Forum OpenACS Q&A: Restrict access to a package based on IP address range?


Good morning all.

I was wondering what was the best way to restrict access to a package based on IP address. I reckon I need to register a filter (postauth?) that looks at the IP address and restricts access based on that.
Where though would I put this filter in OpenACS 5?
Will this over-ride the permissions and Sitemap settings for this package (or am I mixing up apples and oranges here)?

Any other ways of achieving this functionality?

thanks,
Brian

Posted by Malte Sussdorff on
This is a great idea, which is most likely useful on a mixed intranet/extranet site.

Ideally we would add permission checks based on IP Address into the permission system. But this might take a while and I'm not utterly sure how we would go about this anyway (we could have "named networks", which we could select in the permission granting scheme of things, but this might add to much of a burden on the already fairly complex permission system).

Quick fix: Register a URL-based filter in /tcl/0-acs-init.tcl or even better: /packages/acs-subsite/tcl/acs-subsite-init.tcl. You can take the preauth filter for /doc/ as an example to work from. Create a procedure that checks for the IP addresses and off you go.

Posted by Brian Fenton on
Cool! Thanks Malte. So, it's preauth I want, not postauth? The AOLserver docs say that postauth means "before page data has been returned to the user" so I guess that's too late in the process. So preauth it is.

I took a look in /packages/acs-subsite/tcl/acs-subsite-init.tcl but all the code is commented out. /tcl/0-acs-init.tcl doesn't have any filters either. Is there another place to put filters?

Brian, a postauth filter should be just fine, you don't need preauth. (But I don't remember why you'd prefer one over the other; I recommend checking the AOLserver docs.) Way back when (with ACS 4.2), I did some IP-based access control by registering a filter like this:

ad_register_filter -critical t -debug t postauth * /foo/* my_access_control_proc

Note that in my case the URLs I was dealing with were not part of any OpenACS package, so the my_access_control_proc above was doing a big nasty query implementing all the different access control rules (IP-based, OpenACS user/group-based, etc.) at once. If the query said access is approved, the proc just returns filter_ok. If the query said denied, send a nice templated access denied yada yada page to the user, and return filter_return.

You'll probably also want to cache the results of that access control proc for a limited time with util_memoize, but you can worry about that later once you have it working.
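
A concrete version of the filter described above, written as an added example for this thread (it is not code from the thread, from OpenACS or from AOLserver). It assumes the package is mounted at /intranet/, that the allowed networks are the constructed CIDR list in the namespace variable, and that the registered proc is called with some argument list it can ignore (hence "args"); ad_return_forbidden and ns_conn peeraddr are the standard OpenACS/AOLserver calls, everything else is defined here.

```tcl
# Added example, not part of the original thread: IPv4 allow-list filter
# for one OpenACS package. Mount point and network list are constructed.

namespace eval ip_allow {
    # Networks allowed to reach the package, CIDR notation (constructed sample).
    variable networks [list 10.0.0.0/8 192.168.1.0/24 203.0.113.42/32]
}

# Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
# Returns -1 for anything that is not exactly four octets in 0..255.
proc ip_allow::to_int { ip } {
    # The trailing %c catches junk after the fourth octet, e.g. "1.2.3.4x"
    if { [scan $ip {%d.%d.%d.%d%c} a b c d junk] != 4 } {
        return -1
    }
    foreach octet [list $a $b $c $d] {
        if { $octet < 0 || $octet > 255 } {
            return -1
        }
    }
    # wide() keeps the arithmetic in 64 bits on Tcl 8.4, where plain ints are 32-bit
    return [expr {(wide($a) << 24) | (wide($b) << 16) | (wide($c) << 8) | wide($d)}]
}

# Does $ip fall inside $cidr ("a.b.c.d/bits"; a bare address means /32)?
# Malformed input never matches, so a parse failure can only deny, not allow.
proc ip_allow::in_network { ip cidr } {
    if { ![regexp {^([0-9.]+)/([0-9]{1,2})$} $cidr -> net bits] } {
        set net $cidr
        set bits 32
    }
    if { $bits > 32 } {
        return 0
    }
    set ip_int  [ip_allow::to_int $ip]
    set net_int [ip_allow::to_int $net]
    if { $ip_int < 0 || $net_int < 0 } {
        return 0
    }
    # Top $bits bits set, e.g. /24 -> 0xFFFFFF00; /0 -> 0 (matches everything)
    set mask [expr {((wide(1) << $bits) - 1) << (32 - $bits)}]
    return [expr {($ip_int & $mask) == ($net_int & $mask)}]
}

# The filter proc. Declared with "args" so it accepts whatever argument list
# the request processor hands a registered filter (assumption: it only needs
# the connection's peer address, which it reads from ns_conn directly).
proc ip_allow::filter { args } {
    variable networks
    set peer [ns_conn peeraddr]
    foreach net $networks {
        if { [ip_allow::in_network $peer $net] } {
            return filter_ok
        }
    }
    ns_log Notice "ip_allow: denied $peer for [ns_conn url]"
    ad_return_forbidden "Access denied" \
        "This area can only be reached from the internal network."
    return filter_return
}

# Register it on the package's mount point (assumed /intranet/), postauth as
# in the registration shown earlier in this thread.
ad_register_filter -critical t postauth * /intranet/* ip_allow::filter
```

Two things to check before relying on it. First, watch the ns_log line while requesting several URLs under the mount point (index page, a deep page, a file with a query string) to confirm the filter actually fires for every request and not just some; a filter that silently isn't invoked fails open. Second, ns_conn peeraddr is the TCP peer: if AOLserver sits behind a reverse proxy it will always be the proxy's address, and any X-Forwarded-For header is client-controlled unless the proxy strips and re-sets it, so only substitute that header for the peer address when the request demonstrably came from your own proxy.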

Posted by Jeff Davis on
I think it's tricky to use postauth filters since the request processor hijacks everything and runs as a preauth filter (iirc). You should definitely be careful to make sure the filter is in fact invoked for all requests.