Feature #15707

Possibility to limit user access to certain IPs and access method (Web or API)

Added by Marco Descher almost 8 years ago. Updated 4 months ago.

Status:NewStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Security
Target version:-
Resolution:

Description

There should be a possibility to limit the access of users to certain IP addresses and/or limit to either connect
via browser or via API. This is especially interesting for the admin user.

Why?

We have e.g. an admin user, which is used for a bot connecting to redmine; to increase security I would like to limit this bot to access only via the REST API and from a certain host.

History

#1 Updated by Toshi MARUYAMA almost 8 years ago

What is difference with webserver (apache etc.) configuration?

#2 Updated by Marco Descher almost 8 years ago

The webserver does not have a concept about the user that is targeted within redmine. Lets fix an example:

I have the redmine admin user, having admin rights, thus capable of executing anything. Also I have a simple user "user" without admin rights. I know that I am the only person that is using the admin user, and that I am always connecting from 1.1.1.1. Thus, to enhance security, I would like Redmine to be capable of limiting the access of the admin user to queries coming from 1.1.1.1.

The webserver can not block this, as he has no knowledge about the user, and its limitations.

Same should go for the differentiation of Web-base and REST access. So I could create an "Admin Bot" allowing Rest only access from a certain IP as I know, there is no human to use the interface via browser.

Are you okay with this explanation?

#3 Updated by Adnan Topçu almost 8 years ago

+1

my opinion is that will be a plugin.

  1. one or more Subnet definition(s) in Administrative Settings for restrict to internal access,
  2. A checkbox on project settings for enable access from outside of local subnet (defined #1)
  3. A checkbox on user profile for enable access from outside of local subnet
  4. One or more IP/Subnet definition(s) in user profile for restrict internet access

If 3 is checked, 4 is active. If 3 is checked and 4 is empty, user can access from the all of the world if 2 is also active.

Best Regards,
Adnan

#4 Updated by Marco Descher almost 8 years ago

I am against the realization as a plugin. Security should be embedded deep in the core of the system, and a feature like this should be developed by the core developers in order to provide the required amount of security. I am not familiar with ruby development, however, how probable is it, that if this feature is realized as plugin it is capable by another plugin to circumvent the security measures?

AFAIK the code has to go deep into the first handler of incoming REST and Web requests, where all other stuff goes second; is it at all possible to hook a plugin at this specific point?

#5 Updated by Marco Descher over 7 years ago

The following features would have to be realized:

  • Allow to define per user what access method is applicable, where the possible access methods are
    • Web Browser Interface
    • REST
  • Allow to define per user one or more subnet masks where the access may originate from, any access that does not originate from one of the given addresses should be answered with access denied.

#6 Updated by Гордеев Алексей 6 months ago

Does anybody care about this issue? :(

#7 Updated by Go MAEDA 5 months ago

Гордеев Алексей wrote:

Does anybody care about this issue? :(

I suggest using this plugin: https://github.com/redmica/redmine_ip_filter

#8 Updated by Marco Descher 4 months ago

We sponsored the creation of an additional plugin for this a few years ago. See https://github.com/MEDEVIT/redmine_access_filters
The fork in https://github.com/ngiger/redmine_access_filters works against redmine 4.1

#9 Updated by Mischa The Evil 4 months ago

Marco Descher wrote:

The fork in https://github.com/ngiger/redmine_access_filters works against redmine 4.1

I haven't looked deeply into this, but commit a0373b34574a72f6e83054c3c5662c2e9b634da5 comments-out the old before_filter calls without any replacement. So this fork might not be functioning as expected.

#10 Updated by Marco Descher 4 months ago

Hey Mischa, thanks a lot for your comment - we'll look into this!

Also available in: Atom PDF