From f40d29b7bb01f0524dcd5fb286ac4067a35283cc Mon Sep 17 00:00:00 2001 From: Vitor Mattos Date: Mon, 17 Feb 2025 12:43:27 -0300 Subject: [PATCH] chore: convert from IP to range of IP Signed-off-by: Vitor Mattos --- README.md | 15 +++++++-------- lib/Middleware/InjectionMiddleware.php | 20 +++++++++++++++----- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 09c5025..108fbb9 100644 --- a/README.md +++ b/README.md @@ -16,18 +16,17 @@ Available features: occ app:enable admin_group_manager occ app:enable groupquota ``` -- Allowed IP +- Allowed IP range - By security, this API only receive requests from a specific IP. - - Run a tail with grep to watch by the word "Unauthorized access". + By security, this API only receive requests from a specific IP range. This could be enabled or not. To enable you will need to run the follow command: + ```bash + occ config:system:set admin_group_manager_allowed_range 0 --value + ``` + + To test if your setting is working fine, use a IP range that don't match with WordPressIP and tun a tail with grep to watch by the word "Unauthorized access". ```bash tail -f data/nextcloud.log|grep "Unauthorized access" ``` - - Do a request to API endpoint and go back to terminal to check the logs and get the IP. - - With the IP, run the follow command: - ```bash - occ config:system:set admin_group_manager_allowed_ip --value - ``` ## Performance improving Systemd service diff --git a/lib/Middleware/InjectionMiddleware.php b/lib/Middleware/InjectionMiddleware.php index 461b13b..280a201 100644 --- a/lib/Middleware/InjectionMiddleware.php +++ b/lib/Middleware/InjectionMiddleware.php @@ -8,6 +8,8 @@ namespace OCA\AdminGroupManager\Middleware; +use OC\Security\Ip\Address; +use OC\Security\Ip\Range; use OCA\AdminGroupManager\Controller\AEnvironmentAwareOCSController; use OCA\AdminGroupManager\Controller\Attribute\RestrictIp; use OCP\AppFramework\Controller; 
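Review bot: The two added imports, `use OC\Security\Ip\Address;` and `use OC\Security\Ip\Range;`, take classes from Nextcloud's private `OC\` namespace, which is not part of the app-facing API and may change between server releases without notice. Because these classes now decide who may reach the API, an upstream change in their behaviour would alter the access check silently. If the supported server versions expose public equivalents under `OCP\Security\Ip` (I believe a factory interface for addresses and ranges exists there, to be confirmed against the minimum supported version), inject that instead. Otherwise add a comment above the imports such as `// private server API: re-verify the IP restriction on every Nextcloud major upgrade`.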
@@ -48,11 +50,19 @@ public function beforeController(Controller $controller, string $methodName) {
 }
 
 private function restrictIp(): void {
- $ip = $this->request->getRemoteAddress();
- $allowed = $this->config->getSystemValue('admin_group_manager_allowed_ip');
- if ($allowed !== $ip) {
- $this->logger->error('Unauthorized access to API', ['IP' => $ip]);
- throw new OCSException('', Http::STATUS_UNAUTHORIZED);
+ $ip = new Address(
+ $this->request->getRemoteAddress()
+ );
+ $ranges = $this->config->getSystemValue('admin_group_manager_allowed_range');
+ if (!is_array($ranges) || empty($ranges)) {
+ return;
 }
+ foreach ($ranges as $range) {
+ if ((new Range($range))->contains($ip)) {
+ return;
+ }
+ }
+ $this->logger->error('Unauthorized access to API', ['IP' => $ip]);
+ throw new OCSException('', Http::STATUS_UNAUTHORIZED);
 }
 }
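Review bot: The early `return;` in `restrictIp()` makes the check fail open: when `admin_group_manager_allowed_range` is unset, empty, or anything other than an array, every caller is let through, whereas the removed comparison rejected requests whenever the configured value did not equal the caller's address. A value stored as a plain string (for example by omitting the array index `0` shown in the README's `occ` command) therefore disables the restriction without any log entry. I would normalise a non-empty string first, `if (is_string($ranges) && $ranges !== '') { $ranges = [$ranges]; }`, and log a warning when the value is present but unusable. Separately, `['IP' => $ip]` now hands the `Address` object to the logger instead of the address string, so the "Unauthorized access" entry that the README tells operators to grep may no longer show the IP; `['IP' => $this->request->getRemoteAddress()]` keeps it. It also looks like `new Address(...)` and `new Range($range)` can throw on malformed input, which would surface as a server error rather than the 401, so that is worth confirming and catching.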