[pmwiki-users] allow editing only from one IP

Oliver Betz list_ob at gmx.net
Thu Sep 25 01:50:50 CDT 2008


"Patrick R. Michaud" wrote:

>> Is it possible to allow editing only from one selected IP (and disallow from
>> all others) ?
>
>In config.php:
>
>if ($action == 'edit' && @$_SERVER['REMOTE_ADDR'] != '192.168.1.1') 
>  $action = 'browse';
>
>This will prevent editing from any address other than 192.168.1.1.

Could you have a look at my solution to also check (dynamic) DNS
entries:

- snip -
<?php if (!defined('PmWiki')) exit();

@session_start();
if(!isset($_SESSION['DNSauth'])){
  $_SESSION['DNSauth'] = '';
  $remoteip = preg_quote($_SERVER['REMOTE_ADDR']);      # quote '.' to make search pattern
  $remoteip = preg_replace('/\\d+$/', '($0\\b|\\*)', $remoteip); # same procedure as in blocklist

  $page = ReadPage($DNSauthPage, READPAGE_CURRENT);     # get IP addresses and host names
  if ($page && preg_match_all("/^\\s*([\\*\\.\\w]*):\\s*([\\@\\w]*)/m",
                              $page['text'], $matches, PREG_SET_ORDER)) {
    foreach($matches as $m) {
      if(preg_match("/\\d+\\.\\d+\\.\\d+\\.[\\d+*]/",$m[1])){
        $hostip = $m[1]; # is already IP address
      }
      else {
        $hostip = " " . gethostbyname($m[1]); # is a hostname - resolve it
      }
      if(preg_match("/\\b$remoteip/", $hostip)){
        $_SESSION['DNSauth'] = "$m[2]";
        SessionAuth($pagename, array('authlist' => array($m[2] => '1')));
      }
    }
  }
}
session_write_close();

$FmtPV['$DNS'] = "htmlentities(stripmagic(\$_SESSION['DNSauth']))";

?>
- snip -

It needs an entry like "$DNSauthPage = 'SiteAdmin/DNSallow';" in the
configuration script. This wiki page contains entries
"address:authname", e.g. "foobar.dyndns.org:someuser" or
"1.2.3.4:otheruser". The access rights are then defined with the
standard methods of authuser.

Since my PHP programming knowledge is pretty poor, I would be glad to
have someone look over it, especially whether there are security
problems and whether the integration with AuthUser is done correctly.

To avoid a bunch of DNS queries with each page request, I do the
check only if the session hasn't been established. Is it a good idea
to check AuthList directly, or is there a cleaner way?

I would be glad to publish it on pmwiki.org, but not before some
confirmation that it's safe.

Oliver
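
An added example, not part of the original post or of PmWiki: one way to match a client address against "address:authname" entries by exact comparison rather than an interpolated regex, treating a failed DNS lookup as no match. The function name dns_allow_lookup, the injectable $resolve parameter and the sample data are assumptions made for illustration.

```php
<?php
// Added example (not the poster's code). Parses "address:authname" lines
// and returns the authname of the first entry matching the client IP.
// $resolve is a hypothetical injectable resolver so the demo runs offline;
// pass 'gethostbynamel' for live lookups.
function dns_allow_lookup(string $text, string $remoteIp, callable $resolve): ?string {
    if (filter_var($remoteIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;                 // refuse anything that is not a plain IPv4 address
    }
    foreach (preg_split('/\R/', $text) as $line) {
        // address: IPv4 literal, "a.b.c.*", or a hostname (hyphens allowed)
        if (!preg_match('/^\s*([A-Za-z0-9.*-]+)\s*:\s*([@\w]+)\s*$/', $line, $m)) {
            continue;                // skip blank or malformed lines
        }
        [, $addr, $auth] = $m;
        if (preg_match('/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)\*$/', $addr, $w)) {
            // wildcard entry: the first three octets must match as a literal prefix
            if (strncmp($remoteIp, $w[1], strlen($w[1])) === 0) {
                return $auth;
            }
            continue;
        }
        if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
            $candidates = [$addr];   // entry is already an IP address
        } else {
            // gethostbynamel() returns false on failure, whereas gethostbyname()
            // returns the unresolved name unchanged
            $candidates = $resolve($addr) ?: [];
        }
        if (in_array($remoteIp, $candidates, true)) {
            return $auth;            // exact string equality, no regex on user data
        }
    }
    return null;
}

// Constructed sample data (documentation address ranges, made-up names).
$page = "office.example.org:someuser\n203.0.113.*:otheruser\n198.51.100.7:admin\n";
$fakeDns = fn(string $h) => $h === 'office.example.org' ? ['192.0.2.10'] : false;
foreach (['192.0.2.10', '203.0.113.99', '198.51.100.70', '192.0.2.1'] as $ip) {
    printf("%-15s => %s\n", $ip, dns_allow_lookup($page, $ip, $fakeDns) ?? '(no match)');
}
```

A match cached in the session outlives a change of the host's dynamic address, so a cached result needs an expiry or a re-check.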



