Access keys and allowed IPs should be indpendant of each other and when at least one of them is satisfied the user should be allowed in.
The implementation of https://github.com/catalyst/moodle-auth_outage/issues/340 made it if both access key and allowed IP was used if one of them failed the user was blocked. The correct use case was allowed IP was still to be used but an access key could be used so someone outside of that IP range could still get in with the provided key.
Test plan
Test
Expected
Result
No access key setup, no IP range setup
Not blocked ever
✅ Not blocked
Access key setup, no IP range setup. Access key incorrect
Blocked
✅ Blocked
Access key setup, no IP range setup. Access key correct
Not blocked
✅ Not blocked
No Access key setup, IP range setup. Inside of IP range.
Not blocked
✅ Not blocked
No Access key setup, IP range setup. Outside of IP range.
Blocked
✅ Blocked
Access key setup and IP range setup. Inside of IP range, access key incorrect
Not blocked
✅ Not blocked
Access key setup and IP range setup. Outside of IP range, access key correct
Not blocked
✅ Not blocked
Access key setup and IP range setup. Inside of IP range, access key correct
Not blocked
✅ Not blocked
Access key setup and IP range setup. Outside of IP range, access key incorrect
Access keys and allowed IPs should be indpendant of each other and when at least one of them is satisfied the user should be allowed in.
The implementation of https://github.com/catalyst/moodle-auth_outage/issues/340 made it if both access key and allowed IP was used if one of them failed the user was blocked. The correct use case was allowed IP was still to be used but an access key could be used so someone outside of that IP range could still get in with the provided key.