Restricted Site Access - Version 6.1.0

Version Description

  • Correct a PHP notice when running PHP >= 7.1.

Release Info

Developer adamsilverstein
Version 6.1.0

Code changes from version 6.0.2 to 6.1.0

Files changed (2) hide show
  1. readme.txt +11 -1
  2. restricted_site_access.php +69 -39
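--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: jakemgold, rcbth, 10up, thinkoomph, tlovett1
  Donate link: http://10up.com/plugins/restricted-site-access-wordpress/
  Tags: privacy, restricted, restrict, privacy, limited, permissions, security, block
  Requires at least: 3.5
- Tested up to: 4.9
+ Tested up to: 4.9.4
  Stable tag: trunk
 
  Limit access to visitors who are logged in or allowed by IP addresses. Includes many options for handling blocked visitors.
@@ -73,6 +73,11 @@ Page caching plugins often hook into WordPress to quickly serve the last cached
 
  == Changelog ==
 
+ = 6.1.0 =
+ * Correct a PHP notice when running PHP >= 7.1.
+ * Refactor logic for checking ip address is in masked ip range.
+ * Add PHPUnit tests validating the ip_in_mask functionality.
+
  = 6.0.2 =
  * Add a 'restrict_site_access_ip_match' action which fires when an ip match occurs. Enables adding session_start() to the IP check, ensuring Varnish type cache will not cache the request.
 
@@ -159,3 +164,8 @@ Drops support for versions of WordPress prior to 3.5.
 
  = 4.0 =
  This update improves performance, refines the user interface, and adds support for showing restricted visitors a specific page. Please be advised that this udpate is specifically designed for WordPress 3.2+, and like WordPress 3.2, <strong>no longer supports PHP < 5.2.4</strong>.
+
+ == Upgrade Notice ==
+
+ = 6.1.0 =
+ * Important: version 6.1 improves testing visitors for allowed IP addresses ("Unrestricted IP addresses"). We recommend testing IP based restrictions after updating.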
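--- a/restricted_site_access.php
+++ b/restricted_site_access.php
@@ -3,13 +3,13 @@
  * Plugin Name: Restricted Site Access
  * Plugin URI: http://10up.com/plugins/restricted-site-access-wordpress/
  * Description: <strong>Limit access your site</strong> to visitors who are logged in or accessing the site from a set of specific IP addresses. Send restricted visitors to the log in page, redirect them, or display a message or page. <strong>Powerful control over redirection</strong>, including <strong>SEO friendly redirect headers</strong>. Great solution for Extranets, publicly hosted Intranets, or parallel development sites.
- * Version: 6.0.2
+ * Version: 6.1.0
  * Author: Jake Goldman, 10up, Oomph
  * Author URI: http://10up.com
  * License: GPLv2 or later
  */
 
- define( 'RSA_VERSION', '6.0.2' );
+ define( 'RSA_VERSION', '6.1.0' );
 
  class Restricted_Site_Access {
 
@@ -193,10 +193,6 @@ class Restricted_Site_Access {
  * @param array $wp WordPress request
  */
  public static function restrict_access( $wp ) {
- if ( empty( $wp->query_vars['rest_route'] ) ) {
- remove_action( 'parse_request', array( __CLASS__, 'restrict_access' ), 1 ); // only need it the first time
- }
-
  self::$rsa_options = self::get_options();
  $mode = self::get_network_mode();
 
@@ -220,47 +216,25 @@ class Restricted_Site_Access {
 
  // check for the allow list, if its empty block everything
  if ( ! empty( self::$rsa_options['allowed'] ) && is_array( self::$rsa_options['allowed'] ) ) {
- $remote_ip = $_SERVER['REMOTE_ADDR']; // save the remote ip
- if ( strpos( $remote_ip, '.' ) ) {
- $remote_ip = str_replace( '::ffff:', '', $remote_ip ); // handle dual-stack addresses
- }
- $remote_ip = inet_pton( $remote_ip ); // parse the remote ip
+ $remote_ip = self::get_client_ip_address();
 
  // iterate through the allow list
- foreach ( self::$rsa_options['allowed'] as $line ) {
- list( $ip, $mask ) = explode( '/', $line . '/128' ); // get the ip and mask from the list
-
- $mask = str_repeat( 'f', $mask >> 2 ); // render the mask as bits, similar to info on the php.net man page discussion for inet_pton
-
- switch ( $mask % 4 ) {
- case 1:
- $mask .= '8';
- break;
- case 2:
- $mask .= 'c';
- break;
- case 3:
- $mask .= 'e';
- break;
- }
-
- $mask = pack( 'H*', $mask );
-
- // check if the masked versions match
- if ( ( inet_pton( $ip ) & $mask ) == ( $remote_ip & $mask ) ) {
+ foreach( self::$rsa_options['allowed'] as $line ) {
+ if( self::ip_in_range( $remote_ip, $line ) ){
 
  /**
  * Fires when an ip address match occurs.
  *
- * Enables adding session_start() to the IP check, ensuring Varnish type cache will not cache the request.
+ * Enables adding session_start() to the IP check, ensuring Varnish type cache will
+ * not cache the request. Passes the matched line; previous to 6.1.0 this action passed
+ * the matched ip and mask.
  *
  * @since 6.0.2
  *
  * @param string $remote_ip The remote IP address being checked.
- * @param string $ip The matched IP address.
- * @param string $mast The IP mask used in the match.
+ * @param string $line The matched masked IP address.
  */
- do_action( 'restrict_site_access_ip_match', $remote_ip, $ip, $mask );
+ do_action( 'restrict_site_access_ip_match', $remote_ip, $line );
  return;
  }
  }
@@ -532,7 +506,7 @@ class Restricted_Site_Access {
  self::enqueue_settings_script();
 
  self::$rsa_options = self::get_options( true );
-
+
  add_action( 'wpmu_options', array( __CLASS__, 'show_network_settings' ) );
  add_action( 'update_wpmu_options', array( __CLASS__, 'save_network_settings' ) );
  }
@@ -717,7 +691,7 @@ class Restricted_Site_Access {
  <br />
  <input id="rsa-display-message" name="rsa_options[approach]" type="radio" value="3" <?php checked( self::$rsa_options['approach'], 3 ); ?> />
  <label for="rsa-display-message"><?php esc_html_e( 'Show them a simple message', 'restricted-site-access' ); ?></label>
-
+
  <?php if ( ! is_network_admin() ) : ?>
  <br />
  <input id="rsa-unblocked-page" name="rsa_options[approach]" type="radio" value="4" <?php checked( self::$rsa_options['approach'], 4 ); ?> />
@@ -750,7 +724,7 @@ class Restricted_Site_Access {
  <input type="text" name="newip" id="newip" /> <input class="button" type="button" id="addip" value="<?php _e( 'Add' ); ?>" />
  <p class="description" style="display: inline;"><label for="newip"><?php esc_html_e( 'Enter a single IP address or a range using a subnet prefix', 'restricted-site-access' ); ?></label></p>
  </div>
- <?php if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) { ?><input class="button" type="button" id="rsa_myip" value="<?php esc_attr_e( 'Add My Current IP Address', 'restricted-site-access' ); ?>" style="margin-top: 5px;" data-myip="<?php echo esc_attr( $_SERVER['REMOTE_ADDR'] ); ?>" /><br /><?php } ?>
+ <?php if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) { ?><input class="button" type="button" id="rsa_myip" value="<?php esc_attr_e( 'Add My Current IP Address', 'restricted-site-access' ); ?>" style="margin-top: 5px;" data-myip="<?php echo esc_attr( self::get_client_ip_address() ); ?>" /><br /><?php } ?>
  </div>
  <p class="hide-if-js"><strong><?php esc_html_e( 'To manage IP addresses, you must use a JavaScript enabled browser.', 'restricted-site-access' ); ?></strong></p>
  <?php
@@ -940,6 +914,62 @@ class Restricted_Site_Access {
  return false;
 
  }
+
+ /**
+ * Check if a given ip is in a network.
+ * Source: https://gist.github.com/tott/7684443
+ *
+ * @param string $ip IP to check in IPV4 format eg. 127.0.0.1
+ * @param string $range IP/CIDR netmask eg. 127.0.0.0/24, also 127.0.0.1 is accepted and /32 assumed
+ * @return boolean true if the ip is in this range / false if not.
+ */
+ public static function ip_in_range( $ip, $range ) {
+ if ( strpos( $range, '/' ) == false ) {
+ $range .= '/32';
+ }
+ // $range is in IP/CIDR format eg 127.0.0.1/24
+ list( $range, $netmask ) = explode( '/', $range, 2 );
+ $range_decimal = ip2long( $range );
+ $ip_decimal = ip2long( $ip );
+ $wildcard_decimal = pow( 2, ( 32 - $netmask ) ) - 1;
+ $netmask_decimal = ~ $wildcard_decimal;
+ return ( ( $ip_decimal & $netmask_decimal ) == ( $range_decimal & $netmask_decimal ) );
+ }
+
+ /**
+ * Retrieve the visitor ip address, even it is behind a proxy.
+ *
+ * @return string
+ */
+ public static function get_client_ip_address() {
+ $ip = '';
+ $headers = array(
+ 'HTTP_CLIENT_IP',
+ 'HTTP_X_FORWARDED_FOR',
+ 'HTTP_X_FORWARDED',
+ 'HTTP_X_CLUSTER_CLIENT_IP',
+ 'HTTP_FORWARDED_FOR',
+ 'HTTP_FORWARDED',
+ 'REMOTE_ADDR',
+ );
+ foreach ( $headers as $key ) {
+
+ if ( ! isset( $_SERVER[ $key ] ) ) {
+ continue;
+ }
+
+ foreach ( explode( ',',
+ $_SERVER[ $key ] ) as $ip ) {
+ $ip = trim( $ip ); // just to be safe
+
+ if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false ) {
+ return $ip;
+ }
+ }
+ }
+
+ return $ip;
+ }
  }
 
  define( 'RSA_IS_NETWORK', Restricted_Site_Access::is_network( plugin_basename( __FILE__ ) ) );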
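Review bot: get_client_ip_address() reads HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR and the other forwarded-style entries before REMOTE_ADDR and returns the first public address it finds, and restrict_access() now passes that value to the allow-list check, so the access decision rests on request headers the visitor supplies rather than on the connection's peer address. Forwarded headers should be honoured only when REMOTE_ADDR is itself a proxy the site operator has declared, with REMOTE_ADDR used in every other case; the fence sketches this, and its filter name is a proposed placeholder, not an existing hook. Separately, ip_in_range() is IPv4-only where the removed inet_pton() code also handled IPv6, and because ip2long() returns false for input it cannot parse, two unparsable operands appear to compare equal after masking. Adding `if ( false === $ip_decimal || false === $range_decimal ) { return false; }` after the two ip2long() calls, and using `false === strpos( $range, '/' )` instead of the loose `== false`, makes that case fail closed. restrict_access() starts and ends outside the hunks shown.

```php
public static function get_client_ip_address() {
	$remote_addr = isset( $_SERVER['REMOTE_ADDR'] ) ? trim( $_SERVER['REMOTE_ADDR'] ) : '';

	// Proposed (placeholder) filter: addresses of reverse proxies whose forwarded
	// headers may be trusted. Empty by default, so headers are ignored unless configured.
	$trusted_proxies = (array) apply_filters( 'rsa_trusted_proxies', array() );

	if ( ! in_array( $remote_addr, $trusted_proxies, true ) ) {
		// Direct connection: the peer address is the only value the client cannot choose.
		return $remote_addr;
	}

	// … unchanged: $headers list and the explode()/filter_var() loop, minus the REMOTE_ADDR entry;
	// for comma-separated values prefer the right-most entry that is not a trusted proxy …

	return $remote_addr;
}
```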