User ban
Review Request #175 - Created Sept. 15, 2011 and updated
Information | |
---|---|
Serban Andrei Stan | |
infoarena | |
Reviewers | |
hackers | |
I've implemented most of the banip utility. At the request of some admins, I've posted my work, to ease the debugging while there are still few lines of code. The banip utility works in the following way: There are two types of ban: for username, and for userip. At user login, it verifies if the user is banned. If he is banned, then access to his account is not permitted (though access to the site is unrestrained). Now for the ban functions: - migrate-ban-ip was created in order to modify the db - I've modified login.php to acces the verify ban functions (placed in common/ban.php) - The ban functions verify if a user is banned, and if he is, he is not permitted login, otherwise if he was banned and the ban date expired, he is removed from the ban tables [DONE with keeping the user in the ban tables] - I've created a ban form in www/views/form_ban, very similar to the login form - Ban.php in /controllers retrieves the information from the form and accesses the functions in common/ban.php What remains to be done: 1)FIRST of all, permissions for the ban page [DONE] 2)the possibility to ban a substring for an ip (i.e. 192.168.0.*, but 192.16*.0.1 does not work) [DONE] 3)adding a button on each user's profile page, that redirects the current admin to the ban page, autocomplete-ing the username and IP form fields [DONE] 4)the automatic logout of a banned user [DONE] 5)on the ban page, for each userip the possibility to show all the accounts that utilised the current ip. 6)an unban page (the functions that work with the database are already implemented in /common/ban.php) (eventualy the possibility to show all the elements in the ban tables). How I have tested the changes so far: -I've tested the ban functions directly in a mysql console, adding users and deleting them to test the variables introduced -I didn't test the banip form so thoroughly, seems it works though
Issues
- 2
- 30
- 2
- 34
Description | From | Last Updated |
---|---|---|
If you want a single line add to the MySql query LIMIT 1, otherwise the query will go through all ... | Adrian Budau | |
use SELECT COUNT FROM so it returns just the number. It's faster | Adrian Budau |
This looks pretty good for someone who never worked with php before. Good job. There a lot of comments, but this how we all start, trust me :). Also I think you have quite a problems with your identation, add these lines to your .vimrc file: Add this to you vimrc. set expandtab set tabstop=4 set shiftwidth=4 set smartindent Also, add screenshot. Reviewboard supports adding screenshot to a review request, if you look carefully at this page, there is an "Add screenshot" button.
-
trunk/apache.conf (Diff revision 4) -
Why are apache.conf and config.php in the here? These should not be versioned. CC: Bogdan Tataroiu... any idea what this is?
-
trunk/common/ban.php (Diff revision 4) -
Coding styles: 4-spaces tabs. Also tabs mustn't be the tab character, they must be 4 spaces.
-
trunk/common/ban.php (Diff revision 4) -
No mysql_query. Use db_query instead.
-
trunk/common/ban.php (Diff revision 4) -
No trailing spaces
-
trunk/common/ban.php (Diff revision 4) -
You can do WHERE username = '$safe_user' AND expire > '$current_date' and you can get rid of the of the code that tests this. This will make your thing run a lot faster for users with several bans (we have some) as the amount of data sent from mysql to php is smaller and this is usually a huge bottleneck. Also I don't think we should remove the ban records. This table should never reach an amount of records so big to be incredibly slow, and this way we can keep records of how many bans a user had over time.
-
trunk/common/ban.php (Diff revision 4) -
Same comment.
-
trunk/scripts/migrate-ban-ip.php (Diff revision 4) -
align this
-
trunk/www/controllers/ban.php (Diff revision 4) -
No tabs needed here. Move everything one tab to the left.
-
trunk/www/controllers/ban.php (Diff revision 4) -
No trailing spaces
-
trunk/www/controllers/ban.php (Diff revision 4) -
wtf?? align your code properly.
-
trunk/www/controllers/ban.php (Diff revision 4) -
*This
-
trunk/www/controllers/ban.php (Diff revision 4) -
if else construction is like this: if (condition) { ... } else { ... }
-
trunk/www/controllers/ban.php (Diff revision 4) -
Trailing spaces.
-
trunk/www/controllers/ban.php (Diff revision 4) -
trailing spaces
-
trunk/www/controllers/login.php (Diff revision 4) -
Align your code properly.
-
trunk/www/controllers/login.php (Diff revision 4) -
you need to { } even if there is only one instruction. Like this if ($ban_user) { $errors = true; } I hope this what you meant with this code.
-
trunk/www/controllers/login.php (Diff revision 4) -
Indent.
-
trunk/www/controllers/login.php (Diff revision 4) -
Spaces, not tab charactes.
-
trunk/www/controllers/login.php (Diff revision 4) -
"Incearcati"? Not very Romanian. Also what was the problem with "Incearca"?. I like "Incearca" more. You can use "Ip-ul tau a fost suspendata" for consistency.
-
trunk/www/index.php (Diff revision 4) -
Try to put this somewhere near the cases for users or login shit. Not in the middle of the newsletter cases. We definetly a better system to dispatch. We should put it in our "To Refactor" excel, not to forget about it.
-
trunk/www/views/ban.php (Diff revision 4) -
Spaces
Change Summary:
I've added permissions for the ban page. If you want me to publish changes more rarely please tell me.
Description: |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Diff: |
Revision 7 (+398 -3) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Screenshots: |
|
Change Summary:
The ban interface is pretty usable at this point. Even though point 5 is pretty neat, it involves some tweaking with javascript, ajax, etc. I'm not so comfortable with those, and don't really think I'll be able to do anything consistent in a short period of time. Because this ticket has already been delayed for some time now, I think it would be a good idea to skip this point, at least at the moment. Same for the unban page. I left the unban page behind, because I believe that point 5 (a little modified) can be very similar to it.
Description: |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Diff: |
Revision 8 (+313 -9) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Screenshots: |
|
-
trunk/common/ban.php (Diff revision 8) -
in php NULL is null (lowercase)
-
trunk/common/ban.php (Diff revision 8) -
in the db schema you should have "AUTO INCREMENT" on the id field which should also be primary key. This way you can just do: INSERT INTO ia_user_ip (username, userip) VALUES ($user, $ip)
-
trunk/common/ban.php (Diff revision 8) -
"for a certain user" not "current user"
-
trunk/common/ban.php (Diff revision 8) -
same thing as above.
-
trunk/common/ban.php (Diff revision 8) -
same
-
trunk/common/ban.php (Diff revision 8) -
not "current user". In /common we put function that interact with the database, but do not interact in any way with the web context.
-
trunk/common/ban.php (Diff revision 8) -
{ } and null. Also you can just use !$rows
-
trunk/common/ban.php (Diff revision 8) -
english
-
trunk/common/ban.php (Diff revision 8) -
You should build an array with all the ips you want to test and then do something like: SELECT * FROM ia_ban_ip WHERE (user_ip = $ip[1] OR user_ip = $ip[2] ..) AND expire > $current_date It's not good to do so many mysql queryies because the network latency would be very high. Bassically for each query your program has to do the following things: 1. open db connection 2. send query 3. do query 4. send results 5. close connection In your code you are doing all theese steps 16 times, while in my code each one is done only once, increasing a bit the time for steps 2 and 3, but it's not noticeable. Also use SELECT COUNT(*) ... This you count how many rows you have that pass the filters in the db and check if that value is 0 or not.
-
trunk/scripts/migrate-ban-ip.php (Diff revision 8) -
PRIMARY KEY, AUTO INCREMENT
-
trunk/scripts/migrate-ban-ip.php (Diff revision 8) -
What is this for?
-
trunk/www/controllers/ban.php (Diff revision 8) -
Permissions?? This should be admin only
-
trunk/www/controllers/ban.php (Diff revision 8) -
I think we have special functions for getting things from _GET and from _POST.
-
trunk/www/controllers/ban.php (Diff revision 8) -
align
-
trunk/www/controllers/ban.php (Diff revision 8) -
I think the function is "request('username')" - not sure though, but I am pretty sure we have something like that.
-
trunk/www/controllers/ban.php (Diff revision 8) -
do the flash after you do the ban
-
trunk/www/controllers/login.php (Diff revision 8) -
I think we have some function called remote_ip_info() which gives you info about the ip.
-
trunk/www/controllers/login.php (Diff revision 8) -
I don't get it, Why is this necessary?
-
trunk/www/index.php (Diff revision 8) -
??? Move this back here. It's easier to read, as all the configs should be included at the beginning.
-
trunk/www/index.php (Diff revision 8) -
move this comment so that it makes sense
-
trunk/www/utilities.php (Diff revision 8) -
REQUEST_URI not URL is ok
-
trunk/www/views/ban.php (Diff revision 8) -
This should be in the controller
-
trunk/www/views/user.php (Diff revision 8) -
No db queries in views. This should go in /common, call the function from the controller and just pass the data to the controller.
-
trunk/www/views/user.php (Diff revision 8) -
is this 80 chars??
-
trunk/www/controllers/ban.php (Diff revision 8) -
Never do security in the viewer! The fact that ban options only appear to admins is not secure. Maybe some other developer decides to implement another viewer that uses this same controller. And maybe he doesn't check admin right. Or what if a user forges a POST to a page that calls this controller? :) Well, you get the idea, always (re)check security in the controllers.
-
trunk/www/controllers/ban.php (Diff revision 8) -
In other controllers this is: $view['user'] = request('user'); I know it's not much, but let's be consistent. This also enables the controller to be more flexible and callable by POST as well as GET. You could change the other gettattr($_GET, ...) with request(...). You can leave the $_POST the same if it was for security reasons.
-
trunk/www/url.php (Diff revision 8) -
Check indentation.
-
trunk/common/ban.php (Diff revision 9) -
You don't need the information from the db_query now. You can remove $query =
-
trunk/common/ban.php (Diff revision 9) -
If you want a single line add to the MySql query LIMIT 1, otherwise the query will go through all the records.
-
trunk/common/ban.php (Diff revision 9) -
use SELECT COUNT FROM so it returns just the number. It's faster
-
trunk/common/ban.php (Diff revision 9) -
return true Don't do extra stuff unnecessary
-
trunk/common/ban.php (Diff revision 9) -
the same. And also for comparing things with * you should've used the LIKE keyword. I don't see it here
-
trunk/scripts/migrate-ban-ip.php (Diff revision 9) -
add INDEX for username and expire so the query will go faster. After PRIMARY KEY (id) and before the closing bracket add this , INDEX username(`username`) , INDEX expire(`expire`)
-
trunk/scripts/migrate-ban-ip.php (Diff revision 9) -
same here just for username. I don't think you'll use a query SELECT * FROM ia_user_ip WHERE ip = something.
-
trunk/www/controllers/login.php (Diff revision 9) -
If the user is good and he is banned $errors is true while $user is also true. Shouldn't this else go elsewhere?