Added an option for a console god user
This commit is contained in:
Eldad Fux
parent
7eb4206e6d
commit
c10500c882
3
.env
3
.env
|
|
@ -1,5 +1,8 @@
|
|||
_APP_ENV=production
|
||||
_APP_ENV=development
|
||||
_APP_CONSOLE_WHITELIST_GOD=enabled
|
||||
_APP_CONSOLE_WHITELIST_EMAILS=
|
||||
_APP_CONSOLE_WHITELIST_IPS=
|
||||
_APP_SYSTEM_EMAIL_NAME=Appwrite
|
||||
_APP_SYSTEM_EMAIL_ADDRESS=team@appwrite.io
|
||||
_APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io
|
||||
|
|
|
|||
|
|
@ -72,6 +72,13 @@ ENV _APP_SERVER=swoole \
|
|||
_APP_DOMAIN_TARGET=localhost \
|
||||
_APP_HOME=https://appwrite.io \
|
||||
_APP_EDITION=community \
|
||||
_APP_CONSOLE_WHITELIST_GOD=enabled \
|
||||
_APP_CONSOLE_WHITELIST_EMAILS= \
|
||||
_APP_CONSOLE_WHITELIST_IPS= \
|
||||
_APP_SYSTEM_EMAIL_NAME= \
|
||||
_APP_SYSTEM_EMAIL_ADDRESS= \
|
||||
_APP_SYSTEM_RESPONSE_FORMAT= \
|
||||
_APP_SYSTEM_SECURITY_EMAIL_ADDRESS= \
|
||||
_APP_OPTIONS_ABUSE=enabled \
|
||||
_APP_OPTIONS_FORCE_HTTPS=disabled \
|
||||
_APP_OPENSSL_KEY_V1=your-secret-key \
|
||||
|
|
|
|||
|
|
@ -43,6 +43,7 @@ $collections = [
|
|||
'legalCity' => '',
|
||||
'legalAddress' => '',
|
||||
'legalTaxId' => '',
|
||||
'authWhitelistGod' => App::getEnv('_APP_CONSOLE_WHITELIST_GOD', 'enabled'),
|
||||
'authWhitelistEmails' => (!empty(App::getEnv('_APP_CONSOLE_WHITELIST_EMAILS', null))) ? \explode(',', App::getEnv('_APP_CONSOLE_WHITELIST_EMAILS', null)) : [],
|
||||
'authWhitelistIPs' => (!empty(App::getEnv('_APP_CONSOLE_WHITELIST_IPS', null))) ? \explode(',', App::getEnv('_APP_CONSOLE_WHITELIST_IPS', null)) : [],
|
||||
'authWhitelistDomains' => (!empty(App::getEnv('_APP_CONSOLE_WHITELIST_DOMAINS', null))) ? \explode(',', App::getEnv('_APP_CONSOLE_WHITELIST_DOMAINS', null)) : [],
|
||||
|
|
|
|||
|
|
@ -55,9 +55,17 @@ return [
|
|||
'required' => true,
|
||||
'question' => 'Enter a DNS A record hostname to serve as a CNAME for your custom domains.\nYou can use the same value as used for the Appwrite hostname.',
|
||||
],
|
||||
[
|
||||
'name' => '_APP_CONSOLE_WHITELIST_GOD',
|
||||
'description' => 'This option allows you to disable the creation of new users on the Appwrite console. When enabled only 1 user will be able to use the registartion form. New users can be added by invting them to your project. By default this option is enabled.',
|
||||
'introduction' => '',
|
||||
'default' => 'enabled',
|
||||
'required' => false,
|
||||
'question' => '',
|
||||
],
|
||||
[
|
||||
'name' => '_APP_CONSOLE_WHITELIST_EMAILS',
|
||||
'description' => 'This option allows you to limit creation of users to Appwrite console. This option is very useful for small teams or sole developers. To enable it, pass a list of allowed email addresses separated by a comma.',
|
||||
'description' => 'This option allows you to limit creation of new users on the Appwrite console. This option is very useful for small teams or sole developers. To enable it, pass a list of allowed email addresses separated by a comma.',
|
||||
'introduction' => '',
|
||||
'default' => '',
|
||||
'required' => false,
|
||||
|
|
|
|||
|
|
@ -58,10 +58,24 @@ App::post('/v1/account')
|
|||
/** @var Appwrite\Event\Event $audits */
|
||||
|
||||
if ('console' === $project->getId()) {
|
||||
$whitlistGod = $project->getAttribute('authWhitelistGod');
|
||||
$whitlistEmails = $project->getAttribute('authWhitelistEmails');
|
||||
$whitlistIPs = $project->getAttribute('authWhitelistIPs');
|
||||
$whitlistDomains = $project->getAttribute('authWhitelistDomains');
|
||||
|
||||
if($whitlistGod !== 'disabled') {
|
||||
$sum = $projectDB->getCount([ // Count users
|
||||
'limit' => 1,
|
||||
'filters' => [
|
||||
'$collection='.Database::SYSTEM_COLLECTION_USERS,
|
||||
],
|
||||
]);
|
||||
|
||||
if($sum !== 0) {
|
||||
throw new Exception('Console registration is restricted. Contact your administrator for more information.', 401);
|
||||
}
|
||||
}
|
||||
|
||||
if (!empty($whitlistEmails) && !\in_array($email, $whitlistEmails)) {
|
||||
throw new Exception('Console registration is restricted to specific emails. Contact your administrator for more information.', 401);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
<?php
|
||||
|
||||
use Appwrite\Database\Database;
|
||||
use Appwrite\Specification\Format\OpenAPI3;
|
||||
use Appwrite\Specification\Format\Swagger2;
|
||||
use Appwrite\Specification\Specification;
|
||||
|
|
@ -42,10 +43,37 @@ App::get('/')
|
|||
->label('permission', 'public')
|
||||
->label('scope', 'home')
|
||||
->inject('response')
|
||||
->action(function ($response) {
|
||||
->inject('project')
|
||||
->inject('projectDB')
|
||||
->action(function ($response, $projectDB, $project) {
|
||||
/** @var Appwrite\Utopia\Response $response */
|
||||
/** @var Appwrite\Database\Database $projectDB */
|
||||
/** @var Appwrite\Database\Document $project */
|
||||
|
||||
$response->redirect('/auth/signin');
|
||||
$response
|
||||
->addHeader('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0')
|
||||
->addHeader('Expires', 0)
|
||||
->addHeader('Pragma', 'no-cache')
|
||||
;
|
||||
|
||||
if ('console' === $project->getId()) {
|
||||
$whitlistGod = $project->getAttribute('authWhitelistGod');
|
||||
|
||||
if($whitlistGod !== 'disabled') {
|
||||
$sum = $projectDB->getCount([ // Count users
|
||||
'limit' => 1,
|
||||
'filters' => [
|
||||
'$collection='.Database::SYSTEM_COLLECTION_USERS,
|
||||
],
|
||||
]);
|
||||
|
||||
if($sum !== 0) {
|
||||
return $response->redirect('/auth/signin');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$response->redirect('/auth/signup');
|
||||
});
|
||||
|
||||
App::get('/auth/signin')
|
||||
|
|
@ -58,6 +86,10 @@ App::get('/auth/signin')
|
|||
|
||||
$page = new View(__DIR__.'/../../views/home/auth/signin.phtml');
|
||||
|
||||
$page
|
||||
->setParam('god', App::getEnv('_APP_CONSOLE_WHITELIST_GOD', 'enabled'))
|
||||
;
|
||||
|
||||
$layout
|
||||
->setParam('title', 'Sign In - '.APP_NAME)
|
||||
->setParam('body', $page);
|
||||
|
|
@ -72,6 +104,10 @@ App::get('/auth/signup')
|
|||
/** @var Utopia\View $layout */
|
||||
$page = new View(__DIR__.'/../../views/home/auth/signup.phtml');
|
||||
|
||||
$page
|
||||
->setParam('god', App::getEnv('_APP_CONSOLE_WHITELIST_GOD', 'enabled'))
|
||||
;
|
||||
|
||||
$layout
|
||||
->setParam('title', 'Sign Up - '.APP_NAME)
|
||||
->setParam('body', $page);
|
||||
|
|
|
|||
|
|
@ -61,11 +61,13 @@ $cli
|
|||
Console::log('🟢 Abuse protection is enabled');
|
||||
}
|
||||
|
||||
$authWhitelistGod = App::getEnv('_APP_CONSOLE_WHITELIST_GOD', null);
|
||||
$authWhitelistEmails = App::getEnv('_APP_CONSOLE_WHITELIST_EMAILS', null);
|
||||
$authWhitelistIPs = App::getEnv('_APP_CONSOLE_WHITELIST_IPS', null);
|
||||
$authWhitelistDomains = App::getEnv('_APP_CONSOLE_WHITELIST_DOMAINS', null);
|
||||
|
||||
if(empty($authWhitelistEmails)
|
||||
if(empty($authWhitelistGod)
|
||||
&& empty($authWhitelistEmails)
|
||||
&& empty($authWhitelistDomains)
|
||||
&& empty($authWhitelistIPs)
|
||||
) {
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
<?php
|
||||
$god = ($this->getParam('god') !== 'disabled');
|
||||
?>
|
||||
<div class="zone medium"
|
||||
data-service="account.get"
|
||||
data-name="account"
|
||||
|
|
@ -43,7 +46,7 @@
|
|||
<br />
|
||||
|
||||
<div class="text-line-high-large text-align-center">
|
||||
<a href="/auth/recovery">Forgot password?</a> or don't have an account? <b><a href="/auth/signup">Sign up now</a></b>
|
||||
<a href="/auth/recovery">Forgot password?</a><?php if(!$god): ?> or don't have an account? <b><a href="/auth/signup">Sign up now</a></b><?php endif; ?>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
<?php
|
||||
$god = ($this->getParam('god') !== 'disabled');
|
||||
?>
|
||||
<div class="zone medium signup">
|
||||
<h1 class="zone xl margin-bottom-large margin-top">
|
||||
Sign Up
|
||||
|
|
@ -44,6 +47,8 @@
|
|||
|
||||
</div>
|
||||
|
||||
<?php if(!$god): ?>
|
||||
<div class="zone medium text-align-center">
|
||||
<a href="/auth/signin">Already have an account?</a>
|
||||
</div>
|
||||
</div>
|
||||
<?PHP endif; ?>
|
||||
Loading…
Reference in a new issue