From 269c9a0010c2495db961c185e83fd52b33b04d73 Mon Sep 17 00:00:00 2001 From: xue <> Date: Tue, 11 Sep 2007 02:09:27 +0000 Subject: Fixed #692, #700. --- framework/Security/TAuthorizationRule.php | 59 +++++++++++++++++++++++++++++-- 1 file changed, 57 insertions(+), 2 deletions(-) (limited to 'framework/Security') diff --git a/framework/Security/TAuthorizationRule.php b/framework/Security/TAuthorizationRule.php index fa1eb134..5b3a3c25 100644 --- a/framework/Security/TAuthorizationRule.php +++ b/framework/Security/TAuthorizationRule.php @@ -14,7 +14,7 @@ * * TAuthorizationRule represents a single authorization rule. * A rule is specified by an action (required), a list of users (optional), - * a list of roles (optional), and a verb (optional). + * a list of roles (optional), a verb (optional), and a list of IP rules (optional). * Action can be either 'allow' or 'deny'. * Guest (anonymous, unauthenticated) users are represented by question mark '?'. * All users (including guest users) are represented by asterisk '*'. @@ -22,6 +22,7 @@ * Users/roles are case-insensitive. * Different users/roles are separated by comma ','. * Verb can be either 'get' or 'post'. If it is absent, it means both. + * IP rules are separated by comma ',' and can contain wild card in the rules (e.g. '192.132.23.33, 192.122.*.*') * * @author Qiang Xue * @version $Id$ @@ -46,6 +47,10 @@ class TAuthorizationRule extends TComponent * @var string verb, may be empty, 'get', or 'post'. */ private $_verb; + /** + * @var string IP patterns + */ + private $_ipRules; /** * @var boolean if this rule applies to everyone */ @@ -65,8 +70,9 @@ class TAuthorizationRule extends TComponent * @param string a comma separated user list * @param string a comma separated role list * @param string verb, can be empty, 'get', or 'post' + * @param string IP rules (separated by comma, can contain wild card *) */ - public function __construct($action,$users,$roles,$verb='') + public function __construct($action,$users,$roles,$verb='',$ipRules='') { $action=strtolower(trim($action)); if($action==='allow' || $action==='deny') @@ -75,6 +81,7 @@ class TAuthorizationRule extends TComponent throw new TInvalidDataValueException('authorizationrule_action_invalid',$action); $this->_users=array(); $this->_roles=array(); + $this->_ipRules=array(); $this->_everyone=false; $this->_guest=false; $this->_authenticated=false; @@ -105,6 +112,11 @@ class TAuthorizationRule extends TComponent $this->_verb=$verb; else throw new TInvalidDataValueException('authorizationrule_verb_invalid',$verb); + foreach(explode(',',$ipRules) as $ipRule) + { + if(($ipRule=trim($ipRule))!=='') + $this->_ipRules[]=$ipRule; + } } /** @@ -139,6 +151,15 @@ class TAuthorizationRule extends TComponent return $this->_verb; } + /** + * @return array list of IP rules. + * @since 3.1.1 + */ + public function getIPRules() + { + return $this->_ipRules; + } + /** * @return boolean if this rule applies to everyone */ @@ -171,6 +192,8 @@ class TAuthorizationRule extends TComponent $decision=($this->_action==='allow')?1:-1; if($this->_verb==='' || strcasecmp($verb,$this->_verb)===0) { + if(!$this->isHostAddressMatched()) + return 0; if($this->_everyone || ($this->_guest && $user->getIsGuest()) || ($this->_authenticated && !$user->getIsGuest())) return $decision; if(in_array(strtolower($user->getName()),$this->_users)) @@ -181,6 +204,38 @@ class TAuthorizationRule extends TComponent } return 0; } + + private function isHostAddressMatched() + { + if(empty($this->_ipRules)) + return 1; + $ip=Prado::getApplication()->getRequest()->getUserHostAddress(); + foreach($this->_ipRules as $rule) + { + if($rule===$ip) + return 1; + if(strpos($rule,'*')!==false) + { + $a=explode('.',$rule); + $b=explode('.',$ip); + if(isset($a[3]) && isset($b[3])) + { + $matched=true; + for($i=0;$i<4;++$i) + { + if($a[$i]!==$b[i] && $a[$i]!=='*') + { + $matched=false; + break; + } + } + if($matched) + return 1; + } + } + } + return 0; + } } -- cgit v1.2.3