Last modified: 2008-12-14 20:49:31 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T9492, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 7492 - Feature: grant privileges to certain IP address ranges.
Feature: grant privileges to certain IP address ranges.
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
unspecified
All All
: Normal enhancement with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
: patch, patch-need-review
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-10-04 17:06 UTC by Josh Yelon
Modified: 2008-12-14 20:49 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Adds the ability to grant privileges based on IP address. (2.56 KB, patch)
2006-10-04 18:00 UTC, Josh Yelon
Details
Adds the ability to grant privileges based on IP address (2.40 KB, patch)
2006-10-04 18:11 UTC, Josh Yelon
Details
Variant using wgGetIp instead of $_SERVER['REMOTE_ADDR'] (2.39 KB, patch)
2006-10-04 18:32 UTC, Josh Yelon
Details
Variant using wfGetIP instead of $_SERVER['REMOTE_ADDR'] (2.39 KB, patch)
2006-10-04 19:05 UTC, Josh Yelon
Details
New implementation (1009 bytes, patch)
2008-12-14 17:44 UTC, Chad H.
Details

Description Josh Yelon 2006-10-04 17:06:01 UTC
I have provided code for this enhancement.  It allows the wiki to grant
privileges based on the IP address of the user.  You use it by putting this sort
of thing into your LocalSettings.php:

$wgIpAddressRanges = array(
   "192.168.*.*" => "mycompany"
);

$wgGroupPermissions["mycompany","createaccount"] = true;

Here is the code that implements this feature:

http://panda3d.org/josh/ip-privileges.patch

The patch is against 1.7.1.  The total amount of code in this patch is only
about two dozen lines.  I should warn you that I'm not a particularly
experienced mediawiki coder, so somebody who knows what they're doing should
definitely read over the code.  Fortunately, that should only take a minute,
since it's so short.

The particular situation that led me to implement this feature is as follows.  I
work at a university, and we want a wiki where only university students can
create accounts, but where anyone can read the wiki.  Since we have thousands of
students, and thousands more every semester, it is impractical to assign
privileges by handing out accounts.  Doing it by IP address range makes more sense.

If you have time, let me know if you integrate this patch.  jyelon@gmail.com
Comment 1 Jimmy Collins 2006-10-04 17:53:27 UTC
Please post your patch as *attachment* to this bug in unified format (patch -u).

Thanks!
Comment 2 Josh Yelon 2006-10-04 18:00:17 UTC
Created attachment 2437 [details]
Adds the ability to grant privileges based on IP address.
Comment 3 Josh Yelon 2006-10-04 18:02:07 UTC
Hang on, I'm not used to doing this.  Give me a second, I'll get this right
eventually.  
Comment 4 Brion Vibber 2006-10-04 18:05:31 UTC
$_SERVER['REMOTE_ADDR'] isn't safe when proxies are part of the setup;
use wfGetIP() which follows the permitted proxy headers.
Comment 5 Jimmy Collins 2006-10-04 18:07:25 UTC
(In reply to comment #1)
> Please post your patch as *attachment* to this bug in unified format (patch -u).

"diff -u" of course - sorry

Comment 6 Josh Yelon 2006-10-04 18:11:12 UTC
Created attachment 2438 [details]
Adds the ability to grant privileges based on IP address

This one's a unified diff (diff -u).  Sorry, still getting used to the system.
Comment 7 Josh Yelon 2006-10-04 18:32:44 UTC
Created attachment 2439 [details]
Variant using wgGetIp instead of $_SERVER['REMOTE_ADDR']

Brion recommended this modification.  I tested it and it worked fine in the
normal case (I don't have a proxy setup, so I wasn't able to test that case).

However, this raises a question in my mind.  In the event that somebody is
talking to the wiki via a proxy, we need to use the IP address of the proxy,
not the IP address that the proxy reports.  Using the latter would make a huge
security hole, since anyone could code up a proxy that reports any IP that they
wish.  Which does wfGetIp report?  Which does $_SERVER['REMOTE_ADDR'] report? 
These things are beyond my knowledge and experience.
Comment 8 Brion Vibber 2006-10-04 18:44:12 UTC
"...use wfGetIP() which follows the **permitted** proxy headers."

See ProxyTools.php for details.
Comment 9 Josh Yelon 2006-10-04 18:50:40 UTC
Well, deciphering the code in ProxyTools.php is more that I can currently
manage.  I'll leave it to coders older and wiser than myself to decide what's
the right method.
Comment 10 Josh Yelon 2006-10-04 19:05:15 UTC
Created attachment 2440 [details]
Variant using wfGetIP instead of $_SERVER['REMOTE_ADDR']

This time, without the typo.  I'm not sure how the typo got through last time,
I thought I tested it.
Comment 11 Chad H. 2008-12-14 17:44:42 UTC
Created attachment 5581 [details]
New implementation

Redo this using the Autopromote stuff. Allows the user to get rights if they're either A) A specific IP address (using APCOND_ISIP) or B) In a range (using APCOND_IPINRANGE)
Comment 12 Chad H. 2008-12-14 20:49:31 UTC
Done in r44592

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links