X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=WEB-INF%2Flib%2Fcommon.lib.php;h=325ae73b42f29b436a4b759618acc18028b1ddc3;hb=1c55e1b9d6da2173f7e946011908c02dd80df26d;hp=3dce388f5193706cbca402054db09678fb2f694b;hpb=ecf7d911c95935f8cfb2403f645cd12f93d8c3f5;p=timetracker.git
diff --git a/WEB-INF/lib/common.lib.php b/WEB-INF/lib/common.lib.php
index 3dce388f..325ae73b 100644
--- a/WEB-INF/lib/common.lib.php
+++ b/WEB-INF/lib/common.lib.php
@@ -325,6 +325,26 @@ function ttValidCondition($val, $emptyValid = true)
 return true;
 }
+// ttValidIP is used to check user input to validate a comma-separated
+// list of IP subnet "prefixes", for example 192.168.0 (note: no .* in the end).
+// We keep regexp checks here simple - they are not precise.
+// For example, IPv4-mapped IPv6 addresses will fail. This may need to be fixed.
+function ttValidIP($val, $emptyValid = false)
+{
+ $val = trim($val);
+ if (strlen($val) == 0 && $emptyValid)
+ return true;
+
+ $subnets = explode(',', $val);
+ foreach ($subnets as $subnet) {
+ $ipv4 = preg_match('/^\d\d?\d?(\.\d\d?\d?){0,3}\.?$/', $subnet); // Not precise check.
+ $ipv6 = preg_match('/^([0-9a-fA-F]{4})(:[0-9a-fA-F]{4}){0,7}$/', $subnet); // Not precise check.
+ if (!$ipv4 && !$ipv6)
+ return false;
+ }
+ return true;
+}
+
 // ttAccessAllowed checks whether user is allowed access to a particular page.
 // It is used as an initial check on all publicly available pages
 // (except login.php, register.php, and others where we don't have to check).
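Review bot: The IPv6 branch of ttValidIP only accepts fully written four-hex-digit groups, while the value it is later compared against in ttAccessAllowed (second hunk) is taken verbatim from `$_SERVER['REMOTE_ADDR']`, which servers usually report in compressed lower-case form. An entry such as `2001:0DB8` would therefore pass validation and then probably never match, locking the user out. Either normalise both sides before comparing (for example with `inet_pton`) or state in the header comment that IPv6 prefixes must be entered exactly as the server prints them. Separately, both patterns end in `$` without the `D` modifier, so an entry followed by a newline still validates; `'/^\d{1,3}(\.\d{1,3}){0,3}\.?$/D'` closes that for the IPv4 case.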
@@ -339,8 +359,24 @@ function ttAccessAllowed($required_right)
 exit();
 }
+ // Check IP restriction, if set.
+ if ($user->allow_ip && !$user->can('override_allow_ip')) {
+ $access_allowed = false;
+ $user_ip = $_SERVER['REMOTE_ADDR'];
+ $allowed_ip_array = explode(',', $user->allow_ip);
+ foreach ($allowed_ip_array as $allowed_ip) {
+ $len = strlen($allowed_ip);
+ if (substr($user_ip, 0, $len) === $allowed_ip) { // startsWith check.
+ $access_allowed = true;
+ break;
+ }
+ }
+ if (!$access_allowed) return false;
+ }
+
 // Check if user has the right.
 if (in_array($required_right, $user->rights)) {
+ import('ttUserHelper');
 ttUserHelper::updateLastAccess();
 return true;
 }
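Review bot: The startsWith comparison in the added IP-restriction block matches raw characters rather than octet boundaries, so an allowed entry of `192.168.1` also admits 192.168.10.x through 192.168.199.x; ttValidIP in the first hunk accepts such entries without a trailing dot. An empty entry would match every address because `substr($user_ip, 0, 0) === ''`; validation rejects those today, but the access check should not depend on that. Terminating both sides with the separator before comparing fixes both, as sketched below. `$_SERVER['REMOTE_ADDR']` is the peer address, so behind a reverse proxy it is presumably the proxy's address and the restriction has to account for that. The body of ttAccessAllowed starts before and continues after this hunk.

```php
    foreach ($allowed_ip_array as $allowed_ip) {
      $allowed_ip = trim($allowed_ip);
      if ($allowed_ip === '') continue; // An empty entry would otherwise match every address.
      // Compare whole octets/groups: 192.168.1 must not match 192.168.10.5.
      $sep = strpos($allowed_ip, ':') !== false ? ':' : '.';
      $prefix = rtrim($allowed_ip, $sep) . $sep;
      if (strncmp($user_ip . $sep, $prefix, strlen($prefix)) === 0) {
        $access_allowed = true;
        break;
      }
    }
    // … unchanged: if (!$access_allowed) return false; …
```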