New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add possibility to restrict piwik access by ip #12242
Conversation
|
👍
|
As mentioned in previous comment it is not really a good solution and will try to find a better solution. And I won't mention it in developer changelog, this does definitely not qualify for developer change. |
I will need to log at tests tomorrow and probs fix ui tests due to translation change. It should work better now and more as expected and even if login plugin is disabled or using different login alternative etc. |
UI tests should now be fixed (other failures not due to this change) and am all happy now with the implementation. In config UI it doesn't really show a field for |
@@ -75,6 +75,18 @@ | |||
|
|||
'Piwik\EventDispatcher' => DI\object()->constructorParameter('observers', DI\get('observers.global')), | |||
|
|||
'login.whitelist.ips' => function (ContainerInterface $c) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Config is wrapped in DI so other plugins can add further IPs dynamically without the risk of changing the config when manipulating the config directly in DI
This might fix #4577 |
Excellent new security feature! 🎉 Added new FAQ: How do I restrict viewing the analytics reports to one or more whitelisted IP addresses or IP ranges? |
No need to mention in developer changelog I would say as it is only new user config settings.
IPs can now be whitelisted like this:
When whistlisted IPs are configured and you try to access it but your IP is not matching, you will see an error like this:
For API the same message is used but doesn't 100% match:
{"result":"error","message":"You cannot log in as your IP is not whitelisted"}
maybe we can find a more generic error message?I decided to implement it within the
Auth
class since this class is not API and the authentication is happening here so we can make sure it is applied everywhere. Also here we know whether we are dealing with a token authenticated request (API) or a regular UI request (login/password or login/cookie).I noticed
LoginHttpAuth
is overwriting theAuth
class even thoughAuth
is not API so it might not 100% work there.Also I noticed
authenticate()
is actually not really supposed to throw an exception but to return aAuthResult(AuthResult::FAILURE)
. Problem with that is the user may enter the correct login / password, but still sees the error messageWrong Username and password combination.
. I wouldn't really like to introduce a newAuthResult::FAILURE_NOT_ALLOWED
or so as this could introduce regressions and makes it harder to identify correct vs failed logins. Any thoughts?