[Bug 8492] New: Restrict OpacSuppression to IP adresses outside of an IP range
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Priority: P5 - low Change sponsored?: --- Bug ID: 8492 Assignee: 5p4m@gmx.de Summary: Restrict OpacSuppression to IP adresses outside of an IP range Severity: enhancement Classification: Unclassified OS: All Reporter: 5p4m@gmx.de Hardware: All Status: NEW Version: master Component: Searching Product: Koha This enhancement extends the OpacSuppression feature with an optional IP address range within which results are _not_ suppressed. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 --- Comment #1 from Mirko Tietgen <5p4m@gmx.de> --- Created attachment 11094 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=11094&action=edit Bug 8492 [ENH] Restrict OpacSuppression to IP adresses outside of an IP range This enhancement extends the OpacSuppression feature with an optional IP address range within which results are _not_ suppressed. To test * turn on OpacSuppression (Administration->System preferences->Cataloging) and enter an IP address range in the OpacSuppressionByIPRange field. * set at least one bibliographic record to suppress=1 (enter '1' in 942$n) * fully reindex your data * do an OPAC search that should bring up your suppressed record * try with IP ranges that match your IP and ranges that don't -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Mirko Tietgen <5p4m@gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Jonathan Druart <jonathan.druart@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@biblibre.co | |m --- Comment #2 from Jonathan Druart <jonathan.druart@biblibre.com> --- Hi Mirko, I am not an expert of the apache configuration but it seems it is possible to do that with the RewriteCond and RewriteRule directives. Did you have a look at these directives ? -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |chris@bigballofwax.co.nz --- Comment #3 from Chris Cormack <chris@bigballofwax.co.nz> --- (In reply to comment #2)
Hi Mirko,
I am not an expert of the apache configuration but it seems it is possible to do that with the RewriteCond and RewriteRule directives.
Did you have a look at these directives ?
I'm not sure you could, in the same way. OpacSuppression lets you put something in 942 that makes an biblio not show in the OPAC. This would let those still show for certain ip ranges while suppressing them for others. I'm not sure how apache could know which items to hide. Unless you made a rule for every biblio. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |robin@catalyst.net.nz --- Comment #4 from Robin Sheat <robin@catalyst.net.nz> --- Mirko, something to consider is that many Koha systems are behind reverse-proxies of various forms. I'm not sure exactly what Apache puts into REMOTE_ADDR, but if it doesn't consider that, it may be worth checking the request headers too (e.g. if the request is from an RFC1918 address, check to see if there's an X-Forwarded-For: header too, or something like that) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 --- Comment #5 from Mirko Tietgen <5p4m@gmx.de> --- Jonathan: what Chris says. It's about filtering some, not all results (those marked in 942$c). I don't think that can be achieved with Apache config? Robin: good point, did a little reading on this. It seems like - it won't work with reverse proxies like it is now - you can spoof X-Forwarded-For headers, so using them should be optional A check for RFC1918 addresses sounds like an interesting idea, but is it safe to assume that there would always be a private address here? I doubt that, eg. my university uses external IP addresses everywhere. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 --- Comment #6 from Mirko Tietgen <5p4m@gmx.de> --- Data::Validate::IP could do these (and more) things is_innet_ipv4 to see if ip is in network given in syspref is_private_ipv4 to see if ip is private Dependencies on Debian Squeeze are available libdata-validate-ip-perl libnet-ipv6addr-perl libnet-netmask-perl libnetwork-ipv4addr-perl What are the rules for introducing perl modules/ dependencies? It could be like this but would introduce a lot of sysprefs option: use OpacSuppression yes/no option: match REMOTE_ADDR and network option: if exists, match X-Forward-For instead of REMOTE_ADDR option: only if REMOTE_ADDR is private IP -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 --- Comment #7 from Robin Sheat <robin@catalyst.net.nz> --- I wouldn't expect most systems to be on real-world IP addresses if they're behind a proxy anyway, there's no point. And it's only the address of the proxy you care about. Though, thinking about it more, if you're attempting to restrict to part of an RFC1918 set, this would leave forgery open. A better idea would be to specify what your proxy IP/IP pattern is and look for the header only in that case. X-Forwarded-For can be forged, also can (legitimately) have multiple IP addresses in it, but it is possible to be sure about what you're getting. For example, if you know you're behind a proxy you can rely on that header being there, and that the last entry is the real source IP address. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 --- Comment #8 from Mirko Tietgen <mirko@abunchofthings.net> --- after thinking about it a little, I propose to - use this patch like it is to add the basic functionality without new dependencies to 3.8 - have a more advanced version using Data::Validate::IP in 3.10 Does that make sense? -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 --- Comment #9 from Chris Cormack <chris@bigballofwax.co.nz> --- Makes sense to me, and a simple patch with no new dependencies, that does nothing until a syspref is checked is the perfect candidate for backport to 3.8.x. So if that makes this through QA and into master, im happy to put it into 3.8.x and then the follow up can extend it for master only. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Mirko Tietgen <mirko@abunchofthings.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #11094|0 |1 is obsolete| | --- Comment #10 from Mirko Tietgen <mirko@abunchofthings.net> --- Created attachment 11156 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=11156&action=edit Bug 8492 [ENH] Restrict OpacSuppression to IP adresses outside of an IP range This enhancement extends the OpacSuppression feature with an optional IP address range within which results are _not_ suppressed. To test * turn on OpacSuppression (Administration->System preferences->Cataloging) and enter an IP address range in the OpacSuppressionByIPRange field. * set at least one bibliographic record to suppress=1 (enter '1' in 942$n) * fully reindex your data * do an OPAC search that should bring up your suppressed record * try with IP ranges that match your IP and ranges that don't Rebased to master -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Marc Véron <veron@veron.ch> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #11156|0 |1 is obsolete| | --- Comment #11 from Marc Véron <veron@veron.ch> --- Created attachment 11206 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=11206&action=edit [SIGNED-OFF] Bug 8492 [ENH] Restrict OpacSuppression to IP adresses outside of an IP range This enhancement extends the OpacSuppression feature with an optional IP address range within which results are _not_ suppressed. To test * turn on OpacSuppression (Administration->System preferences->Cataloging) and enter an IP address range in the OpacSuppressionByIPRange field. * set at least one bibliographic record to suppress=1 (enter '1' in 942$n) * fully reindex your data * do an OPAC search that should bring up your suppressed record * try with IP ranges that match your IP and ranges that don't Signed-off-by: Marc Veron <veron@veron.ch> Tested following the scenario above. Works as expected. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Mirko Tietgen <mirko@abunchofthings.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Jonathan Druart <jonathan.druart@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #11206|0 |1 is obsolete| | --- Comment #12 from Jonathan Druart <jonathan.druart@biblibre.com> --- Created attachment 11692 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=11692&action=edit Bug 8492 [ENH] Restrict OpacSuppression to IP adresses outside of an IP range This enhancement extends the OpacSuppression feature with an optional IP address range within which results are _not_ suppressed. To test * turn on OpacSuppression (Administration->System preferences->Cataloging) and enter an IP address range in the OpacSuppressionByIPRange field. * set at least one bibliographic record to suppress=1 (enter '1' in 942$n) * fully reindex your data * do an OPAC search that should bring up your suppressed record * try with IP ranges that match your IP and ranges that don't Signed-off-by: Marc Veron <veron@veron.ch> Tested following the scenario above. Works as expected. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Jonathan Druart <jonathan.druart@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA --- Comment #13 from Jonathan Druart <jonathan.druart@biblibre.com> --- Last patch is a rebased patch (conflict on updatedatabase.pl). QA Comment: Add a new syspref OpacSuppressionByIPRange. According to the comment 8, a followup is required for 3.10. Marked as Passed QA. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Jonathan Druart <jonathan.druart@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact| |jonathan.druart@biblibre.co | |m -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Paul Poulain <paul.poulain@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master CC| |paul.poulain@biblibre.com Version|master |rel_3_10 --- Comment #14 from Paul Poulain <paul.poulain@biblibre.com> --- Patch pushed, but a tiny question: isn't "Restrict the suppression to IP adresses outside of the IP range" a little bit complex to understand. Wouldn't it be more understandable as "Don't suppress items in this IP range" ? (note that I just tested my search is not broken, I haven't suppress index on my test computer) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 --- Comment #15 from Mirko Tietgen <mirko@abunchofthings.net> --- You are right, the wording is bad. I think it evolved from "restrict OpacSuppression to IP range" (which is technically wrong) to the monster "restrict to IP addresses outside of an IP range" which is quite hard to parse. I will try to avoid things like that in the future. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 --- Comment #16 from Paul Poulain <paul.poulain@biblibre.com> --- (In reply to comment #15)
You are right, the wording is bad. I think it evolved from "restrict OpacSuppression to IP range" (which is technically wrong) to the monster "restrict to IP addresses outside of an IP range" which is quite hard to parse. I will try to avoid things like that in the future.
Feel free to add a follow-up to this one ;-) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8492 Paul Poulain <paul.poulain@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Restrict OpacSuppression to |Restrict OpacSuppression to |IP adresses outside of an |IP addresses outside of an |IP range |IP range -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org