nextcloud / limit_login_to_ip

Nextcloud app that lets you Limit login to IP ranges
https://apps.nextcloud.com/apps/limit_login_to_ip
GNU Affero General Public License v3.0

Allow enabling only for specified groups #20

Open Magissia opened 6 years ago

Magissia commented 6 years ago

Greetings, being able to enable the plugin only for specific users/groups would be useful.

jalcine commented 6 years ago

Something like this would require a new table to be created.

Tsuroerusu commented 6 years ago

I would like to emphasize the ability to restrict user login for specific users. That way, I could have my admin account only be accessible from my local LAN, and my non-admin accounts from anywhere else.

christophermstaats commented 6 years ago

I'm going to have to throw in with this idea. From an enterprise security standpoint I can't sacrifice functionality for security if it means the primary purpose of the application cannot be fulfilled. Restricting down accounts with admin permissions is a must; restricting a traveling sales engineer will result in serious issues since they go from hotel to hotel and there is no way to predict what network he will be hitting the server from on login.

tiandiyiqi commented 6 years ago

This is very useful. Hypothetical working environment:

A user can login at anywhere;
B user can login at (192.168.. ; 200.23.45.34;...)
C user can login at (192.168.. )

I'm looking forward to having this function. Please!

prakash9999in commented 5 years ago

Can we expect this for specific user/group anytime soon? It would be very useful.

Thanks and Regards

dalagr commented 5 years ago

I would like to put emphasis on this. We would love the ability to restrict administrators to only be able to login within the internal network.

Luticus commented 4 years ago

I'm interested in this as well, specifically for admin/service accounts. For those it would make sense to say they could only log in from the local IP range, where other users have either no restriction or their own custom restrictions as well. I think that would make this app a lot more useful.

pierrecorsini commented 4 years ago

This feature is required, access rule on file does only cover file access and is limited (no OR rule).

szaimen commented 4 years ago

This feature would definitely be great to have!

jospoortvliet commented 4 years ago

Contributions are welcome - this app is pretty simple, it should not be terribly hard to do a PR that adds this functionality. In the meantime, thanks for sharing the idea - please refrain from posting more "me too" replies, better use the GitHub feature to up-vote a comment or something to signal your agreement. Otherwise this gets very long ;-)

ihsystems commented 3 years ago

I would like to put emphasis on this. We would love the ability to restrict administrators to only be able to login within the internal network,

Agree, this will be a very desirable enhancement. Also a comment line for each IP address to associate.

NoobTroll commented 3 years ago

+1 this would be extremely useful for me

SinghNanak commented 1 year ago

+1 I'm also interested. This will be a game changer.

SinghNanak commented 1 year ago

Any update if this would be supported for latest Nextcloud version?

SinghNanak commented 1 year ago

I was looking for something like this Authorised Networks.

gonzalo commented 5 months ago

+1 here. This is definitely a must-have feature of this app. We would like to apply this for admin accounts, making it available only for local network or VPN connection.

captainstarfish commented 2 months ago

Do you really need a table? Seems you might be able to provide a lot of functionality by enriching the config value format.

Perhaps add a couple of options to the start of each ip address:

    IPLIST = IPBLOCK[,IPLIST]
    IPBLOCK = [!][group name#][cidr]

! indicates a blacklist, ie !192.168.1.0/8 means anything but that range.
Omitting the group spot or replacing with a wildcard is "anyone".
Omitting the address spot or replacing with a wildcard is "anywhere".

Evaluate left to right, action on first match(ish). Examples:

Backward compatibility. Allow access to all from local network and host:

    occ config:app:set limit_login_to_ip whitelisted.ranges --value IPLIST 127.0.0.0/24,192.168.0.0/24

Allow access to a restricted group only from the local network, everyone else can connect from outside:

    --value IPLIST LocalOnly#127.0.0.0/24,LocalOnly#192.168.0.0/24,!LocalOnly#,

Note trailing comma has a value with empty IPBLOCK meaning "everyone, anywhere". LocalOnly members will match and be allowed from local host or network, be blocked anywhere else, non-members will drop through to the open access. It could also be specified as:

    --value IPLIST LocalOnly#127.0.0.0/24,LocalOnly#192.168.0.0/24,!LocalOnly#,#*

Similarly, allowing access to restricted IDs from the internet but defaulting local otherwise:

    --value IPLIST 127.0.0.0/24,192.168.0.0/24,RemoteOnly#,!#*

or

    --value IPLIST 127.0.0.0/24,192.168.0.0/24,RemoteOnly#,!

Is that maybe something you could parse and walk within IsRequestAllowed?