FEATURE: add site setting use_admin_ip_whitelist to enable/disable the whitelisting of admins by IP address

2015-09-21 16:56:25 -04:00 · 2015-09-21 16:56:25 -04:00 · 5ca26a7707
parent 7d4dbc9962
commit 5ca26a7707
6 changed files with 62 additions and 28 deletions
--- a/app/assets/javascripts/admin/components/screened_ip_address_form_component.js
+++ b/app/assets/javascripts/admin/components/screened_ip_address_form_component.js
@ -18,14 +18,25 @@ Discourse.ScreenedIpAddressFormComponent = Ember.Component.extend({
  formSubmitted: false,
  actionName: 'block',

-  actionNames: function() {
-    return [
-      {id: 'block',       name: I18n.t('admin.logs.screened_ips.actions.block')},
-      {id: 'do_nothing',  name: I18n.t('admin.logs.screened_ips.actions.do_nothing')},
-      {id: 'allow_admin', name: I18n.t('admin.logs.screened_ips.actions.allow_admin')}
-    ];
+  adminWhitelistEnabled: function() {
+    return Discourse.SiteSettings.use_admin_ip_whitelist;
  }.property(),

+  actionNames: function() {
+    if (this.get('adminWhitelistEnabled')) {
+      return [
+        {id: 'block',       name: I18n.t('admin.logs.screened_ips.actions.block')},
+        {id: 'do_nothing',  name: I18n.t('admin.logs.screened_ips.actions.do_nothing')},
+        {id: 'allow_admin', name: I18n.t('admin.logs.screened_ips.actions.allow_admin')}
+      ];
+    } else {
+      return [
+        {id: 'block',       name: I18n.t('admin.logs.screened_ips.actions.block')},
+        {id: 'do_nothing',  name: I18n.t('admin.logs.screened_ips.actions.do_nothing')}
+      ];
+    }
+  }.property('adminWhitelistEnabled'),
+
  actions: {
    submit: function() {
      if (!this.get('formSubmitted')) {
--- a/app/models/screened_ip_address.rb
+++ b/app/models/screened_ip_address.rb
@ -75,6 +75,7 @@ class ScreenedIpAddress < ActiveRecord::Base
  end

  def self.block_admin_login?(user, ip_address)
+    return false unless SiteSetting.use_admin_ip_whitelist
    return false if user.nil?
    return false if !user.admin?
    return false if ScreenedIpAddress.where(action_type: actions[:allow_admin]).count == 0
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -862,6 +862,7 @@ en:
    enable_noscript_support: "Enable standard webcrawler search engine support via the noscript tag"
    allow_moderators_to_create_categories: "Allow moderators to create new categories"
    cors_origins: "Allowed origins for cross-origin requests (CORS). Each origin must include http:// or https://. The DISCOURSE_ENABLE_CORS env variable must be set to true to enable CORS."
+    use_admin_ip_whitelist: "Admins can only log in if they are at an IP address defined in the Screened IPs list (Admin > Logs > Screened Ips)."
    top_menu: "Determine which items appear in the homepage navigation, and in what order. Example latest|new|unread|categories|top|read|posted|bookmarks"
    post_menu: "Determine which items appear on the post menu, and in what order. Example like|edit|flag|delete|share|bookmark|reply"
    post_menu_hidden_items: "The menu items to hide by default in the post menu unless an expansion ellipsis is clicked on."
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -656,6 +656,9 @@ security:
  cors_origins:
    default: ''
    type: list
+  use_admin_ip_whitelist:
+    default: false
+    client: true

 onebox:
  enable_flash_video_onebox: false
--- a/spec/controllers/session_controller_spec.rb
+++ b/spec/controllers/session_controller_spec.rb
@ -507,6 +507,7 @@ describe SessionController do
        let(:permitted_ip_address) { '111.234.23.11' }
        before do
          Fabricate(:screened_ip_address, ip_address: permitted_ip_address, action_type: ScreenedIpAddress.actions[:allow_admin])
+          SiteSetting.stubs(:use_admin_ip_whitelist).returns(true)
        end

        it 'is successful for admin at the ip address' do
--- a/spec/models/screened_ip_address_spec.rb
+++ b/spec/models/screened_ip_address_spec.rb
@ -240,20 +240,29 @@ describe ScreenedIpAddress do

  describe '#block_admin_login?' do
    context 'no allow_admin records exist' do
-      it "returns false when user is nil" do
-        expect(described_class.block_admin_login?(nil, '123.12.12.12')).to eq(false)
-      end

-      it "returns false for non-admin user" do
+      it "returns false when use_admin_ip_whitelist is false" do
        expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
      end

-      it "returns false for admin user" do
-        expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(false)
-      end
+      context "use_admin_ip_whitelist is true" do
+        before { SiteSetting.stubs(:use_admin_ip_whitelist).returns(true) }

-      it "returns false for admin user and ip_address arg is nil" do
-        expect(described_class.block_admin_login?(Fabricate.build(:admin), nil)).to eq(false)
+        it "returns false when user is nil" do
+          expect(described_class.block_admin_login?(nil, '123.12.12.12')).to eq(false)
+        end
+
+        it "returns false for non-admin user" do
+          expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
+        end
+
+        it "returns false for admin user" do
+          expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(false)
+        end
+
+        it "returns false for admin user and ip_address arg is nil" do
+          expect(described_class.block_admin_login?(Fabricate.build(:admin), nil)).to eq(false)
+        end
      end
    end

@ -263,24 +272,32 @@ describe ScreenedIpAddress do
        Fabricate(:screened_ip_address, ip_address: @permitted_ip_address, action_type: described_class.actions[:allow_admin])
      end

-      it "returns false when user is nil" do
-        expect(described_class.block_admin_login?(nil, @permitted_ip_address)).to eq(false)
+      it "returns false when use_admin_ip_whitelist is false" do
+        expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(false)
      end

-      it "returns false for an admin user at the allowed ip address" do
-        expect(described_class.block_admin_login?(Fabricate.build(:admin), @permitted_ip_address)).to eq(false)
-      end
+      context "use_admin_ip_whitelist is true" do
+        before { SiteSetting.stubs(:use_admin_ip_whitelist).returns(true) }

-      it "returns true for an admin user at another ip address" do
-        expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(true)
-      end
+        it "returns false when user is nil" do
+          expect(described_class.block_admin_login?(nil, @permitted_ip_address)).to eq(false)
+        end

-      it "returns false for regular user at allowed ip address" do
-        expect(described_class.block_admin_login?(Fabricate.build(:user), @permitted_ip_address)).to eq(false)
-      end
+        it "returns false for an admin user at the allowed ip address" do
+          expect(described_class.block_admin_login?(Fabricate.build(:admin), @permitted_ip_address)).to eq(false)
+        end

-      it "returns false for regular user at another ip address" do
-        expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
+        it "returns true for an admin user at another ip address" do
+          expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(true)
+        end
+
+        it "returns false for regular user at allowed ip address" do
+          expect(described_class.block_admin_login?(Fabricate.build(:user), @permitted_ip_address)).to eq(false)
+        end
+
+        it "returns false for regular user at another ip address" do
+          expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
+        end
      end
    end
  end