@mattab opened this Issue on January 26th 2014 Owner

For added security, it would be useful to be able to only allow particular users to login from white listed IP addresses.

  • "Restrict login to Piwik only from these IP addresses" would be a global setting that would restrict all logins to a particular IP address.
  • "Restrict a particular username to login from these IP addresses" would be a setting, per user, optional, that would restrict login by this username.
    • UI: maybe we could extend the 'User Settings' mechanism , to also let Super User edit settings for other users.

Notes:

  • When a user goes to the login form, or tries to login, and the IP is not whitelisted, display a message "Access to this Piwik server is restricted. Please contact the admin to ask them to white list your IP address. more"
    • Learn more link goes to a FAQ on Piwik.org, explaining the WhiteList feature, and also explaining "How do I disable IP whitelisting?"
    • This would help a Super User deactivate the IP white listing feature, if he is locked out.
  • UI: Ips will accept ranges, similarly to the "Ips to exclude" in the Websites settings.
@hpvd commented on January 27th 2014

great idea!

Maybe we should think of a mechanism to prevent that e.g. non advanced users could lock their-selves or more worse all users for ever from their piwik installation....

this could happen

  • if they do not have a static IP (are not aware of this and put this in the restriction rule) and the next day dialling in they got a new IP-address from their provider
  • they put in the IP from somewhere where they now could not get access any-more (ex-girl, ex-employer...)
Powered by GitHub Issue Mirror