backoffice: allow limiting ADMIN_FOR_ALL to specific IP addresses (#7122)
This commit is contained in:
parent
ba05822bba
commit
28f249224a
|
@ -45,12 +45,13 @@
|
|||
|
||||
<p>
|
||||
Dans le répertoire de l'instance (<file>/var/lib/wcs/www.example.net/</file>
|
||||
par exemple), créez un fichier <file>ADMIN_FOR_ALL</file>.
|
||||
par exemple), un fichier <file>ADMIN_FOR_ALL</file> doit être créé,
|
||||
contenant l'adresse IP qui sera utilisée pour la connexion.
|
||||
</p>
|
||||
|
||||
<screen>
|
||||
<output style="prompt"># </output><input>cd /var/lib/wcs/www.example.net/</input>
|
||||
<output style="prompt"># </output><input>touch ADMIN_FOR_ALL</input>
|
||||
<output style="prompt"># </output><input>echo 77.109.103.99 > ADMIN_FOR_ALL</input>
|
||||
</screen>
|
||||
|
||||
<p>
|
||||
|
@ -61,6 +62,15 @@
|
|||
<file>ADMIN_FOR_ALL</file>.
|
||||
</p>
|
||||
|
||||
<note style="warning">
|
||||
<p>
|
||||
Pour des raisons de compatibilité, un fichier <file>ADMIN_FOR_ALL</file>
|
||||
vide ouvre l'accès pour toutes les connexions; ce comportement
|
||||
dangereux sera supprimé dans une version à venir, son utilisation est
|
||||
fortement découragée.
|
||||
</p>
|
||||
</note>
|
||||
|
||||
</section>
|
||||
|
||||
</page>
|
||||
|
|
|
@ -95,6 +95,19 @@ def test_admin_for_all():
|
|||
pub.cfg['admin-permissions'] = {'settings': [role.id]}
|
||||
pub.write_cfg()
|
||||
resp = get_app(pub).get('/backoffice/settings/', status=200)
|
||||
|
||||
# check it doesn't work with a non-empty ADMIN_FOR_ALL file
|
||||
fd = open(os.path.join(pub.app_dir, 'ADMIN_FOR_ALL'), 'w')
|
||||
fd.write('x.x.x.x')
|
||||
fd.close()
|
||||
resp = get_app(pub).get('/backoffice/settings/', status=302)
|
||||
|
||||
# check it works if the file contains the user IP address
|
||||
fd = open(os.path.join(pub.app_dir, 'ADMIN_FOR_ALL'), 'w')
|
||||
fd.write('127.0.0.1')
|
||||
fd.close()
|
||||
resp = get_app(pub).get('/backoffice/settings/', status=200)
|
||||
|
||||
finally:
|
||||
del pub.cfg['admin-permissions']
|
||||
pub.write_cfg()
|
||||
|
|
|
@ -137,7 +137,8 @@ def clean_temporary_pub():
|
|||
known_elements.sql_db_name = None
|
||||
|
||||
def get_app(pub):
|
||||
return TestApp(QWIP(pub), extra_environ={'HTTP_HOST': 'example.net'})
|
||||
return TestApp(QWIP(pub), extra_environ={
|
||||
'HTTP_HOST': 'example.net', 'REMOTE_ADDR': '127.0.0.1'})
|
||||
|
||||
def login(app, username='admin', password='admin'):
|
||||
login_page = app.get('/login/')
|
||||
|
|
|
@ -99,11 +99,25 @@ class RootDirectory(BackofficeRootDirectory):
|
|||
# to be marked as admin
|
||||
return get_request().user.can_go_in_admin()
|
||||
|
||||
def check_admin_for_all(self):
|
||||
admin_for_all_file_path = os.path.join(get_publisher().app_dir, 'ADMIN_FOR_ALL')
|
||||
if not os.path.exists(os.path.join(admin_for_all_file_path)):
|
||||
return False
|
||||
admin_for_all_contents = open(admin_for_all_file_path).read()
|
||||
if not admin_for_all_contents:
|
||||
# empty file, access is granted to everybody
|
||||
return True
|
||||
if get_request().get_environ('REMOTE_ADDR', '') in admin_for_all_contents.splitlines():
|
||||
# if the file is not empty it should contain the list of authorized
|
||||
# IP addresses.
|
||||
return True
|
||||
return False
|
||||
|
||||
def _q_access(self):
|
||||
get_response().breadcrumb.append( ('backoffice/', _('Back Office')) )
|
||||
req = get_request()
|
||||
|
||||
if os.path.exists(os.path.join(get_publisher().app_dir, 'ADMIN_FOR_ALL')):
|
||||
if self.check_admin_for_all():
|
||||
get_response().filter['admin_for_all'] = True
|
||||
return
|
||||
|
||||
|
|
Loading…
Reference in New Issue