Merge pull request #345 from catalyst/access-key-fix

Fix: make access key and allowed ips OR conditional
Matthew Hilton
2024-09-30 10:44:32 +10:00
committed by GitHub
3 changed files with 20 additions and 34 deletions
+2
@@ -192,6 +192,8 @@ Note: these restrictions build on each other; If both are enabled, users must me
Only allow users from a certain IP or range of ips to enter.
## Access key
Users provide an access key in the URL params on first page load, which is then stored as a cookie for 24 hours. If the access key matches the one setup for the outage, they are allowed in.
## Using IP restriction with access key
Users will be allowed if they are from the configured allowed ips OR if they provide the correct access key.
Feedback and issues
+2 -10
@@ -321,10 +321,10 @@ if ((time() >= {{STARTTIME}}) && (time() < {{STOPTIME}})) {
$ipblocked = !remoteip_in_list('{{ALLOWEDIPS}}');
$accesskeyblocked = $useraccesskey != '{{ACCESSKEY}}';
$blocked = ({{USEACCESSKEY}} && $accesskeyblocked) || ({{USEALLOWEDIPS}} && $ipblocked);
$allowed = ({{USEACCESSKEY}} && !$accesskeyblocked) || ({{USEALLOWEDIPS}} && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
@@ -347,19 +347,11 @@ if ((time() >= {{STARTTIME}}) && (time() < {{STOPTIME}})) {
if ({{USEALLOWEDIPS}} && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if ({{USEALLOWEDIPS}} && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if ({{USEACCESSKEY}} && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if ({{USEACCESSKEY}} && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');
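Review bot: With `$allowed` now an OR of the two checks, a correct access key alone admits a client from any IP, yet the key is still tested with the loose `!=` on the `$accesskeyblocked` line, which compares two numeric-looking strings as numbers and is not constant-time. A strict, timing-safe check fits better now that the key is sufficient on its own: `$accesskeyblocked = !hash_equals('{{ACCESSKEY}}', (string) $useraccesskey);`. The retained "Blocked by missing or incorrect access key" echo also writes `$useraccesskey` into the 503 page unescaped; its assignment is outside the hunk, but if it comes straight from the URL parameter or cookie the value can close the HTML comment, so either drop it from the message or wrap it in `htmlspecialchars($useraccesskey, ENT_QUOTES)`. The same lines are repeated in the expected generated output in the test file, which would need the matching change, and the surrounding `if` block starts and ends outside these hunks.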
+16 -24
@@ -335,10 +335,10 @@ if ((time() >= 123) && (time() < 456)) {
a.b.c.d
e.e.e.e/20');
$accesskeyblocked = $useraccesskey != '12345';
$blocked = (true && $accesskeyblocked) || (true && $ipblocked);
$allowed = (true && !$accesskeyblocked) || (true && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
@@ -361,19 +361,11 @@ e.e.e.e/20');
if (true && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if (true && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if (true && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if (true && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');
@@ -422,10 +414,10 @@ if ((time() >= 123) && (time() < 456)) {
$ipblocked = !remoteip_in_list('127.0.0.1');
$accesskeyblocked = $useraccesskey != '5678';
$blocked = (true && $accesskeyblocked) || (true && $ipblocked);
$allowed = (true && !$accesskeyblocked) || (true && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
@@ -448,19 +440,11 @@ if ((time() >= 123) && (time() < 456)) {
if (true && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if (true && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if (true && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if (true && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');
@@ -679,12 +663,11 @@ EOT;
* @return array
*/
public static function evaluation_maintenancepage_provider(): array {
$allowedipout = '<!-- Your IP is allowed:';
$blockedipout = '<!-- Blocked by ip, your ip:';
$allowedaccesskeyout = '<!-- Your access key is allowed:';
$blockedaccesskeyout = '<!-- Blocked by missing or incorrect access key, access key given:';
return [
// IP set up, access key not set up.
'ip allowed, no access key setup' => [
'allowedips' => '127.0.0.1',
'iptouse' => '127.0.0.1',
@@ -699,6 +682,7 @@ EOT;
'accesskeytouse' => null,
'expectedoutputs' => [$blockedipout],
],
// IP not set up, access key set up.
'access key incorrect, no ip setup' => [
'allowedips' => null,
'iptouse' => null,
@@ -713,19 +697,27 @@ EOT;
'accesskeytouse' => '12345',
'expectedoutputs' => [],
],
// Both IP and access key set up.
'access key incorrect, ip incorrect' => [
'allowedips' => '127.0.0.1',
'iptouse' => '5.5.5.5',
'accesskey' => '12345',
'accesskeytouse' => 'wrong',
'expectedoutputs' => [$blockedipout, $blockedaccesskeyout],
],
'access key correct, ip incorrect' => [
'allowedips' => '127.0.0.1',
'iptouse' => '5.5.5.5',
'accesskey' => '12345',
'accesskeytouse' => '12345',
'expectedoutputs' => [$allowedaccesskeyout, $blockedipout],
'expectedoutputs' => [],
],
'access key incorrect, ip correct' => [
'allowedips' => '127.0.0.1',
'iptouse' => '127.0.0.1',
'accesskey' => '12345',
'accesskeytouse' => 'wrong',
'expectedoutputs' => [$blockedaccesskeyout, $allowedipout],
'expectedoutputs' => [],
],
'access key correct, ip correct' => [
'allowedips' => '127.0.0.1',