Last modified: 2008-12-14 20:49:31 UTC
I have provided code for this enhancement. It allows the wiki to grant privileges based on the IP address of the user. You use it by putting this sort of thing into your LocalSettings.php: $wgIpAddressRanges = array( "192.168.*.*" => "mycompany" ); $wgGroupPermissions["mycompany","createaccount"] = true; Here is the code that implements this feature: http://panda3d.org/josh/ip-privileges.patch The patch is against 1.7.1. The total amount of code in this patch is only about two dozen lines. I should warn you that I'm not a particularly experienced mediawiki coder, so somebody who knows what they're doing should definitely read over the code. Fortunately, that should only take a minute, since it's so short. The particular situation that led me to implement this feature is as follows. I work at a university, and we want a wiki where only university students can create accounts, but where anyone can read the wiki. Since we have thousands of students, and thousands more every semester, it is impractical to assign privileges by handing out accounts. Doing it by IP address range makes more sense. If you have time, let me know if you integrate this patch. jyelon@gmail.com
Please post your patch as *attachment* to this bug in unified format (patch -u). Thanks!
Created attachment 2437 [details] Adds the ability to grant privileges based on IP address.
Hang on, I'm not used to doing this. Give me a second, I'll get this right eventually.
$_SERVER['REMOTE_ADDR'] isn't safe when proxies are part of the setup; use wfGetIP() which follows the permitted proxy headers.
(In reply to comment #1) > Please post your patch as *attachment* to this bug in unified format (patch -u). "diff -u" of course - sorry
Created attachment 2438 [details] Adds the ability to grant privileges based on IP address This one's a unified diff (diff -u). Sorry, still getting used to the system.
Created attachment 2439 [details] Variant using wgGetIp instead of $_SERVER['REMOTE_ADDR'] Brion recommended this modification. I tested it and it worked fine in the normal case (I don't have a proxy setup, so I wasn't able to test that case). However, this raises a question in my mind. In the event that somebody is talking to the wiki via a proxy, we need to use the IP address of the proxy, not the IP address that the proxy reports. Using the latter would make a huge security hole, since anyone could code up a proxy that reports any IP that they wish. Which does wfGetIp report? Which does $_SERVER['REMOTE_ADDR'] report? These things are beyond my knowledge and experience.
"...use wfGetIP() which follows the **permitted** proxy headers." See ProxyTools.php for details.
Well, deciphering the code in ProxyTools.php is more that I can currently manage. I'll leave it to coders older and wiser than myself to decide what's the right method.
Created attachment 2440 [details] Variant using wfGetIP instead of $_SERVER['REMOTE_ADDR'] This time, without the typo. I'm not sure how the typo got through last time, I thought I tested it.
Created attachment 5581 [details] New implementation Redo this using the Autopromote stuff. Allows the user to get rights if they're either A) A specific IP address (using APCOND_ISIP) or B) In a range (using APCOND_IPINRANGE)
Done in r44592