Possibility to limit user access to certain IPs and access method (Web or API)
There should be a possibility to limit the access of users to certain IP addresses and/or to limit them to connecting either via browser or via API. This is especially interesting for the admin user.
We have e.g. an admin user, which is used for a bot connecting to redmine; to increase security I would like to limit this bot to access only via the REST API and from a certain host.
#2 Updated by Marco Descher about 8 years ago
The webserver does not have a concept of the user that is targeted within Redmine. Let's fix an example:
I have the redmine admin user, having admin rights, thus capable of executing anything. Also I have a simple user "user" without admin rights. I know that I am the only person that is using the admin user, and that I am always connecting from 126.96.36.199. Thus, to enhance security, I would like Redmine to be capable of limiting the access of the admin user to queries coming from 188.8.131.52.
The webserver cannot block this, as it has no knowledge about the user and its limitations.
The same should go for the differentiation of Web-based and REST access. So I could create an "Admin Bot" allowing REST-only access from a certain IP, as I know there is no human using the interface via browser.
Are you okay with this explanation?
#3 Updated by Adnan Topçu almost 8 years ago
My opinion is that this will be a plugin.
1. One or more subnet definition(s) in Administrative Settings to restrict to internal access,
2. A checkbox on project settings to enable access from outside of the local subnet (defined in 1)
3. A checkbox on user profile to enable access from outside of the local subnet
4. One or more IP/subnet definition(s) in user profile to restrict internet access
If 3 is checked, 4 is active. If 3 is checked and 4 is empty, the user can access from all of the world if 2 is also active.
#4 Updated by Marco Descher almost 8 years ago
I am against the realization as a plugin. Security should be embedded deep in the core of the system, and a feature like this should be developed by the core developers in order to provide the required amount of security. I am not familiar with Ruby development; however, how probable is it that, if this feature is realized as a plugin, another plugin is capable of circumventing the security measures?
AFAIK the code has to go deep into the first handler of incoming REST and Web requests, where all other stuff goes second; is it at all possible to hook a plugin at this specific point?
#5 Updated by Marco Descher almost 8 years ago
The following features would have to be realized:
- Allow defining per user which access method is applicable, where the possible access methods are
  - Web Browser Interface
- Allow defining per user one or more subnet masks where the access may originate from; any access that does not originate from one of the given addresses should be answered with access denied.
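The per-user policy sketched in #3 and #5 (allowed access method, allowed source subnets) can be expressed as a small check that runs once the authenticated user is known. The following is an added example, not Redmine's code and not the redmine_access_filters plugin's code: `USER_POLICIES` is a constructed sample table (Redmine has no such user fields), the `access_method` heuristic for telling REST from browser traffic is an assumption, and `authorize_request` is a hypothetical wrapper showing the shape a Rails `before_action` would call. The check fails closed on an unknown user, a disallowed access method, a source address outside the allowed subnets, or an unparsable address.

```ruby
require 'ipaddr'

# Constructed per-user policy (assumption: in a real implementation this
# would live on the user record / in administrative settings).
#   :via     - access methods the account may use (:web and/or :api)
#   :subnets - CIDRs the account may connect from; empty means no IP restriction
USER_POLICIES = {
  'admin'     => { via: [:web, :api], subnets: ['192.0.2.0/24'] },
  'admin_bot' => { via: [:api],       subnets: ['203.0.113.10/32'] },
  'user'      => { via: [:web, :api], subnets: [] }
}.freeze

# Classify how a request reached the application. Heuristic (assumption):
# REST traffic carries an X-Redmine-API-Key header, a key= query parameter,
# or asks for a .json/.xml resource; everything else is treated as browser use.
def access_method(path:, headers: {}, params: {})
  return :api if headers.key?('X-Redmine-API-Key') || params.key?('key')
  return :api if path.match?(/\.(json|xml)\z/)
  :web
end

# Evaluate the policy for one request. Returns [:allow] or [:deny, reason]
# so the caller can respond (e.g. 403) and write an audit log entry.
def check_access(login:, remote_ip:, via:)
  policy = USER_POLICIES[login]
  return [:deny, :unknown_user] unless policy
  return [:deny, :method_not_allowed] unless policy[:via].include?(via)
  return [:allow] if policy[:subnets].empty?

  ip = IPAddr.new(remote_ip)
  allowed = policy[:subnets].any? { |cidr| IPAddr.new(cidr).include?(ip) }
  allowed ? [:allow] : [:deny, :ip_not_allowed]
rescue ArgumentError
  # IPAddr raises ArgumentError subclasses for malformed or missing addresses;
  # a client address we cannot parse must fail closed, not open.
  [:deny, :bad_remote_ip]
end

# Hypothetical hook shape (not Redmine's API): classify the request, then
# check it. A Rails before_action would pass User.current.login and
# request.remote_ip here, after authentication and before any controller action.
def authorize_request(login:, remote_ip:, path:, headers: {}, params: {})
  check_access(login: login, remote_ip: remote_ip,
               via: access_method(path: path, headers: headers, params: params))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: bot via API from its host, bot via browser,
  # admin via API from an unlisted address, unrestricted user.
  [
    ['admin_bot', '203.0.113.10', '/issues.json', { 'X-Redmine-API-Key' => 'k' }],
    ['admin_bot', '203.0.113.10', '/issues',      {}],
    ['admin',     '198.51.100.7', '/issues.json', {}],
    ['user',      '198.51.100.7', '/my/page',     {}]
  ].each do |login, ip, path, headers|
    result = authorize_request(login: login, remote_ip: ip, path: path, headers: headers)
    puts "#{login} from #{ip} #{path}: #{result.inspect}"
  end
end
```

Two points matter for this to hold up in practice. First, the source address is only meaningful if the application sees the real client address: behind a reverse proxy, `request.remote_ip` is derived from forwarded headers, so the proxy must overwrite those headers and the application must trust only that proxy, otherwise a client can claim any address. Second, as #4 argues, the check has to sit in the request path before any controller logic and after the user is resolved; if a plugin can register an earlier filter or skip this one, the restriction is only advisory.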
#9 Updated by Mischa The Evil 5 months ago
Marco Descher wrote:
The fork in https://github.com/ngiger/redmine_access_filters works against redmine 4.1
I haven't looked deeply into this, but commit a0373b34574a72f6e83054c3c5662c2e9b634da5 comments out the old before_filter calls without any replacement. So this fork might not be functioning as expected.