Page MenuHomePhabricator
Create Task
Maniphest T9492

Feature: grant privileges to certain IP address ranges.
Closed, ResolvedPublic
Actions

Description

Author: jyelon

Description:
I have provided code for this enhancement. It allows the wiki to grant
privileges based on the IP address of the user. You use it by putting this sort
of thing into your LocalSettings.php:

$wgIpAddressRanges = array(

"192.168.*.*" => "mycompany"

);

$wgGroupPermissions["mycompany","createaccount"] = true;

Here is the code that implements this feature:

http://panda3d.org/josh/ip-privileges.patch

The patch is against 1.7.1. The total amount of code in this patch is only
about two dozen lines. I should warn you that I'm not a particularly
experienced mediawiki coder, so somebody who knows what they're doing should
definitely read over the code. Fortunately, that should only take a minute,
since it's so short.

The particular situation that led me to implement this feature is as follows. I
work at a university, and we want a wiki where only university students can
create accounts, but where anyone can read the wiki. Since we have thousands of
students, and thousands more every semester, it is impractical to assign
privileges by handing out accounts. Doing it by IP address range makes more sense.

If you have time, let me know if you integrate this patch. jyelon@gmail.com

Version: unspecified
Severity: enhancement

Details

Reference
bz7492

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:27 PM
bzimport added a project: MediaWiki-User-login-and-signup.
bzimport set Reference to bz7492.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Oct 4 2006, 5:06 PM
bzimport added a comment.Oct 4 2006, 5:53 PM

jimmy.collins wrote:

Please post your patch as *attachment* to this bug in unified format (patch -u).

Thanks!

bzimport added a comment.Oct 4 2006, 6:00 PM

jyelon wrote:

Adds the ability to grant privileges based on IP address.

attachment wikipatch ignored as obsolete

bzimport added a comment.Oct 4 2006, 6:02 PM

jyelon wrote:

Hang on, I'm not used to doing this. Give me a second, I'll get this right
eventually.

brion added a comment.Oct 4 2006, 6:05 PM

$_SERVER['REMOTE_ADDR'] isn't safe when proxies are part of the setup;
use wfGetIP() which follows the permitted proxy headers.

bzimport added a comment.Oct 4 2006, 6:07 PM

jimmy.collins wrote:

(In reply to comment #1)

Please post your patch as *attachment* to this bug in unified format (patch -u).

"diff -u" of course - sorry

bzimport added a comment.Oct 4 2006, 6:11 PM

jyelon wrote:

Adds the ability to grant privileges based on IP address

This one's a unified diff (diff -u). Sorry, still getting used to the system.

attachment unified-diff ignored as obsolete

bzimport added a comment.Oct 4 2006, 6:32 PM

jyelon wrote:

Variant using wgGetIp instead of $_SERVER['REMOTE_ADDR']

Brion recommended this modification. I tested it and it worked fine in the
normal case (I don't have a proxy setup, so I wasn't able to test that case).

However, this raises a question in my mind. In the event that somebody is
talking to the wiki via a proxy, we need to use the IP address of the proxy,
not the IP address that the proxy reports. Using the latter would make a huge
security hole, since anyone could code up a proxy that reports any IP that they
wish. Which does wfGetIp report? Which does $_SERVER['REMOTE_ADDR'] report?
These things are beyond my knowledge and experience.

attachment wikipatch ignored as obsolete

brion added a comment.Oct 4 2006, 6:44 PM

"...use wfGetIP() which follows the permitted proxy headers."

See ProxyTools.php for details.

bzimport added a comment.Oct 4 2006, 6:50 PM

jyelon wrote:

Well, deciphering the code in ProxyTools.php is more that I can currently
manage. I'll leave it to coders older and wiser than myself to decide what's
the right method.

bzimport added a comment.Oct 4 2006, 7:05 PM

jyelon wrote:

Variant using wfGetIP instead of $_SERVER['REMOTE_ADDR']

This time, without the typo. I'm not sure how the typo got through last time,
I thought I tested it.

attachment wikipatch ignored as obsolete

demon added a comment.Dec 14 2008, 5:44 PM

Created attachment 5581
New implementation

Redo this using the Autopromote stuff. Allows the user to get rights if they're either A) A specific IP address (using APCOND_ISIP) or B) In a range (using APCOND_IPINRANGE)

Attached:

autopromote.patch1009 BDownload

demon added a comment.Dec 14 2008, 8:49 PM

Done in r44592

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL