empty mysql database
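Review bot: In the `allowbeforeblock` branch the second check calls `check_ip($allowediplist)` where the blocked list is meant, so with both lists populated a client inside the allowed list ends up with `$banned = true` and a client outside it is let through. The assignment also overwrites the result of the allowed-list check just above instead of combining with it, so even with the right list an address outside the allowed list would pass whenever the blocked list is non-empty. I would change the line to `$banned = $banned || check_ip($blockediplist);`. The `else` branch overwrites `$banned` in the same way, but that matches its comment (an allowed entry overrides a blocked subnet), so only the first branch needs the change. The decision also relies on `getremoteaddr()`, whose body is not shown here; if it reads proxy-supplied headers, both lists are only as reliable as the proxy in front of the site.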