feat(security): restrict admin actions to IP ranges #46473
Conversation
Review thread on lib/private/AppFramework/Middleware/Security/Exceptions/AdminIpNotAllowedException.php (outdated, resolved)
No in-if assignments please
Definitely needs documentation, so that other "admin alike endpoints" are aware and can integrate it and use IGroupManager::isAdmin() instead of checking for the admin group.
lib/public/Security/Ip/IFactory.php (outdated)
* Creates a range from string | ||
* | ||
* @since 30.0.0 | ||
* @throws on invalid range |
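Review bot: `@throws on invalid range` is the UndefinedDocblockClass that Psalm reports for this docblock: the first token after `@throws` is parsed as an exception class name, so `on` is looked up as a class. Put a concrete exception class there and keep the wording as the description, e.g. `@throws \InvalidArgumentException when the range string cannot be parsed` (substituting whichever exception the factory actually throws).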
Check failure (Code scanning / Psalm): UndefinedDocblockClass Error
lib/public/Security/Ip/IFactory.php (outdated)
* Creates a address from string | ||
* | ||
* @since 30.0.0 | ||
* @throws on invalid IP |
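Review bot: same UndefinedDocblockClass problem as in the range docblock above, with `on` being read as the exception class after `@throws`; name the exception class first and move "on invalid IP" into the description. While here, `Creates a address from string` should read `Creates an address from string`.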
Check failure (Code scanning / Psalm): UndefinedDocblockClass Error
lib/private/Server.php (outdated)
@@ -1403,6 +1406,10 @@ | |||
|
|||
$this->registerAlias(\OCP\TaskProcessing\IManager::class, \OC\TaskProcessing\Manager::class); | |||
|
|||
$this->registerAlias(IRemoteAddress::class, RemoteAddress::class); | |||
|
|||
$this->registerAlias(\OCP\Security\Ip\Factory::class, \OC\Security\Ip\Factory::class); |
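Review bot: the UndefinedClass Psalm reports is `\OCP\Security\Ip\Factory::class` on the last added line: the public type introduced by this PR is the interface in lib/public/Security/Ip/IFactory.php, so the alias should map `\OCP\Security\Ip\IFactory::class` to `\OC\Security\Ip\Factory::class`, matching the `IRemoteAddress::class => RemoteAddress::class` alias registered just above it.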
Check failure (Code scanning / Psalm): UndefinedClass Error
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
…king for "in range" Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
Cool feature 🎉🎉🎉🎉🎉 I wonder, would it make sense to document this under https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html?
Yes, exactly there. I think @sorbaugh already discusses this with @Altahrim - we talked about this 30 minutes ago 😁
Added here: nextcloud/documentation#12059
Summary
Restrict admin actions to IP ranges
When the administrator's IP address is not in the specified range, all admin actions are hidden/forbidden.
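The core of such a restriction is a CIDR membership test that fails closed. The following is an added illustration, not code from this PR or Nextcloud's `\OCP\Security\Ip` API: a hypothetical `AdminIpRangeCheck` class that parses IPv4 and IPv6 ranges (throwing on malformed input, as the `IFactory` docblocks describe) and reports whether a client address falls inside any of them; the ranges and addresses are constructed sample values.

```php
<?php
// Hypothetical helper, not Nextcloud's \OCP\Security\Ip API: decides whether a
// client address falls inside any configured admin IP range (IPv4 or IPv6 CIDR).
final class AdminIpRangeCheck {
    private array $ranges = [];  // list of [packed network bytes, prefix length]
    /** @param string[] $ranges e.g. ['10.0.0.0/8', '2001:db8::/32'] */
    public function __construct(array $ranges) {
        foreach ($ranges as $range) {
            $this->ranges[] = self::parseRange($range);
        }
    }
    /** @throws \InvalidArgumentException on a malformed range string */
    private static function parseRange(string $range): array {
        [$net, $prefix] = array_pad(explode('/', $range, 2), 2, null);
        $packed = @inet_pton($net);
        if ($packed === false) {
            throw new \InvalidArgumentException("Invalid network in range: $range");
        }
        $maxBits = strlen($packed) * 8;  // 32 for IPv4, 128 for IPv6
        $bits = $prefix === null ? $maxBits : (int)$prefix;
        if ($prefix !== null && (!ctype_digit($prefix) || $bits > $maxBits)) {
            throw new \InvalidArgumentException("Invalid prefix length in range: $range");
        }
        return [$packed, $bits];
    }
    /** True if $address is inside at least one range; unparsable input fails closed. */
    public function allows(string $address): bool {
        $packed = @inet_pton($address);
        if ($packed === false) {
            return false;
        }
        foreach ($this->ranges as [$net, $bits]) {
            if (strlen($net) !== strlen($packed)) {
                continue;  // never compare an IPv4 range against an IPv6 address
            }
            $full = intdiv($bits, 8);   // whole bytes that must be identical
            $rest = $bits % 8;          // leading bits of the next byte to compare
            $mask = $rest === 0 ? 0 : (0xFF << (8 - $rest)) & 0xFF;
            if (substr($net, 0, $full) === substr($packed, 0, $full)
                && ($rest === 0 || (ord($net[$full]) & $mask) === (ord($packed[$full]) & $mask))) {
                return true;
            }
        }
        return false;
    }
}
// Constructed sample; feed it the proxy-aware remote address, never a raw X-Forwarded-For value.
$check = new AdminIpRangeCheck(['10.0.0.0/8', '192.168.1.0/24', '2001:db8::/32']);
var_dump($check->allows('10.20.30.40'), $check->allows('192.168.2.7'), $check->allows('2001:db8:1::1'));
```

The address handed to `allows()` must be the one the server determined after applying its trusted-proxy configuration, since a client-controlled forwarding header would let anyone claim an allowed address.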
Checklist