[rt-users] IP ACL for per-user access?

Thomas Sibley trs at bestpractical.com
Tue Feb 14 18:36:27 EST 2012


On 02/14/2012 06:22 PM, Mark D. Nagel wrote:
> Has anyone ever created a method to restrict access for users by IP?  It
> has never made me comfortable that superuser access is possible from
> anywhere.  I can mitigate the risk with tools like Fail2Ban, but I'd
> just as soon lock the interface down so they can't log in at all except
> from trusted sources.  Reviewing RT 4.0 code, seems like the best method
> to override would be RT::User::HasPassword since it is short and least
> likely to be changed version to version.  Hoping someone else has
> already done this or similar and has some advice to share.  Otherwise, I
> shall just plow ahead and post my solution on the wiki!

There are better places to do that using callbacks rather than
overriding anything.  Look at the callbacks available in
RT::Interface::Web::HandleRequest and the way they're used in the
various RT-Authen-* extensions.

If you don't need it to be user-specific, just do it at the Apache level.

Thomas
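
The per-user check discussed in this thread, reduced to its decision logic, as an added example that is not part of the original messages and is not RT code. `%USER_ACL`, `ip_allowed_for_user`, the helper names and the sample addresses are hypothetical; wiring it into an RT callback is left out because the thread names no specific callback. IPv4 only.

```perl
#!/usr/bin/perl
# Added example: per-user source-IP allowlist decision (IPv4 only).
# %USER_ACL and all sub names are hypothetical; none of this is an RT API.
use strict;
use warnings;

# Constructed sample policy: listed users may log in only from these networks.
my %USER_ACL = (
    root  => [ '192.0.2.0/24', '198.51.100.7/32' ],
    admin => [ '10.0.0.0/8' ],
);

# Dotted quad -> 32-bit integer; returns undef for anything malformed.
sub ipv4_to_int {
    my ($ip) = @_;
    return unless defined $ip;
    my @o = $ip =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/
        or return;
    return if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True if the integer address falls inside the CIDR block.
sub in_cidr {
    my ($ip_int, $cidr) = @_;
    my ($net, $bits) = $cidr =~ m{\A([0-9.]+)/([0-9]{1,2})\z} or return 0;
    return 0 if $bits > 32;
    my $net_int = ipv4_to_int($net);
    return 0 unless defined $net_int;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ip_int & $mask) == ($net_int & $mask) ? 1 : 0;
}

# Assumed policy: users with an ACL entry are limited to it, others are not.
sub ip_allowed_for_user {
    my ($user, $remote_ip) = @_;
    my $nets = $USER_ACL{$user} or return 1;
    my $ip_int = ipv4_to_int($remote_ip);
    return 0 unless defined $ip_int;    # unparsable address: fail closed
    return (grep { in_cidr($ip_int, $_) } @$nets) ? 1 : 0;
}

# Constructed inputs: user name and the address the connection came from.
for my $case (['root', '192.0.2.44'], ['root', '203.0.113.9'],
              ['admin', '10.1.2.3'], ['guest', '203.0.113.9'],
              ['root', 'not-an-ip']) {
    printf "%-6s %-15s %s\n", @$case,
        ip_allowed_for_user(@$case) ? 'allow' : 'deny';
}
```

The address passed in should be the peer address of the connection as seen by the web server, not a client-supplied header such as `X-Forwarded-For`, unless a trusted reverse proxy sets it.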