FEATURE: add site setting use_admin_ip_whitelist to enable/disable the whitelisting of admins by IP address

app/assets/javascripts/admin/components/screened_ip_address_form_component.js

@@ -18,14 +18,25 @@ Discourse.ScreenedIpAddressFormComponent = Ember.Component.extend({
   formSubmitted: false,
   actionName: 'block',
 
-  actionNames: function() {
+  adminWhitelistEnabled: function() {
-    return [
+    return Discourse.SiteSettings.use_admin_ip_whitelist;
-      {id: 'block',       name: I18n.t('admin.logs.screened_ips.actions.block')},
-      {id: 'do_nothing',  name: I18n.t('admin.logs.screened_ips.actions.do_nothing')},
-      {id: 'allow_admin', name: I18n.t('admin.logs.screened_ips.actions.allow_admin')}
-    ];
   }.property(),
 
+  actionNames: function() {
+    if (this.get('adminWhitelistEnabled')) {
+      return [
+        {id: 'block',       name: I18n.t('admin.logs.screened_ips.actions.block')},
+        {id: 'do_nothing',  name: I18n.t('admin.logs.screened_ips.actions.do_nothing')},
+        {id: 'allow_admin', name: I18n.t('admin.logs.screened_ips.actions.allow_admin')}
+      ];
+    } else {
+      return [
+        {id: 'block',       name: I18n.t('admin.logs.screened_ips.actions.block')},
+        {id: 'do_nothing',  name: I18n.t('admin.logs.screened_ips.actions.do_nothing')}
+      ];
+    }
+  }.property('adminWhitelistEnabled'),
+
   actions: {
     submit: function() {
       if (!this.get('formSubmitted')) {

app/models/screened_ip_address.rb

@@ -75,6 +75,7 @@ class ScreenedIpAddress < ActiveRecord::Base
   end
 
   def self.block_admin_login?(user, ip_address)
+    return false unless SiteSetting.use_admin_ip_whitelist
     return false if user.nil?
     return false if !user.admin?
     return false if ScreenedIpAddress.where(action_type: actions[:allow_admin]).count == 0

config/locales/server.en.yml

@@ -862,6 +862,7 @@ en:
     enable_noscript_support: "Enable standard webcrawler search engine support via the noscript tag"
     allow_moderators_to_create_categories: "Allow moderators to create new categories"
     cors_origins: "Allowed origins for cross-origin requests (CORS). Each origin must include http:// or https://. The DISCOURSE_ENABLE_CORS env variable must be set to true to enable CORS."
+    use_admin_ip_whitelist: "Admins can only log in if they are at an IP address defined in the Screened IPs list (Admin > Logs > Screened Ips)."
     top_menu: "Determine which items appear in the homepage navigation, and in what order. Example latest|new|unread|categories|top|read|posted|bookmarks"
     post_menu: "Determine which items appear on the post menu, and in what order. Example like|edit|flag|delete|share|bookmark|reply"
     post_menu_hidden_items: "The menu items to hide by default in the post menu unless an expansion ellipsis is clicked on."

config/site_settings.yml

@@ -656,6 +656,9 @@ security:
   cors_origins:
     default: ''
     type: list
+  use_admin_ip_whitelist:
+    default: false
+    client: true
 
 onebox:
   enable_flash_video_onebox: false

spec/controllers/session_controller_spec.rb

@@ -507,6 +507,7 @@ describe SessionController do
         let(:permitted_ip_address) { '111.234.23.11' }
         before do
           Fabricate(:screened_ip_address, ip_address: permitted_ip_address, action_type: ScreenedIpAddress.actions[:allow_admin])
+          SiteSetting.stubs(:use_admin_ip_whitelist).returns(true)
         end
 
         it 'is successful for admin at the ip address' do

spec/models/screened_ip_address_spec.rb

@@ -240,20 +240,29 @@ describe ScreenedIpAddress do
 
   describe '#block_admin_login?' do
     context 'no allow_admin records exist' do
-      it "returns false when user is nil" do
-        expect(described_class.block_admin_login?(nil, '123.12.12.12')).to eq(false)
-      end
 
-      it "returns false for non-admin user" do
+      it "returns false when use_admin_ip_whitelist is false" do
         expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
       end
 
-      it "returns false for admin user" do
+      context "use_admin_ip_whitelist is true" do
-        expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(false)
+        before { SiteSetting.stubs(:use_admin_ip_whitelist).returns(true) }
-      end
 
-      it "returns false for admin user and ip_address arg is nil" do
+        it "returns false when user is nil" do
-        expect(described_class.block_admin_login?(Fabricate.build(:admin), nil)).to eq(false)
+          expect(described_class.block_admin_login?(nil, '123.12.12.12')).to eq(false)
+        end
+
+        it "returns false for non-admin user" do
+          expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
+        end
+
+        it "returns false for admin user" do
+          expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(false)
+        end
+
+        it "returns false for admin user and ip_address arg is nil" do
+          expect(described_class.block_admin_login?(Fabricate.build(:admin), nil)).to eq(false)
+        end
       end
     end
 
@@ -263,24 +272,32 @@ describe ScreenedIpAddress do
         Fabricate(:screened_ip_address, ip_address: @permitted_ip_address, action_type: described_class.actions[:allow_admin])
       end
 
-      it "returns false when user is nil" do
+      it "returns false when use_admin_ip_whitelist is false" do
-        expect(described_class.block_admin_login?(nil, @permitted_ip_address)).to eq(false)
+        expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(false)
       end
 
-      it "returns false for an admin user at the allowed ip address" do
+      context "use_admin_ip_whitelist is true" do
-        expect(described_class.block_admin_login?(Fabricate.build(:admin), @permitted_ip_address)).to eq(false)
+        before { SiteSetting.stubs(:use_admin_ip_whitelist).returns(true) }
-      end
 
-      it "returns true for an admin user at another ip address" do
+        it "returns false when user is nil" do
-        expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(true)
+          expect(described_class.block_admin_login?(nil, @permitted_ip_address)).to eq(false)
-      end
+        end
 
-      it "returns false for regular user at allowed ip address" do
+        it "returns false for an admin user at the allowed ip address" do
-        expect(described_class.block_admin_login?(Fabricate.build(:user), @permitted_ip_address)).to eq(false)
+          expect(described_class.block_admin_login?(Fabricate.build(:admin), @permitted_ip_address)).to eq(false)
-      end
+        end
 
-      it "returns false for regular user at another ip address" do
+        it "returns true for an admin user at another ip address" do
-        expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
+          expect(described_class.block_admin_login?(Fabricate.build(:admin), '123.12.12.12')).to eq(true)
+        end
+
+        it "returns false for regular user at allowed ip address" do
+          expect(described_class.block_admin_login?(Fabricate.build(:user), @permitted_ip_address)).to eq(false)
+        end
+
+        it "returns false for regular user at another ip address" do
+          expect(described_class.block_admin_login?(Fabricate.build(:user), '123.12.12.12')).to eq(false)
+        end
       end
     end
   end