From: dongsheng Date: Tue, 22 Jul 2008 04:07:58 +0000 (+0000) Subject: MDL-15244 X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=5035228fc0691f1501f58e95019023d3965162f4;p=moodle.git MDL-15244 1. move ip blocker to security menu 2. blocked list and allowed list can work together, a new option could set the order of them
---
diff --git a/admin/settings/security.php b/admin/settings/security.php
index 85b9eec515..fdcc3276f8 100644
--- a/admin/settings/security.php
+++ b/admin/settings/security.php
@@ -2,7 +2,14 @@ if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page
-
+ // "ip blocker" settingpage
+ $temp = new admin_settingpage('ipblocker', get_string('ipblocker', 'admin'));
+ $temp->add(new admin_setting_configcheckbox('allowbeforeblock', get_string('allowbeforeblock', 'admin'), get_string('allowbeforeblockdesc', 'admin'), 0));
+ $temp->add(new admin_setting_configiplist('allowedip', get_string('allowediplist', 'admin'),
+ '', ''));
+ $temp->add(new admin_setting_configiplist('blockedip', get_string('blockediplist', 'admin'),
+ '', ''));
+ $ADMIN->add('security', $temp);
 // "sitepolicies" settingpage
 $temp = new admin_settingpage('sitepolicies', get_string('sitepolicies', 'admin'));
 $temp->add(new admin_setting_configcheckbox('protectusernames', get_string('protectusernames', 'admin'), get_string('configprotectusernames', 'admin'), 1));
diff --git a/admin/settings/server.php b/admin/settings/server.php
index 657bef2c6d..b94989fc57 100644
--- a/admin/settings/server.php
+++ b/admin/settings/server.php
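Review bot: In the admin/settings/security.php hunk the `enableallowedip` checkbox is replaced by `allowbeforeblock`, but `allowedip` keeps its name, and the new lib/setup.php code enforces any non-empty allowed list where the removed code read it only when `enableallowedip` was set. A site that still has addresses stored in `allowedip` with the old checkbox off would begin refusing every other client after this change, administrators included; no upgrade step that clears or migrates the old values is visible in this commit. I would add a comment above the page, `// NOTE: a non-empty 'allowedip' is always enforced; there is no separate enable switch`, and say the same in `allowbeforeblockdesc`.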
@@ -161,14 +161,6 @@ $ADMIN->add('server', $temp);
 $ADMIN->add('server', new admin_externalpage('maintenancemode', get_string('sitemaintenancemode', 'admin'), "$CFG->wwwroot/$CFG->admin/maintenance.php"));
-$temp = new admin_settingpage('ipblocker', get_string('ipblocker', 'admin'));
-$temp->add(new admin_setting_configcheckbox('enableallowedip', get_string('enableallowedip', 'admin'), get_string('enableallowedipdesc', 'admin'), 0));
-$temp->add(new admin_setting_configiplist('allowedip', get_string('allowediplist', 'admin'),
- '', ''));
-$temp->add(new admin_setting_configiplist('blockedip', get_string('blockediplist', 'admin'),
- '', ''));
-$ADMIN->add('server', $temp);
-
 $temp = new admin_settingpage('cleanup', get_string('cleanup', 'admin'));
 $temp->add(new admin_setting_configselect('longtimenosee', get_string('longtimenosee', 'admin'), get_string('configlongtimenosee', 'admin'), 120, array(0 => get_string('never'), 1000 => get_string('numdays', '', 1000),
diff --git a/lang/en_utf8/admin.php b/lang/en_utf8/admin.php
index 1ad1eeaa51..2adf02b2e3 100644
--- a/lang/en_utf8/admin.php
+++ b/lang/en_utf8/admin.php
@@ -335,8 +335,8 @@ $string['enablerecordcache'] = 'Enable Record Cache';
 $string['enablerssfeeds'] = 'Enable RSS feeds';
 $string['enablestats'] = 'Enable statistics';
 $string['enabletrusttext'] = 'Enable Trusted Content';
-$string['enableallowedip'] = 'Allow clients from these IPs';
-$string['enableallowedipdesc'] = 'If this option enabled, only IPs entered in allowed list are permitted, IPs are in blocked list are blocked at the same time.';
+$string['allowbeforeblock'] = 'Allowed list will be processed first';
+$string['allowbeforeblockdesc'] = 'By Default, blocked list will be processed first, if this option enabled, allowed IPs list will be processed before blocked list.';
 $string['encoding'] = 'Encoding';
 $string['enrolmultipleusers'] = 'Enrol the users';
 $string['environment'] = 'Environment';
@@ -418,8 +418,7 @@ $string['intcachemax'] = 'Int. cache max';
 $string['invalidsection'] = 'Invalid section.';
 $string['invaliduserchangeme'] = 'Username \"changeme\" is reserved -- you cannot create an account with it.';
 $string['ipblocker'] = 'IP Blocker';
-$string['ipinblockedlist'] = 'This site is not available currently.';
-$string['ipoutallowedlist'] = 'This site is not available currently.';
+$string['ipblocked'] = 'This site is not available currently.';
 $string['iplookup'] = 'IP address lookup';
 $string['iplookupinfo'] = ' By default Moodle uses the free online NetGeo (The Internet Geographic Database) server to lookup location of IP addresses, unfortunately this database is not maintained anymore and may return wildly incorrect data.
diff --git a/lib/setup.php b/lib/setup.php
index 3e2d769130..b5747e3743 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -519,7 +519,6 @@ global $HTTPSPAGEREQUIRED;
 /// Adjust ALLOWED_TAGS
 adjust_allowed_tags();
-
 /// Use a custom script replacement if one exists
 if (!empty($CFG->customscripts)) {
 if (($customscript = custom_script_path()) !== false) {
@@ -527,34 +526,58 @@ global $HTTPSPAGEREQUIRED;
 }
 }
- $allowediponly = get_config(null, 'enableallowedip');
- if(!empty($allowediponly)){
- $allowediplist = get_config(null, 'allowedip');
- $blockediplist = get_config(null, 'blockedip');
- } else {
- $blockediplist = get_config(null, 'blockedip');
- }
- if(!empty($blockediplist)) {
- $blockediplist = explode("\n", $blockediplist);
- foreach($blockediplist as $ip) {
- $ip = trim($ip);
- if(address_in_subnet(getremoteaddr(), $ip)){
- // Telling the banned user the site is not
- // available currently.
- die(get_string('ipinblockedlist', 'admin'));
+ // allowed list processed before blocked list?
+ $allowbeforeblock = get_config(null, 'allowbeforeblock');
+ $allowediplist = get_config(null, 'allowedip');
+ $blockediplist = get_config(null, 'blockedip');
+ $banned = false;
+
+ function check_ip($list){
+ $inlist = false;
+ $client_ip = getremoteaddr();
+ $list = explode("\n", $list);
+ foreach($list as $subnet) {
+ $subnet = trim($subnet);
+ if (address_in_subnet($client_ip, $subnet)) {
+ $inlist = true;
+ break;
 }
 }
- }
- if(!empty($allowediplist)) {
- $allowediplist = explode("\n", $allowediplist);
- foreach($allowediplist as $ip) {
- $ip = trim($ip);
- if(!address_in_subnet(getremoteaddr(), $ip)){
- // Telling users only specfied users are
- // allowed accessing this site.
- die(get_string('ipoutallowedlist', 'admin'));
- }
+ return $inlist;
+ }
+ // in the first case, ip in allowed list will be performed first
+ // for example, client IP is 192.168.1.1
+ // 192.168 subnet is an entry in allowed list
+ // 192.168.1.1 is banned in blocked list
+ // This ip will be banned finally
+ if (!empty($allowbeforeblock)) {
+ if (!empty($allowediplist)) {
+ $banned = !check_ip($allowediplist);
 }
+ // need further check, client ip may a part of
+ // allowed subnet, but a IP address are listed
+ // in blocked list.
+ if (!empty($blockediplist)) {
+ $banned = check_ip($allowediplist);
+ }
+ } else {
+ // in this case, IPs in blocked list will be performed first
+ // for example, client IP is 192.168.1.1
+ // 192.168 subnet is an entry in blocked list
+ // 192.168.1.1 is allowed in allowed list
+ // This ip will be allowed finally
+ if (!empty($blockediplist)) {
+ $banned = check_ip($blockediplist);
+ }
+ // if the allowed ip list is not empty
+ // IPs are not included in the allowed list will be
+ // blocked too
+ if (!empty($allowediplist)) {
+ $banned = !check_ip($allowediplist);
+ }
+ }
+ if($banned) {
+ die(get_string('ipblocked', 'admin'));
 }
 /// note: we can not block non utf-8 installatrions here, because empty mysql database
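Review bot: In the allow-first branch the blocked-list test calls `check_ip($allowediplist)`, so once both lists are set a client matching the allowed list is banned and any other client is let through; the line should be `$banned = $banned || check_ip($blockediplist);`. The `||` matters as well: a plain assignment would overwrite the `true` set by the allowed-list test just above, and the allowed list would stop restricting anything whenever a blocked list exists. `check_ip()` also passes every line from `explode("\n", …)` to `address_in_subnet()`, including an empty string left by a trailing newline; how that helper treats an empty subnet is not visible here, so I would skip entries where `$subnet === ''`. Both lists are only as reliable as `getremoteaddr()`, whose body is outside this diff; if it can take the address from forwarding headers, the setting description should say so.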