[pmwiki-users] allow editing only from one IP
Oliver Betz
list_ob at gmx.net
Thu Sep 25 01:50:50 CDT 2008
"Patrick R. Michaud" wrote:
>> Is it possible to allow editing only from one selected IP (and disallow from
>> all others) ?
>
>In config.php:
>
>if ($action == 'edit' && @$_SERVER['REMOTE_ADDR'] != '192.168.1.1')
> $action = 'browse';
>
>This will prevent editing from any address other than 192.168.1.1.
Could you have a look at my solution to also check (dynamic) DNS
entries:
- snip -
<?php if (!defined('PmWiki')) exit();
@session_start();
if (!isset($_SESSION['DNSauth'])) {
  $_SESSION['DNSauth'] = '';
  $remoteip = preg_quote($_SERVER['REMOTE_ADDR']); # quote '.' to make search pattern
  $remoteip = preg_replace('/\\d+$/', '($0\\b|\\*)', $remoteip); # same procedure as in blocklist
  $page = ReadPage($DNSauthPage, READPAGE_CURRENT); # get IP addresses and host names
  if ($page &&
      preg_match_all("/^\\s*([\\*\\.\\w]*):\\s*([\\@\\w]*)/m",
                     $page['text'], $matches, PREG_SET_ORDER)) {
    foreach ($matches as $m) {
      if (preg_match("/\\d+\\.\\d+\\.\\d+\\.[\\d+*]/", $m[1])) {
        $hostip = $m[1]; # is already IP address
      }
      else {
        $hostip = " " . gethostbyname($m[1]); # is a hostname - resolve it
      }
      if (preg_match("/\\b$remoteip/", $hostip)) {
        $_SESSION['DNSauth'] = "$m[2]";
        SessionAuth($pagename, array('authlist' => array($m[2] => '1')));
      }
    }
  }
}
session_write_close();
$FmtPV['$DNS'] = "htmlentities(stripmagic(\$_SESSION['DNSauth']))";
?>
- snip -
It needs an entry like "$DNSauthPage = 'SiteAdmin/DNSallow';" in the
configuration script; this wiki page contains entries
"address:authname", e.g. "foobar.dyndns.org:someuser" or
"1.2.3.4:otheruser". The access rights are then defined with the
standard methods of authuser.
Since my PHP programming knowledge is pretty poor, I would be glad to
have someone looking over it, especially whether there are security
problems and whether the integration with AuthUser is done correctly.
To avoid a bunch of DNS queries with each page request, I do the
check only if the session hasn't been established. Is it a good idea
to check AuthList directly, or is there a cleaner way?
I would be glad to publish it on pmwiki.org, but not before some
confirmation that it's safe.
Oliver
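
Added example (not part of the post above and not PmWiki code): the same "address:authname" lookup done with exact string comparison instead of a pattern built from REMOTE_ADDR, accepting hostnames that contain '-' and skipping entries whose lookup fails. The function name dnsallow_match, the injectable resolver and the sample entries are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. All names here are hypothetical.
// Match a client address against "address:authname" lines without building
// a regex from either side. $resolve is injectable so this runs offline.
function dnsallow_match(string $remote, string $text, callable $resolve): ?string
{
    if (filter_var($remote, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;                       // only dotted-quad IPv4 is handled
    }
    foreach (preg_split('/\R/', $text) as $line) {
        // host part: letters, digits, '.', '-' and '*'; name part: word chars and '@'
        if (!preg_match('/^\s*([\w.*-]+):\s*([\w@]+)\s*$/', $line, $m)) {
            continue;
        }
        [, $entry, $name] = $m;
        if (preg_match('/^\d+\.\d+\.\d+\.(\d+|\*)$/', $entry)) {
            $candidates = [$entry];        // literal address, possibly "a.b.c.*"
        } else {
            $candidates = $resolve($entry) ?: [];   // false/empty = lookup failed
        }
        foreach ($candidates as $ip) {
            if ($ip === $remote) {
                return $name;              // exact address match
            }
            if (substr($ip, -2) === '.*'
                && strncmp($remote, $ip, strlen($ip) - 1) === 0) {
                return $name;              // same first three octets
            }
        }
    }
    return null;
}

// Constructed sample data; the resolver stub stands in for gethostbynamel().
$page = "foo-bar.dyndns.org:someuser\n1.2.3.*:otheruser\nbroken.example:nobody\n";
$stub = function (string $host) {
    $zone = ['foo-bar.dyndns.org' => ['203.0.113.7']];
    return $zone[$host] ?? false;          // gethostbynamel() returns false on failure
};
foreach (['203.0.113.7', '1.2.3.44', '11.2.3.4', '203.0.113.70'] as $ip) {
    printf("%-13s => %s\n", $ip, dnsallow_match($ip, $page, $stub) ?? '(no match)');
}
```

Outside the sample run, 'gethostbynamel' can be passed as the resolver; unlike gethostbyname(), which returns the unmodified hostname on failure, it returns false, so a failed lookup never yields a string to compare against.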