diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index 5637cbc9b..bb456bd76 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -69,6 +69,8 @@ prices/totals.
 - fix: Uncommitted Collaborations and adding threads
 - fix: template variable displayLastReply is in none of the CS help files
+ - karma rfe: Faster rendering for editing interface
+ - karma rfe: Limiting access to admin mode to set of ip's
 7.1.3
diff --git a/docs/upgrades/upgrade_7.1.3-7.2.0.pl b/docs/upgrades/upgrade_7.1.3-7.2.0.pl
index 1c50b531f..b224d2d5c 100644
--- a/docs/upgrades/upgrade_7.1.3-7.2.0.pl
+++ b/docs/upgrades/upgrade_7.1.3-7.2.0.pl
@@ -21,6 +21,7 @@ my $quiet; # this line required
 my $session = start(); # this line required
+addAdminModeSubnets($session);
 commerceSalesTax($session);
 createDictionaryStorage($session);
 addRssUrlMacroProcessing($session);
@@ -34,6 +35,13 @@ fixAds($session);
 finish($session); # this line required
+#--------------------------------------------------
+sub addAdminModeSubnets {
+ my $session = shift;
+ print "\tAllowing admin mode to be restricted to certain subnets in the config file.\n" unless ($quiet);
+ $session->config->set("adminModeSubnets",[]);
+}
+
 #--------------------------------------------------
 sub addNewProfileSetting {
 my $session = shift;
diff --git a/etc/WebGUI.conf.original b/etc/WebGUI.conf.original
index ebce34db8..429192a8f 100644
--- a/etc/WebGUI.conf.original
+++ b/etc/WebGUI.conf.original
@@ -151,6 +151,11 @@
 # "emailOverride" : "joe@example.com",
+# By adding CIDR based subnets to the following array you can limit the
+# subnets by which users can turn admin mode on.
+
+"adminModeSubnets" : [ ],
+
 # List the authentication plug-ins you wish to be available on
 # this site.
diff --git a/lib/WebGUI/Operation/Admin.pm b/lib/WebGUI/Operation/Admin.pm
index 252503f23..25f5cb2ee 100644
--- a/lib/WebGUI/Operation/Admin.pm
+++ b/lib/WebGUI/Operation/Admin.pm
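Review bot: `addAdminModeSubnets` writes `adminModeSubnets` to `[]` unconditionally, so re-running this upgrade script, or running it against a config where an operator has already filled the list in by hand, silently empties the list and the restriction fails open. Guard the write so an existing value survives: `$session->config->set("adminModeSubnets", []) unless defined $session->config->get("adminModeSubnets");`. The other upgrade subs in this script are outside the hunk, so I cannot tell whether they follow the same guard-before-set pattern.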
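Review bot: The new comment above `"adminModeSubnets"` in WebGUI.conf.original does not say what the empty default means or what an entry looks like, which matters for a setting that switches a security control on or off. Spell both out, e.g. `# By adding CIDR based subnets (e.g. "192.168.1.0/24") to the following array you can limit the subnets from which users can turn admin mode on. An empty array means no restriction.` Elsewhere in this diff the check compares the client's REMOTE_ADDR against the list, so a one-line warning that sites behind a reverse proxy will see the proxy's address rather than the user's would save an operator from locking everyone out.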
@@ -33,7 +33,7 @@ If the current user is in the Turn On Admin Group, then return an Admin Console.
 sub www_adminConsole {
 my $session = shift;
- return "" unless ($session->user->isInGroup(12));
+ return "" unless ($session->user->canUseAdminMode);
 my $ac = WebGUI::AdminConsole->new($session);
 return $ac->render;
 }
@@ -50,7 +50,7 @@ via WebGUI::Session::Var::switchAdminOff()
 sub www_switchOffAdmin {
 my $session = shift;
- return "" unless ($session->user->isInGroup(12));
+ return "" unless ($session->user->canUseAdminMode);
 $session->http->setCacheControl("none");
 $session->var->switchAdminOff();
 return "";
@@ -66,7 +66,7 @@ If the current user is in the Turn On Admin Group, then allow them to turn on Ad
 sub www_switchOnAdmin {
 my $session = shift;
- return "" unless ($session->user->isInGroup(12));
+ return "" unless ($session->user->canUseAdminMode);
 $session->http->setCacheControl("none");
 $session->var->switchAdminOn();
 return "";
diff --git a/lib/WebGUI/User.pm b/lib/WebGUI/User.pm
index 8562157f9..8e7a72f20 100644
--- a/lib/WebGUI/User.pm
+++ b/lib/WebGUI/User.pm
@@ -120,6 +120,24 @@ sub authMethod {
 #-------------------------------------------------------------------
+=head2 canUseAdminMode ( )
+
+Returns a boolean indicating whether the user has the basic privileges needed to turn on admin mode and use basic admin functions. Note this isn't checking for any special privileges like whether the user can create new users, etc.
+
+=cut
+
+sub canUseAdminMode {
+ my $self = shift;
+ my $pass = 1;
+ my $subnets = $self->session->config->get("adminModeSubnets");
+ if (scalar(@$subnets)) {
+ $pass = isInSubnet($self->session->env->get("REMOTE_ADDR"), $subnets);
+ }
+ return $pass && $self->session->user->isInGroup(12)
+}
+
+#-------------------------------------------------------------------
+
 =head2 dateCreated ( ) + +Returns the epoch for when this user was created.
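Review bot: The POD above `www_adminConsole`, visible in the hunk header as "If the current user is in the Turn On Admin Group, then return an Admin Console", no longer describes the check: `canUseAdminMode` also consults the `adminModeSubnets` config list. Update it to something like `If the current user may use admin mode (is in the Turn On Admin Group and, when adminModeSubnets is configured, connects from one of those subnets), then return an Admin Console.` The POD block itself starts above the hunk.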
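Review bot: Gating `www_switchOffAdmin` on `canUseAdminMode` means a user who turned admin mode on from an allowed subnet and then arrives from another address (changed IP, different proxy hop) is refused the switch-off and is stuck with an admin-mode session they cannot leave through this endpoint. Turning admin mode off is a privilege reduction and should not be subnet-restricted; keep only the group check here: `return "" unless ($session->user->isInGroup(12));`. If the intent is instead that a session outside the allowed subnets must not stay in admin mode, the right fix is to switch it off, not to refuse the request.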
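Review bot: The subnet restriction in `www_switchOnAdmin` is enforced only at the moment admin mode is switched on; nothing in this diff re-checks the client address afterwards, so a session enabled from an allowed subnet keeps admin mode if the same session cookie is later presented from anywhere else (a roaming user, or a stolen cookie). If the feature is meant to confine admin activity to those subnets, the check also belongs wherever admin mode is consulted per request, or admin mode should be switched off when `canUseAdminMode` fails on a later request. Where that per-request check lives is outside this hunk, so this may already be handled elsewhere.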
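Review bot: `canUseAdminMode` tests `$self->session->user->isInGroup(12)` instead of `$self->isInGroup(12)`, so the result depends on the session's current user rather than on the User object the method was called on; for the `$session->user` objects used in Admin.pm the two coincide, but any other caller gets the wrong user's membership. Two more points in the same sub: `scalar(@$subnets)` dies with "Can't use an undefined value as an ARRAY reference" on a config that lacks the key (a site that skipped the upgrade script), and `isInSubnet` is called as a bare function with no import visible in the hunk, so unless WebGUI::User already imports it this fails under strict. `REMOTE_ADDR` is the TCP peer, which behind a reverse proxy is the proxy's own address, so the POD should warn that the restriction then either matches nobody or matches everyone. A reworked body that checks the group first, tolerates a missing key, and fails closed when no peer address is available:
```perl
sub canUseAdminMode {
    my $self = shift;
    # Group membership first: the subnet list only narrows who may use admin mode.
    return 0 unless $self->isInGroup(12);
    my $subnets = $self->session->config->get("adminModeSubnets") || [];
    return 1 unless @$subnets;   # no restriction configured
    my $addr = $self->session->env->get("REMOTE_ADDR");
    return 0 unless defined $addr && length $addr;   # no peer address: fail closed
    return isInSubnet($addr, $subnets) ? 1 : 0;
}
```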