? 228594-65.patch ? 228594-68.patch Index: CHANGELOG.txt =================================================================== RCS file: /cvs/drupal/drupal/CHANGELOG.txt,v retrieving revision 1.259 diff -u -p -r1.259 CHANGELOG.txt --- CHANGELOG.txt 31 Mar 2008 20:50:05 -0000 1.259 +++ CHANGELOG.txt 6 Apr 2008 21:03:52 -0000 @@ -15,6 +15,11 @@ Drupal 7.0, xxxx-xx-xx (development vers - Removed ping module: * This module has been removed from the core download. Contributed alternatives are available. +- Removed access rules: + * The access rules capability of user module has been stripped down to a + simple method for blocking IP addresses. E-mail and username restrictions + are now available in a contributed module. IP address range blocking is + no longer supported and should be done at the server level. Drupal 6.0, 2008-02-13 ---------------------- Index: includes/bootstrap.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v retrieving revision 1.206 diff -u -p -r1.206 bootstrap.inc --- includes/bootstrap.inc 10 Jan 2008 22:47:17 -0000 1.206 +++ includes/bootstrap.inc 6 Apr 2008 21:03:53 -0000 @@ -847,31 +847,30 @@ function drupal_get_messages($type = NUL } /** - * Perform an access check for a given mask and rule type. Rules are usually - * created via admin/user/rules page. + * Check to see if an IP address has been blocked. * - * If any allow rule matches, access is allowed. Otherwise, if any deny rule - * matches, access is denied. If no rule matches, access is allowed. + * Blocked IP addresses are stored in the database by default. However for + * performance reasons we allow an override in settings.php. This allows us + * to avoid querying the database at this critical stage of the bootstrap if + * an administrative interface for IP address blocking is not required. * - * @param $type string - * Type of access to check: Allowed values are: - * - 'host': host name or IP address - * - 'mail': e-mail address - * - 'user': username - * @param $mask string - * String or mask to test: '_' matches any character, '%' matches any - * number of characters. + * @param $ip string + * IP address to check. * @return bool * TRUE if access is denied, FALSE if access is allowed. */ -function drupal_is_denied($type, $mask) { - // Because this function is called for every page request, both cached - // and non-cached pages, we tried to optimize it as much as possible. - // We deny access if the only matching records in the {access} table have - // status 0 (deny). If any have status 1 (allow), or if there are no - // matching records, we allow access. - $sql = "SELECT 1 FROM {access} WHERE type = '%s' AND LOWER('%s') LIKE LOWER(mask) AND status = %d"; - return db_result(db_query_range($sql, $type, $mask, 0, 0, 1)) && !db_result(db_query_range($sql, $type, $mask, 1, 0, 1)); +function drupal_is_denied($ip) { + // Because this function is called on every page request, we first check + // for an array of IP addresses in settings.php before querying the + // database. + $blocked_ips = variable_get('blocked_ips', NULL); + if (isset($blocked_ips) && is_array($blocked_ips)) { + return in_array($ip, $blocked_ips); + } + else { + $sql = "SELECT 1 FROM {blocked_ips} WHERE ip = '%s'"; + return db_result(db_query($sql, $ip)); + } } /** @@ -953,8 +952,8 @@ function _drupal_bootstrap($phase) { break; case DRUPAL_BOOTSTRAP_ACCESS: - // Deny access to hosts which were banned - t() is not yet available. - if (drupal_is_denied('host', ip_address())) { + // Deny access to blocked IP addresses - t() is not yet available. + if (drupal_is_denied(ip_address())) { header('HTTP/1.1 403 Forbidden'); print 'Sorry, '. check_plain(ip_address()) .' has been banned.'; exit(); Index: modules/system/system.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.admin.inc,v retrieving revision 1.67 diff -u -p -r1.67 system.admin.inc --- modules/system/system.admin.inc 6 Apr 2008 18:50:12 -0000 1.67 +++ modules/system/system.admin.inc 6 Apr 2008 21:03:56 -0000 @@ -1106,6 +1106,94 @@ function system_modules_uninstall_submit } /** + * Menu callback. Display blocked IP addresses. + */ +function system_ip_blocking() { + $output = ''; + $rows = array(); + $header = array(t('IP address'), t('Operations')); + $result = db_query('SELECT * FROM {blocked_ips}'); + while ($ip = db_fetch_object($result)) { + $rows[] = array( + $ip->ip, + l(t('delete'), "admin/settings/ip-blocking/delete/$ip->iid"), + ); + } + + $output .= theme('table', $header, $rows); + + $output .= drupal_get_form('system_ip_blocking_form'); + + return $output; +} + +/** + * Define the form for blocking IP addresses. + * + * @ingroup forms + * @see system_ip_blocking_form_validate() + * @see system_ip_blocking_form_submit() + */ +function system_ip_blocking_form($form_state) { + $form['ip'] = array( + '#title' => t('IP address.'), + '#type' => 'textfield', + '#size' => 64, + '#maxlength' => 32, + '#description' => t('Enter a valid IP address.'), + ); + $form['submit'] = array( + '#type' => 'submit', + '#value' => t('Save'), + ); + $form['#submit'][] = 'system_ip_blocking_form_submit'; + $form['#validate'][] = 'system_ip_blocking_form_validate'; + return $form; +} + +function system_ip_blocking_form_validate($form, &$form_state) { + $ip = $form_state['values']['ip']; + if (db_result(db_query("SELECT * FROM {blocked_ips} WHERE ip = '%s'", $ip))) { + form_set_error('ip', t('This IP address is already blocked')); + } + else if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE) == FALSE) { + form_set_error('ip', t('Please enter a valid IP address.')); + } +} + +function system_ip_blocking_form_submit($form, &$form_state) { + $ip = $form_state['values']['ip']; + db_query("INSERT INTO {blocked_ips} (ip) VALUES ('%s')", $ip); + drupal_set_message(t('The IP address %ip has been blocked.', array('%ip' => $ip))); + $form_state['redirect'] = 'admin/settings/ip-blocking'; + return; +} + +/** + * IP deletion confirm page. + * + * @see system_ip_blocking_delete_submit() + */ +function system_ip_blocking_delete(&$form_state, $iid) { + $form['blocked_ip'] = array( + '#type' => 'value', + '#value' => $iid, + ); + return confirm_form($form, t('Are you sure you want to delete %ip?', array('%ip' => $iid['ip'])), 'admin/settings/ip-blocking', t('This action cannot be undone.'), t('Delete'), t('Cancel')); +} + +/** + * Process system_ip_blocking_delete form submissions. + */ +function system_ip_blocking_delete_submit($form, &$form_state) { + $blocked_ip = $form_state['values']['blocked_ip']; + db_query("DELETE FROM {blocked_ips} WHERE iid = %d", $blocked_ip['iid']); + watchdog('user', 'Deleted %ip', array('%ip' => $blocked_ip['ip'],)); + drupal_set_message(t('%ip was deleted', array('%ip' => $blocked_ip['ip']))); + $form_state['redirect'] = 'admin/settings/ip-blocking'; +} + +/** * Form builder; The general site information form. * * @ingroup forms Index: modules/system/system.install =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.install,v retrieving revision 1.244 diff -u -p -r1.244 system.install --- modules/system/system.install 21 Mar 2008 08:52:25 -0000 1.244 +++ modules/system/system.install 6 Apr 2008 21:04:02 -0000 @@ -526,6 +526,29 @@ function system_schema() { 'token' => array('token'), ), ); + + $schema['blocked_ips'] = array( + 'description' => t('Stores blocked IP addresses.'), + 'fields' => array( + 'iid' => array( + 'description' => t('Primary Key: unique ID for IP addresses.'), + 'type' => 'serial', + 'unsigned' => TRUE, + 'not null' => TRUE, + ), + 'ip' => array( + 'description' => t('IP address'), + 'type' => 'varchar', + 'length' => 32, + 'not null' => TRUE, + 'default' => '', + ), + ), + 'indexes' => array( + 'blocked_ip' => array('ip'), + ), + 'primary key' => array('iid'), + ); $schema['cache'] = array( 'description' => t('Generic cache table for caching things not separated out into their own tables. Contributed modules may also use this to store cached items.'), @@ -580,7 +603,7 @@ function system_schema() { $schema['cache_page']['description'] = t('Cache table used to store compressed pages for anonymous users, if page caching is enabled.'); $schema['cache_menu'] = $schema['cache']; $schema['cache_menu']['description'] = t('Cache table for the menu system to store router information as well as generated link trees for various menu/page/user combinations.'); - + $schema['files'] = array( 'description' => t('Stores information for uploaded files.'), 'fields' => array( @@ -2668,6 +2691,59 @@ function system_update_7001() { return $ret; } +/** + * Add a table to store blocked IP addresses. + */ +function system_update_7002() { + $ret = array(); + $schema['blocked_ips'] = array( + 'description' => t('Stores blocked IP addresses.'), + 'fields' => array( + 'iid' => array( + 'description' => t('Primary Key: unique ID for IP addresses.'), + 'type' => 'serial', + 'unsigned' => TRUE, + 'not null' => TRUE, + ), + 'ip' => array( + 'description' => t('IP address'), + 'type' => 'varchar', + 'length' => 32, + 'not null' => TRUE, + 'default' => '', + ), + ), + 'indexes' => array( + 'blocked_ip' => array('ip'), + ), + 'primary key' => array('iid'), + ); + + db_create_table($ret, 'blocked_ips', $schema['blocked_ips']); + + return $ret; +} + +/** + * Update {blocked_ips} with valid IP address + * from {access}. + */ +function system_update_7003() { + $ret = array(); + $type = 'host'; + $result = db_query("SELECT mask FROM {access} WHERE status = %d AND TYPE = '%s'", 0, $type); + while ($access = db_fetch_object($result)) { + if (filter_var($access->mask, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE) !== FALSE) { + $ret[] = update_sql("INSERT INTO {blocked_ips} (ip) VALUES ('$access->mask')"); + } + else { + drupal_set_message('The host '. $access->mask .' is no longer blocked because it is not a valid IP address, or contains wildcards.'); + $ret[] = array('success' => TRUE, 'query' => 'Wildcard IP address blocking is no longer supported.'); + } + } + return $ret; +} + /** * @} End of "defgroup updates-6.x-to-7.x" Index: modules/system/system.module =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.module,v retrieving revision 1.594 diff -u -p -r1.594 system.module --- modules/system/system.module 1 Apr 2008 20:05:15 -0000 1.594 +++ modules/system/system.module 6 Apr 2008 21:04:03 -0000 @@ -99,6 +99,8 @@ function system_help($path, $arg) { return $output; case 'admin/settings/actions/configure': return t('An advanced action offers additional configuration options which may be filled out below. Changing the Description field is recommended, in order to better identify the precise action taking place. This description will be displayed in modules such as the trigger module when assigning actions to system events, so it is best if it is as descriptive as possible (for example, "Send e-mail to Moderation Team" rather than simply "Send e-mail").'); + case 'admin/settings/ip-blocking': + return '
'. t('IP addresses listed here are blocked from your site before any modules are loaded. You may add IP addresses to the list, or delete existing entries.') .'
'; case 'admin/reports/status': return ''. t("Here you can find a short overview of your site's parameters as well as any problems detected with your installation. It may be useful to copy and paste this information into support requests filed on drupal.org's support forums and project issue queues.") .'
'; } @@ -163,6 +165,7 @@ function system_perm() { 'access site reports' => t('View reports from system logs and other status information.'), 'select different theme' => t('Select a theme other than the default theme set by the site administrator.'), 'administer files' => t('Manage user-uploaded files.'), + 'block IP addresses' => t('Block IP addresses from accessing your site.'), ); } @@ -486,6 +489,23 @@ function system_menu() { 'type' => MENU_CALLBACK, ); + // IP address blocking. + $items['admin/settings/ip-blocking'] = array( + 'title' => 'IP address blocking', + 'description' => 'Manage blocked IP addresses.', + 'page callback' => 'system_ip_blocking', + 'access arguments' => array('block IP addresses'), + 'file' => 'system.admin.inc', + ); + $items['admin/settings/ip-blocking/delete/%blocked_ip'] = array( + 'title' => 'Delete IP address', + 'page callback' => 'drupal_get_form', + 'page arguments' => array('system_ip_blocking_delete', 4), + 'access arguments' => array('block IP addresses'), + 'type' => MENU_CALLBACK, + 'file' => 'system.admin.inc', + ); + // Settings: $items['admin/settings/site-information'] = array( 'title' => 'Site information', @@ -636,6 +656,20 @@ function system_menu() { } /** + * Retrieve a blocked IP address from the database. + * + * @param $iid integer + * The ID of the blocked IP address to retrieve. + * + * @return + * The blocked IP address from the database as an array. + */ +function blocked_ip_load($iid) { + $blocked_ip = db_fetch_array(db_query("SELECT * FROM {blocked_ips} WHERE iid = %d", $iid)); + return $blocked_ip; +} + +/** * Menu item access callback - only admin or enabled themes can be accessed. */ function _system_themes_access($theme) { @@ -1408,6 +1442,12 @@ function system_action_info() { 'taxonomy' => array('insert', 'update', 'delete'), ) ), + 'system_block_ip_action' => array( + 'description' => t('Ban IP address of current user'), + 'type' => 'user', + 'configurable' => FALSE, + 'hooks' => array(), + ), 'system_goto_action' => array( 'description' => t('Redirect to URL'), 'type' => 'system', @@ -1964,6 +2004,16 @@ function system_goto_action($object, $co } /** + * Implementation of a Drupal action. + * Blocks the user's IP address. + */ +function system_block_ip_action() { + $ip = ip_address(); + db_query("INSERT INTO {blocked_ips} (ip) VALUES ('%s')", $ip);; + watchdog('action', 'Banned IP address %ip', array('%ip' => $ip)); +} + +/** * Generate an array of time zones and their local time&date. */ function _system_zonelist() { Index: modules/user/user-rtl.css =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user-rtl.css,v retrieving revision 1.3 diff -u -p -r1.3 user-rtl.css --- modules/user/user-rtl.css 27 Nov 2007 12:09:26 -0000 1.3 +++ modules/user/user-rtl.css 6 Apr 2008 21:04:03 -0000 @@ -4,11 +4,6 @@ padding-left: 0; padding-right: 1.5em; } -#access-rules .access-type, #access-rules .rule-type { - margin-right: 0; - margin-left: 1em; - float: right; -} #user-admin-buttons { float: right; margin-left: 0; Index: modules/user/user.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user.admin.inc,v retrieving revision 1.19 diff -u -p -r1.19 user.admin.inc --- modules/user/user.admin.inc 20 Feb 2008 13:46:43 -0000 1.19 +++ modules/user/user.admin.inc 6 Apr 2008 21:04:04 -0000 @@ -712,206 +712,6 @@ function user_admin_role_submit($form, & } /** - * Menu callback: list all access rules - */ -function user_admin_access_check() { - $output = drupal_get_form('user_admin_check_user'); - $output .= drupal_get_form('user_admin_check_mail'); - $output .= drupal_get_form('user_admin_check_host'); - return $output; -} - -/** - * Menu callback: add an access rule - */ -function user_admin_access_add($mask = NULL, $type = NULL) { - if ($edit = $_POST) { - if (!$edit['mask']) { - form_set_error('mask', t('You must enter a mask.')); - } - else { - db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', '%s', %d)", $edit['mask'], $edit['type'], $edit['status']); - $aid = db_last_insert_id('access', 'aid'); - drupal_set_message(t('The access rule has been added.')); - drupal_goto('admin/user/rules'); - } - } - else { - $edit['mask'] = $mask; - $edit['type'] = $type; - } - return drupal_get_form('user_admin_access_add_form', $edit, t('Add rule')); -} - -/** - * Menu callback: edit an access rule - */ -function user_admin_access_edit($aid = 0) { - if ($edit = $_POST) { - if (!$edit['mask']) { - form_set_error('mask', t('You must enter a mask.')); - } - else { - db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $edit['mask'], $edit['type'], $edit['status'], $aid); - drupal_set_message(t('The access rule has been saved.')); - drupal_goto('admin/user/rules'); - } - } - else { - $edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid)); - } - return drupal_get_form('user_admin_access_edit_form', $edit, t('Save rule')); -} - -/** - * Form builder; Configure access rules. - * - * @ingroup forms - */ -function user_admin_access_form(&$form_state, $edit, $submit) { - $form['status'] = array( - '#type' => 'radios', - '#title' => t('Access type'), - '#default_value' => isset($edit['status']) ? $edit['status'] : 0, - '#options' => array('1' => t('Allow'), '0' => t('Deny')), - ); - $type_options = array('user' => t('Username'), 'mail' => t('E-mail'), 'host' => t('Host')); - $form['type'] = array( - '#type' => 'radios', - '#title' => t('Rule type'), - '#default_value' => (isset($type_options[$edit['type']]) ? $edit['type'] : 'user'), - '#options' => $type_options, - ); - $form['mask'] = array( - '#type' => 'textfield', - '#title' => t('Mask'), - '#size' => 30, - '#maxlength' => 64, - '#default_value' => $edit['mask'], - '#description' => '%: '. t('Matches any number of characters, even zero characters') .'.'. t("This web page allows administrators to register new users. Users' e-mail addresses and usernames must be unique.") .'
'; - case 'admin/user/rules': - return ''. t('Set up username and e-mail address access rules for new and existing accounts (currently logged in accounts will not be logged out). If a username or e-mail address for an account matches any deny rule, but not an allow rule, then the account will not be allowed to be created or to log in. A host rule is effective for every page view, not just registrations.') .'
'; case 'admin/user/permissions': return ''. t('Permissions let you control what users can do on your site. Each user role (defined on the user roles page) has its own set of permissions. For example, you could give users classified as "Administrators" permission to "administer nodes" but deny this power to ordinary, "authenticated" users. You can use permissions to reveal new features to privileged users (those with subscriptions, for example). Permissions also allow trusted users to share the administrative burden of running a busy site.', array('@role' => url('admin/user/roles'))) .'
'; case 'admin/user/roles': @@ -2181,12 +2131,6 @@ function user_action_info() { 'configurable' => FALSE, 'hooks' => array(), ), - 'user_block_ip_action' => array( - 'description' => t('Ban IP address of current user'), - 'type' => 'user', - 'configurable' => FALSE, - 'hooks' => array(), - ), ); } @@ -2211,16 +2155,6 @@ function user_block_user_action(&$object } /** - * Implementation of a Drupal action. - * Adds an access rule that blocks the user's IP address. - */ -function user_block_ip_action() { - $ip = ip_address(); - db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', '%s', %d)", $ip, 'host', 0); - watchdog('action', 'Banned IP address %ip', array('%ip' => $ip)); -} - -/** * Submit handler for the user registration form. * * This function is shared by the installation form and the normal registration form, Index: sites/default/default.settings.php =================================================================== RCS file: /cvs/drupal/drupal/sites/default/default.settings.php,v retrieving revision 1.9 diff -u -p -r1.9 default.settings.php --- sites/default/default.settings.php 21 Mar 2008 09:16:37 -0000 1.9 +++ sites/default/default.settings.php 6 Apr 2008 21:04:07 -0000 @@ -226,3 +226,26 @@ ini_set('url_rewriter.tags', ''); # 'forum' => 'Discussion board', # '@count min' => '@count minutes', # ); + +/** + * + * IP blocking: + * + * To bypass database queries for denied IP addresses, use this setting. + * Drupal queries the {blocked_ips} table by default on every page request + * for both authenticated and anonymous users. This allows the system to + * block IP addresses from within the administrative interface and before any + * modules are loaded. However on high traffic websites you may want to avoid + * this query, allowing you to bypass database access altogether for anonymous + * users under certain caching configurations. + * + * If using this setting, you will need to add back any IP addresses which + * you may have blocked via the administrative interface. Each element of this + * array represents a blocked IP address. Uncommenting the array and leaving it + * empty will have the effect of disabling IP blocking on your site. + * + * Remove the leading hash signs to enable. + */ +# $conf['blocked_ips'] = array( +# 'a.b.c.d', +# );