Forum OpenACS Q&A: Restrict access to a package based on IP address range?
I was wondering what was the best way to restrict access to a package based on IP address. I reckon I need to register a filter (postauth?) that looks at the IP address and restricts access based on that.
Where though would I put this filter in OpenACS 5?
Will this over-ride the permissions and Sitemap settings for this package (or am I mixing up apples and oranges here)?
Any other ways of achieving this functionality?
Ideally we would add permission checks based on IP address into the permission system. But this might take a while and I'm not utterly sure how we would go about this anyway (we could have "named networks", which we could select in the permission granting scheme of things, but this might add too much of a burden on the already fairly complex permission system).
Quick fix: Register a URL-based filter in /tcl/0-acs-init.tcl or even better: /packages/acs-subsite/tcl/acs-subsite-init.tcl. You can take the preauth filter for /doc/ as an example to work off from. Create a procedure that checks for the IP addresses and off you go.
I took a look in /packages/acs-subsite/tcl/acs-subsite-init.tcl but all the code is commented out. /tcl/0-acs-init.tcl doesn't have any filters either. Is there another place to put filters?
ad_register_filter -critical t -debug t postauth * /foo/* my_access_control_proc
Note that in my case the URLs I was dealing with were not part of any OpenACS package, so the my_access_control_proc above was doing a big nasty query implementing all the different access control rules (IP based, OpenACS user/group based, etc.) at once. If the query said access is approved, the proc just returns filter_ok. If query said denied, send a nice templated access denied yada yada page to the user, and return
You'll probably also want to cache the results of that access control proc for a limited time with util_memoize, but you can worry about that later once you have it working.
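A sketch of the kind of filter proc discussed in this thread, restricted to IPv4 allow-listing. It is an added example, not code from the thread or from OpenACS: the helper names ip_to_int and ip_in_cidr, the sample networks, the {conn arg why} filter signature and the plain 403 response (instead of a templated page) are assumptions.

```tcl
# Added example. Helper names and the network list are hypothetical.

# Dotted-quad IPv4 -> integer, or -1 if malformed (IPv6 therefore fails closed).
proc ip_to_int {ip} {
    set octets [split $ip .]
    if {[llength $octets] != 4} { return -1 }
    set n 0
    foreach o $octets {
        if {![regexp {^[0-9]{1,3}$} $o]} { return -1 }
        scan $o %d v                      ;# decimal scan, so "010" is 10, not octal
        if {$v > 255} { return -1 }
        set n [expr {wide($n) * 256 + $v}]
    }
    return $n
}

# 1 if $ip lies inside $cidr (e.g. 10.0.0.0/8), else 0.
proc ip_in_cidr {ip cidr} {
    set parts [split $cidr /]
    if {[llength $parts] != 2} { return 0 }
    foreach {net bits} $parts break
    if {![regexp {^[0-9]{1,2}$} $bits]} { return 0 }
    scan $bits %d bits
    set a [ip_to_int $ip]
    set b [ip_to_int $net]
    if {$a < 0 || $b < 0 || $bits > 32} { return 0 }
    set mask [expr {(wide(0xFFFFFFFF) << (32 - $bits)) & wide(0xFFFFFFFF)}]
    return [expr {($a & $mask) == ($b & $mask)}]
}

# Filter proc; the {conn arg why} signature is assumed.
proc my_access_control_proc {conn arg why} {
    set allowed {10.0.0.0/8 192.168.1.0/24}   ;# constructed sample networks
    # Peer address of the TCP connection; behind a reverse proxy this is the
    # proxy's address, so filter at the proxy in that setup.
    set peer [ns_conn peeraddr]
    foreach cidr $allowed {
        if {[ip_in_cidr $peer $cidr]} { return filter_ok }
    }
    ns_log Notice "IP filter: denied $peer for [ns_conn url]"
    ns_returnforbidden
    return filter_return
}

ad_register_filter -critical t -debug t postauth * /foo/* my_access_control_proc
```

Anything that does not parse as an IPv4 address or falls outside the listed networks is denied, so a malformed entry in the list locks clients out rather than letting them in.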