Lack of interest [Developer Tool] Allow custom IpMatch entries

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.
DragonByte Tech

DragonByte Tech

Well-known member
The IpMatch system has the potential to be used by 3rd party add-ons to automatically ban IP addresses for various infractions, but currently using the XF:Banning :: banIp method requires that a valid user record is either passed as an argument, or exists in \XF::visitor().

This is problematic because of things like automatically updating IP block lists, where even if the Cron job is executed by an user, that user should not be recorded as the banner of the IP address.

Therefore I suggest removing the 'required' => true part of the IpMatch entity, and either change the existing banIp method to allow for passing "no user, and don't default to visitor", or creating a new method like banIpAutomatic which doesn't take a user argument.

Use case: Our Security addon has an option to block TOR Exit Nodes, and a cron job that periodically updates the list of exit nodes for the server IP in question. While it's technically possible to insert records into the xf_ip_match table manually and rebuild the banned IPs cache manually, for compatibility with other 3rd party mods I would prefer if I was able to use the repository method for banning IP addresses.

---------------
EDIT: This is no longer needed thanks to the instructions from Mike đź‘Ť

The IpMatch system has the potential to be used by 3rd party add-ons to create their own filtering lists separate from Discouraged and Banned, but unfortunately the match_type column in the xf_ip_match table is an ENUM with fixed value options, rather than a VARCHAR.

The Banning repository is already dynamic enough that addons wishing to add their own types of bans can do so without any further coding changes.

Use case: Our Security addon has an option to block TOR Exit Nodes, and a cron job that periodically updates the list of exit nodes for the server IP in question. While it's technically possible to insert these IPs as ban entries, the problem is that toggling that setting via the AdminCP would necessitate pruning those IPs (approx. 850 entries) and re-adding them whenever the setting is toggled.

If I had the ability to add a new match type, I could add the "dbtech_security_tornode" match type and only rebuild that cache whenever the IP list is updated, and the setting I mentioned above would only toggle whether this ban was in effect.


Fillip
 
Last edited:
Upvote 1
This suggestion has been closed. Votes are no longer accepted.
Just to point out, the enum isn't inherently a blocker, at least in the manner it was in XF1. The schema manager has the ability to add and remove values from an enum without affecting the full list, so if other add-ons/a new version changes the list, your changes won't interfere with them.

As an example, from the 2.0 upgrade:
Code: 
$table->changeColumn('user_state')->addValues(['rejected', 'disabled']);
 
Mike said:
The schema manager has the ability to add and remove values from an enum without affecting the full list, so if other add-ons/a new version changes the list, your changes won't interfere with them.
Click to expand...
Interesting, thanks for that :)

It is still a bit more trouble than necessary because I'd also have to hook into the entity to update the allowedValues but it's nice to know it isn't a total blocker.


Fillip
 
DragonByte Tech said:
It is still a bit more trouble than necessary because I'd also have to hook into the entity to update the allowedValues but it's nice to know it isn't a total blocker.
Click to expand...
To be fair, even if it was already a VARCHAR, we would probably still use allowedValues in the entity to constrain it to known types. So you'd likely need to do that either way :)
 
Chris D said:
To be fair, even if it was already a VARCHAR, we would probably still use allowedValues in the entity to constrain it to known types. So you'd likely need to do that either way :)
Click to expand...
Fair enough 🙂

The only other thing I'd suggest is removing the "required" flag from the create_user_id column, since auto added bans via things like a cron job or automatically configured actions won't have a valid and/or correct user record.

The use case for this is again our Security mod; we have various "Watchers" that can trigger on certain actions, e.g. "5 failed AdminCP login attempts from the same IP address in the past 1 hour(s)", and admins will be able to configure the automatic banning of that IP address.

I've updated the OP with a revised suggestion :)


Fillip
 
In terms of the creation user ID, required in the context of an integer generally just means that you have to try to set a value for it. 0 would be valid (and would likely make sense in the context of automated actions).
 
Mike said:
In terms of the creation user ID, required in the context of an integer generally just means that you have to try to set a value for it. 0 would be valid (and would likely make sense in the context of automated actions).
Click to expand...
Fair enough, although the second half of the suggestion still applies; the existing banIp method forces a user record, so a new method in the Banning repository would still be appropriate IMO.


Fillip
 

Similar threads

Black Tiger
  • Solved
XF 2.2 Bug? Server error: Error on ip ban wildcard
Replies
2
Views
544
Black Tiger
Black Tiger
radon
  • Question Question
XF 2.2 Confusion about applying a new tropy to users
Replies
2
Views
634
kholland28
kholland28
K
Consent Management
2
Replies
20
Views
3K
twollert
twollert
R
  • Question Question
How do you deal with SMART Russian bots? Any tips? Banning Russian IPs didn't do anything, because they learned how to use VPNs from European and US.
2
Replies
21
Views
2K
GW2
GW2
M
Add-on Custom Add-on Request: Live Voice Chat [Paid]
Replies
0
Views
586
MarenLBC
M
Top Bottom