diff --git a/app/assets/javascripts/admin/components/screened_ip_address_form_component.js b/app/assets/javascripts/admin/components/screened_ip_address_form_component.js
index 69c517f00bd..1bf90b0227b 100644
--- a/app/assets/javascripts/admin/components/screened_ip_address_form_component.js
+++ b/app/assets/javascripts/admin/components/screened_ip_address_form_component.js
@@ -18,14 +18,25 @@ Discourse.ScreenedIpAddressFormComponent = Ember.Component.extend({
 formSubmitted: false,
 actionName: 'block',
- actionNames: function() {
- return [
- {id: 'block', name: I18n.t('admin.logs.screened_ips.actions.block')},
- {id: 'do_nothing', name: I18n.t('admin.logs.screened_ips.actions.do_nothing')},
- {id: 'allow_admin', name: I18n.t('admin.logs.screened_ips.actions.allow_admin')}
- ];
+ adminWhitelistEnabled: function() {
+ return Discourse.SiteSettings.use_admin_ip_whitelist;
 }.property(),
+ actionNames: function() {
+ if (this.get('adminWhitelistEnabled')) {
+ return [
+ {id: 'block', name: I18n.t('admin.logs.screened_ips.actions.block')},
+ {id: 'do_nothing', name: I18n.t('admin.logs.screened_ips.actions.do_nothing')},
+ {id: 'allow_admin', name: I18n.t('admin.logs.screened_ips.actions.allow_admin')}
+ ];
+ } else {
+ return [
+ {id: 'block', name: I18n.t('admin.logs.screened_ips.actions.block')},
+ {id: 'do_nothing', name: I18n.t('admin.logs.screened_ips.actions.do_nothing')}
+ ];
+ }
+ }.property('adminWhitelistEnabled'),
+
 actions: {
 submit: function() {
 if (!this.get('formSubmitted')) {
diff --git a/app/models/screened_ip_address.rb b/app/models/screened_ip_address.rb
index 287a7dd0612..82d63cdcd93 100644
--- a/app/models/screened_ip_address.rb
+++ b/app/models/screened_ip_address.rb
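Review bot: In screened_ip_address_form_component.js the new `actionNames` repeats the `block` and `do_nothing` entries in both branches, so any later change to the action list has to be made in two places. Building the shared list once and appending `allow_admin` only when `adminWhitelistEnabled` is set keeps a single definition. Hiding the option is a UI convenience only; whether the server refuses to create `allow_admin` records while the setting is off is not visible in this diff and is worth confirming. The component body starts and ends outside the hunk.

```javascript
actionNames: function() {
  var names = [
    {id: 'block', name: I18n.t('admin.logs.screened_ips.actions.block')},
    {id: 'do_nothing', name: I18n.t('admin.logs.screened_ips.actions.do_nothing')}
  ];
  // allow_admin is only offered while use_admin_ip_whitelist is on
  if (this.get('adminWhitelistEnabled')) {
    names.push({id: 'allow_admin', name: I18n.t('admin.logs.screened_ips.actions.allow_admin')});
  }
  return names;
}.property('adminWhitelistEnabled'),
```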
@@ -75,6 +75,7 @@ class ScreenedIpAddress < ActiveRecord::Base
 end
 def self.block_admin_login?(user, ip_address)
+ return false unless SiteSetting.use_admin_ip_whitelist
 return false if user.nil?
 return false if !user.admin?
 return false if ScreenedIpAddress.where(action_type: actions[:allow_admin]).count == 0
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index c3a0b253bf3..21e4d67e856 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -862,6 +862,7 @@ en:
 enable_noscript_support: "Enable standard webcrawler search engine support via the noscript tag"
 allow_moderators_to_create_categories: "Allow moderators to create new categories"
 cors_origins: "Allowed origins for cross-origin requests (CORS). Each origin must include http:// or https://. The DISCOURSE_ENABLE_CORS env variable must be set to true to enable CORS."
+ use_admin_ip_whitelist: "Admins can only log in if they are at an IP address defined in the Screened IPs list (Admin > Logs > Screened Ips)."
 top_menu: "Determine which items appear in the homepage navigation, and in what order. Example latest|new|unread|categories|top|read|posted|bookmarks"
 post_menu: "Determine which items appear on the post menu, and in what order. Example like|edit|flag|delete|share|bookmark|reply"
 post_menu_hidden_items: "The menu items to hide by default in the post menu unless an expansion ellipsis is clicked on."
diff --git a/config/site_settings.yml b/config/site_settings.yml
index f0822e1aaa0..3b9acbcbaa1 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -656,6 +656,9 @@ security:
 cors_origins:
 default: ''
 type: list
+ use_admin_ip_whitelist:
+ default: false
+ client: true
 onebox:
 enable_flash_video_onebox: false
diff --git a/spec/controllers/session_controller_spec.rb b/spec/controllers/session_controller_spec.rb
index 59a838a52f4..26d9b7f579c 100644
--- a/spec/controllers/session_controller_spec.rb
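Review bot: The new first guard in `block_admin_login?` (app/models/screened_ip_address.rb) makes enforcement opt-in, and site_settings.yml defaults `use_admin_ip_whitelist` to false, so a site that already has `allow_admin` rows would stop restricting admin logins after upgrading unless something turns the setting on; no migration doing that is visible in this diff. Consider enabling the setting in a migration when `allow_admin` records exist, and record the behaviour above the guard, e.g. `# Opt-in: existing allow_admin rows are ignored while use_admin_ip_whitelist is off.` The unchanged `count == 0` line also means that turning the setting on with an empty list blocks nobody, which the new setting description ("Admins can only log in if ...") does not convey. The method body continues outside the hunk.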
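Review bot: `client: true` on `use_admin_ip_whitelist` in config/site_settings.yml publishes the flag with the other client-side settings, although only the admin screened-IP form reads it. If client settings are delivered to every visitor (not shown in this diff), anyone can tell whether admin logins are IP-restricted; limiting it to staff, or having the admin endpoint return the available actions, would avoid that. At minimum a comment such as `# client: true only so the admin Screened IPs form can hide allow_admin` would record why it is exposed.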
+++ b/spec/controllers/session_controller_spec.rb
@@ -507,6 +507,7 @@ describe SessionController do
 let(:permitted_ip_address) { '111.234.23.11' }
 before do
 Fabricate(:screened_ip_address, ip_address: permitted_ip_address, action_type: ScreenedIpAddress.actions[:allow_admin])
+ SiteSetting.stubs(:use_admin_ip_whitelist).returns(true)
 end
 it 'is successful for admin at the ip address' do
diff --git a/spec/models/screened_ip_address_spec.rb b/spec/models/screened_ip_address_spec.rb
index ef176fb2cda..37385784f34 100644
--- a/spec/models/screened_ip_address_spec.rb
+++ b/spec/models/screened_ip_address_spec.rb
@@ -240,20 +240,29 @@ describe ScreenedIpAddress do
 describe '#block_admin_login?' do
 context 'no allow_admin records exist' do
- it "returns false when user is nil" do
- expect(described_class.block_admin_login?(nil, '123.12.12.12')).to eq(false)
- end
- it "returns false for non-admin user" do
+ it "returns false when use_admin_ip_whitelist is false" do
 expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
 end
- it "returns false for admin user" do
- expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(false)
- end
+ context "use_admin_ip_whitelist is true" do
+ before { SiteSetting.stubs(:use_admin_ip_whitelist).returns(true) }
- it "returns false for admin user and ip_address arg is nil" do
- expect(described_class.block_admin_login?(Fabricate.build(:admin), nil)).to eq(false)
+ it "returns false when user is nil" do
+ expect(described_class.block_admin_login?(nil, '123.12.12.12')).to eq(false)
+ end
+
+ it "returns false for non-admin user" do
+ expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
+ end
+
+ it "returns false for admin user" do
+ expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(false)
+ end
+
+ it "returns false for admin user and ip_address arg is nil" do
+ expect(described_class.block_admin_login?(Fabricate.build(:admin), nil)).to eq(false)
+ end
 end
 end
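Review bot: The added example `returns false when use_admin_ip_whitelist is false` in the 'no allow_admin records exist' context passes a regular user with no allow_admin rows, so it returns false with or without the new guard and does not test the setting. The same-named example in the next hunk (an admin at '123.12.12.12' with an allow_admin row present) is the one that exercises the guard, but both rely on the setting's default value rather than stating it. Stubbing it explicitly keeps the intent clear and survives a default change: wrap the example in `context "use_admin_ip_whitelist is false"` with `before { SiteSetting.stubs(:use_admin_ip_whitelist).returns(false) }`. The describe block starts and ends outside this hunk.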
@@ -263,24 +272,32 @@ describe ScreenedIpAddress do
 Fabricate(:screened_ip_address, ip_address: @permitted_ip_address, action_type: described_class.actions[:allow_admin])
 end
- it "returns false when user is nil" do
- expect(described_class.block_admin_login?(nil, @permitted_ip_address)).to eq(false)
+ it "returns false when use_admin_ip_whitelist is false" do
+ expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(false)
 end
- it "returns false for an admin user at the allowed ip address" do
- expect(described_class.block_admin_login?(Fabricate.build(:admin), @permitted_ip_address)).to eq(false)
- end
+ context "use_admin_ip_whitelist is true" do
+ before { SiteSetting.stubs(:use_admin_ip_whitelist).returns(true) }
- it "returns true for an admin user at another ip address" do
- expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(true)
- end
+ it "returns false when user is nil" do
+ expect(described_class.block_admin_login?(nil, @permitted_ip_address)).to eq(false)
+ end
- it "returns false for regular user at allowed ip address" do
- expect(described_class.block_admin_login?(Fabricate.build(:user), @permitted_ip_address)).to eq(false)
- end
+ it "returns false for an admin user at the allowed ip address" do
+ expect(described_class.block_admin_login?(Fabricate.build(:admin), @permitted_ip_address)).to eq(false)
+ end
- it "returns false for regular user at another ip address" do
- expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
+ it "returns true for an admin user at another ip address" do
+ expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(true)
+ end
+
+ it "returns false for regular user at allowed ip address" do
+ expect(described_class.block_admin_login?(Fabricate.build(:user), @permitted_ip_address)).to eq(false)
+ end
+
+ it "returns false for regular user at another ip address" do
+ expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
+ end
 end
 end
 end