Feature #15707
openPossibility to limit user access to certain IPs and access method (Web or API)
0%
Description
There should be a possibility to limit the access of users to certain IP addresses and/or limit to either connect
via browser or via API. This is especially interesting for the admin user.
Why?
We have e.g. an admin user, which is used for a bot connecting to redmine; to increase security I would like to limit this bot to access only via the REST API and from a certain host.
Updated by Toshi MARUYAMA almost 11 years ago
What is difference with webserver (apache etc.) configuration?
Updated by Marco Descher almost 11 years ago
The webserver does not have a concept about the user that is targeted within redmine. Lets fix an example:
I have the redmine admin user, having admin rights, thus capable of executing anything. Also I have a simple user "user" without admin rights. I know that I am the only person that is using the admin user, and that I am always connecting from 1.1.1.1. Thus, to enhance security, I would like Redmine to be capable of limiting the access of the admin user to queries coming from 1.1.1.1.
The webserver can not block this, as he has no knowledge about the user, and its limitations.
Same should go for the differentiation of Web-base and REST access. So I could create an "Admin Bot" allowing Rest only access from a certain IP as I know, there is no human to use the interface via browser.
Are you okay with this explanation?
Updated by Adnan Topçu over 10 years ago
+1
my opinion is that will be a plugin.
- one or more Subnet definition(s) in Administrative Settings for restrict to internal access,
- A checkbox on project settings for enable access from outside of local subnet (defined #1)
- A checkbox on user profile for enable access from outside of local subnet
- One or more IP/Subnet definition(s) in user profile for restrict internet access
If 3 is checked, 4 is active. If 3 is checked and 4 is empty, user can access from the all of the world if 2 is also active.
Best Regards,
Adnan
Updated by Marco Descher over 10 years ago
I am against the realization as a plugin. Security should be embedded deep in the core of the system, and a feature like this should be developed by the core developers in order to provide the required amount of security. I am not familiar with ruby development, however, how probable is it, that if this feature is realized as plugin it is capable by another plugin to circumvent the security measures?
AFAIK the code has to go deep into the first handler of incoming REST and Web requests, where all other stuff goes second; is it at all possible to hook a plugin at this specific point?
Updated by Marco Descher over 10 years ago
The following features would have to be realized:
- Allow to define per user what access method is applicable, where the possible access methods are
- Web Browser Interface
- REST
- Allow to define per user one or more subnet masks where the access may originate from, any access that does not originate from one of the given addresses should be answered with access denied.
Updated by Гордеев Алексей over 3 years ago
Does anybody care about this issue? :(
Updated by Go MAEDA over 3 years ago
Гордеев Алексей wrote:
Does anybody care about this issue? :(
I suggest using this plugin: https://github.com/redmica/redmine_ip_filter
Updated by Marco Descher about 3 years ago
We sponsored the creation of an additional plugin for this a few years ago. See https://github.com/MEDEVIT/redmine_access_filters
The fork in https://github.com/ngiger/redmine_access_filters works against redmine 4.1
Updated by Mischa The Evil about 3 years ago
Marco Descher wrote:
The fork in https://github.com/ngiger/redmine_access_filters works against redmine 4.1
I haven't looked deeply into this, but commit a0373b34574a72f6e83054c3c5662c2e9b634da5 comments-out the old before_filter
calls without any replacement. So this fork might not be functioning as expected.
Updated by Marco Descher about 3 years ago
Hey Mischa, thanks a lot for your comment - we'll look into this!