Topic: how to deny access to operator tab ?

[koolance]

Dear Team,
Please help. My situation is like:

I have a server (10.0.0.10) internal. I have external IP address and port 80 forwarded to 10.0.0.10. Everything works like a charm. But i want to disable operators log in from outside and leave only local users.

So in version 1.6.X i was using htaccess file near operator php like:

Order deny,allow
Deny from all
Allow from 10.0.0.0/24
Allow from 10.0.1.0/24
Allow from 10.0.2.0/24

it was working. Now i have upgraded to latest version 2.0. As i see it used YII.
I am trying to restrict access to http:/IP/index.php/operator where IP is IPs external one.
But i do not understand where should i put htaccess that was working in 1.6.X?
Thank you

[Dmitriy Simushev]

I don't think you can achieve it with .htaccess file.

It seems that you have to create a plugin which alter routes and replaces access checks with custom ones.

[koolance]

But this was working in 1.6 version. (Basically i need to know what path is affected for operator and need to put there htaccess ... by logic)
Can you please advise, plugin solution ?

[Dmitriy Simushev]

Mibew now uses dynamic routing and all requests are processed by the front controller. There is no operator directory anymore so there is no place you can put .htaccess file.

I've already told you that the only option it to create a plugin which alter routes. If you need a point where to start with plugins development take a look at https://github.com/Mibew/boilerplate-plugin and "ROUTES_ALTER" event description at http://docs.mibew.org/development/server-side-events.html#routing-events page.

[koolance]

Dear Dmitriy,
Sorry had no time to develop plugin, but i have modified: logincontroller.php to accept only internal IP address, here is file:

<?php
/*
 * This file is a part of Mibew Messenger.
 *
 * Copyright 2005-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace Mibew\Controller;

use Symfony\Component\HttpFoundation\Request;

/**
 * Contains acctions related with operator login process.
 */

function get_IP_address()
{
    foreach (array('HTTP_CLIENT_IP',
                   'HTTP_X_FORWARDED_FOR',
                   'HTTP_X_FORWARDED',
                   'HTTP_X_CLUSTER_CLIENT_IP',
                   'HTTP_FORWARDED_FOR',
                   'HTTP_FORWARDED',
                   'REMOTE_ADDR') as $key){
        if (array_key_exists($key, $_SERVER) === true){
            foreach (explode(',', $_SERVER[$key]) as $IPaddress){
                $IPaddress = trim($IPaddress); // Just to be safe

                if (filter_var($IPaddress,
                               FILTER_VALIDATE_IP,
                               FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)
                    !== false) {

                    return $IPaddress;
                }
            }
        }
    }
}

$PublicIP = get_IP_address();
if ($PublicIP== "") {
class LoginController extends AbstractController
{
    /**
     * Builds a page with login form.
     *
     * @param Request $request Incoming request.
     * @return string Rendered page content.
     */
    public function showFormAction(Request $request)
    {
        // Check if the operator already logged in
        if ($this->getOperator()) {
            // Redirect the operator to home page.
            // TODO: Use a route for URI generation.
            return $this->redirect($request->getUriForPath('/operator'));
        }

        $page = array(
            'formisRemember' => true,
            'version' => MIBEW_VERSION,
            // Use errors list stored in the request. We need to do so to have
            // an ability to pass the request from the "submitForm" action.
            'errors' => $request->attributes->get('errors', array()),
        );

        // Try to get login from the request.
        if ($request->request->has('login')) {
            $page['formlogin'] = $request->request->get('login');
        } elseif ($request->query->has('login')) {
            $login = $request->query->get('login');
            if (preg_match("/^(\w{1,15})$/", $login)) {
                $page['formlogin'] = $login;
            }
        }

        $page['localeLinks'] = get_locale_links();
        $page['title'] = getlocal('Login');
        $page['headertitle'] = getlocal('Mibew Messenger');
        $page['show_small_login'] = false;
        $page['fixedwrap'] = true;

        return $this->render('login', $page);
    }

    /**
     * Processes submitting of the form which is generated in
     * {@link \Mibew\Controller\LoginController::showFormAction()} method.
     *
     * Triggers 'operatorLogin' event after operator logged in and pass to it an
     * associative array with following items:
     *  - 'operator': array of the logged in operator info;
     *  - 'remember': boolean, indicates if system should remember operator.
     *
     * @param Request $request Incoming request.
     * @return string Rendered page content.
     */
    public function submitFormAction(Request $request)
    {
        csrf_check_token($request);

        $login = $request->request->get('login');
        $password = $request->request->get('password');
        $remember = $request->request->get('isRemember') == 'on';
        $errors = array();

        $operator = operator_by_login($login);
        $operator_can_login = $operator
            && isset($operator['vcpassword'])
            && check_password_hash($operator['vclogin'], $password, $operator['vcpassword'])
            && !operator_is_disabled($operator);

        if ($operator_can_login) {
            // Login the operator to the system
            $this->getAuthenticationManager()->loginOperator($operator, $remember);

            // Redirect the current operator to the needed page.
            $target = isset($_SESSION[SESSION_PREFIX . 'backpath'])
                ? $_SESSION[SESSION_PREFIX . 'backpath']
                : $request->getUriForPath('/operator');

            return $this->redirect($target);
        } else {
            if (operator_is_disabled($operator)) {
                $errors[] = getlocal('Your account is temporarily blocked. Please contact system administrator.');
            } else {
                $errors[] = getlocal("Entered login/password is incorrect");
            }
        }

        // Rebuild login form
        $request->attributes->set('errors', $errors);

        return $this->showFormAction($request);
    }
}
}

[Dmitriy Simushev]

Good for you. And what the question is? 

Please, don't post such amount of code here or you'll be banned. If you want to make changes available for others just attach the modified file.