From 202e5b1e957a7692165a313710e38406ca4f6ff3 Mon Sep 17 00:00:00 2001
From: Benjamin Gaussorgues
Date: Fri, 12 Jul 2024 16:25:49 +0200
Subject: feat(security): restrict admin actions to IP ranges

Signed-off-by: Benjamin Gaussorgues
---
 config/config.sample.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'config')

diff --git a/config/config.sample.php b/config/config.sample.php
index 67110a1844a..9840fcfc97c 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -2207,6 +2207,16 @@ $CONFIG = [
  */
 'forwarded_for_headers' => ['HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'],
 
+/**
+ * List of trusted IP ranges for admin actions
+ *
+ * If this list is non-empty, all admin actions must be triggered from
+ * IP addresses inside theses ranges.
+ *
+ * Defaults to an empty array.
+ */
+'allowed_admin_ranges' => ['192.0.2.42/32', '233.252.0.0/24', '2001:db8::13:37/64'],
+
 /**
  * max file size for animating gifs on public-sharing-site.
  * If the gif is bigger, it'll show a static preview
-- 
cgit v1.2.3
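Review bot: The new docblock for `allowed_admin_ranges` says the default is an empty array, but the sample value shown is a non-empty list of documentation-only ranges (192.0.2.0/24 and 2001:db8::/32 are reserved for examples, 233.252.0.0/24 is a multicast test range), so an administrator who copies this block verbatim locks every admin action out; the comment should say explicitly that these are placeholders to replace, e.g. ` * The values below are example ranges and must be replaced with your own.` The line ` * IP addresses inside theses ranges.` has a typo and should read ` * IP addresses inside these ranges.`. Since this option sits directly below `forwarded_for_headers`, the check presumably evaluates the client address after proxy-header resolution; if so, a sentence stating that the restriction is only as reliable as the `trusted_proxies` / `forwarded_for_headers` configuration would spare deployments behind a reverse proxy from either locking themselves out or trusting a spoofable header. The docblock should also state what "admin actions" covers and what happens to a request from outside the ranges (rejected with which status), which the comment currently leaves implicit.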