Last modified: 2008-12-14 20:49:31 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 7492 - Feature: grant privileges to certain IP address ranges.
Feature: grant privileges to certain IP address ranges.
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
All All
: Normal enhancement with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
: patch, patch-need-review
Depends on:
  Show dependency treegraph
Reported: 2006-10-04 17:06 UTC by Josh Yelon
Modified: 2008-12-14 20:49 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Adds the ability to grant privileges based on IP address. (2.56 KB, patch)
2006-10-04 18:00 UTC, Josh Yelon
Adds the ability to grant privileges based on IP address (2.40 KB, patch)
2006-10-04 18:11 UTC, Josh Yelon
Variant using wgGetIp instead of $_SERVER['REMOTE_ADDR'] (2.39 KB, patch)
2006-10-04 18:32 UTC, Josh Yelon
Variant using wfGetIP instead of $_SERVER['REMOTE_ADDR'] (2.39 KB, patch)
2006-10-04 19:05 UTC, Josh Yelon
New implementation (1009 bytes, patch)
2008-12-14 17:44 UTC, Chad H.

Description Josh Yelon 2006-10-04 17:06:01 UTC
I have provided code for this enhancement.  It allows the wiki to grant
privileges based on the IP address of the user.  You use it by putting this sort
of thing into your LocalSettings.php:

$wgIpAddressRanges = array(
   "192.168.*.*" => "mycompany"

$wgGroupPermissions["mycompany","createaccount"] = true;

Here is the code that implements this feature:

The patch is against 1.7.1.  The total amount of code in this patch is only
about two dozen lines.  I should warn you that I'm not a particularly
experienced mediawiki coder, so somebody who knows what they're doing should
definitely read over the code.  Fortunately, that should only take a minute,
since it's so short.

The particular situation that led me to implement this feature is as follows.  I
work at a university, and we want a wiki where only university students can
create accounts, but where anyone can read the wiki.  Since we have thousands of
students, and thousands more every semester, it is impractical to assign
privileges by handing out accounts.  Doing it by IP address range makes more sense.

If you have time, let me know if you integrate this patch.
Comment 1 Jimmy Collins 2006-10-04 17:53:27 UTC
Please post your patch as *attachment* to this bug in unified format (patch -u).

Comment 2 Josh Yelon 2006-10-04 18:00:17 UTC
Created attachment 2437 [details]
Adds the ability to grant privileges based on IP address.
Comment 3 Josh Yelon 2006-10-04 18:02:07 UTC
Hang on, I'm not used to doing this.  Give me a second, I'll get this right
Comment 4 Brion Vibber 2006-10-04 18:05:31 UTC
$_SERVER['REMOTE_ADDR'] isn't safe when proxies are part of the setup;
use wfGetIP() which follows the permitted proxy headers.
Comment 5 Jimmy Collins 2006-10-04 18:07:25 UTC
(In reply to comment #1)
> Please post your patch as *attachment* to this bug in unified format (patch -u).

"diff -u" of course - sorry

Comment 6 Josh Yelon 2006-10-04 18:11:12 UTC
Created attachment 2438 [details]
Adds the ability to grant privileges based on IP address

This one's a unified diff (diff -u).  Sorry, still getting used to the system.
Comment 7 Josh Yelon 2006-10-04 18:32:44 UTC
Created attachment 2439 [details]
Variant using wgGetIp instead of $_SERVER['REMOTE_ADDR']

Brion recommended this modification.  I tested it and it worked fine in the
normal case (I don't have a proxy setup, so I wasn't able to test that case).

However, this raises a question in my mind.  In the event that somebody is
talking to the wiki via a proxy, we need to use the IP address of the proxy,
not the IP address that the proxy reports.  Using the latter would make a huge
security hole, since anyone could code up a proxy that reports any IP that they
wish.  Which does wfGetIp report?  Which does $_SERVER['REMOTE_ADDR'] report? 
These things are beyond my knowledge and experience.
Comment 8 Brion Vibber 2006-10-04 18:44:12 UTC
"...use wfGetIP() which follows the **permitted** proxy headers."

See ProxyTools.php for details.
Comment 9 Josh Yelon 2006-10-04 18:50:40 UTC
Well, deciphering the code in ProxyTools.php is more that I can currently
manage.  I'll leave it to coders older and wiser than myself to decide what's
the right method.
Comment 10 Josh Yelon 2006-10-04 19:05:15 UTC
Created attachment 2440 [details]
Variant using wfGetIP instead of $_SERVER['REMOTE_ADDR']

This time, without the typo.  I'm not sure how the typo got through last time,
I thought I tested it.
Comment 11 Chad H. 2008-12-14 17:44:42 UTC
Created attachment 5581 [details]
New implementation

Redo this using the Autopromote stuff. Allows the user to get rights if they're either A) A specific IP address (using APCOND_ISIP) or B) In a range (using APCOND_IPINRANGE)
Comment 12 Chad H. 2008-12-14 20:49:31 UTC
Done in r44592

Note You need to log in before you can comment on or make changes to this bug.