diff --git a/domain-server/resources/describe-settings.json b/domain-server/resources/describe-settings.json
index 11d21b3ab0..cfba2ae4f3 100644
--- a/domain-server/resources/describe-settings.json
+++ b/domain-server/resources/describe-settings.json
@@ -649,72 +649,7 @@
"span": 1
},
{
- "label": "Permissions ?",
- "span": 6
- }
- ],
-
- "columns": [
- {
- "name": "permissions_id",
- "label": ""
- },
- {
- "name": "id_can_connect",
- "label": "Connect",
- "type": "checkbox",
- "editable": true,
- "default": false
- },
- {
- "name": "id_can_adjust_locks",
- "label": "Lock / Unlock",
- "type": "checkbox",
- "editable": true,
- "default": false
- },
- {
- "name": "id_can_rez",
- "label": "Rez",
- "type": "checkbox",
- "editable": true,
- "default": false
- },
- {
- "name": "id_can_rez_tmp",
- "label": "Rez Temporary",
- "type": "checkbox",
- "editable": true,
- "default": false
- },
- {
- "name": "id_can_write_to_asset_server",
- "label": "Write Assets",
- "type": "checkbox",
- "editable": true,
- "default": false
- },
- {
- "name": "id_can_connect_past_max_capacity",
- "label": "Ignore Max Capacity",
- "type": "checkbox",
- "editable": true,
- "default": false
- }
- ]
- },
- {
- "name": "ip_forbiddens",
- "type": "table",
- "caption": "Permissions denied to Users from IP Addresses",
- "can_add_new_rows": true,
- "groups": [
- {
- "label": "IP",
- "span": 1
- },
- {
- "label": "Permissions ?",
+ "label": "Permissions ?",
"span": 6
}
],
diff --git a/domain-server/src/DomainGatekeeper.cpp b/domain-server/src/DomainGatekeeper.cpp
index 5b2e5a2bb0..0abbf38c72 100644
--- a/domain-server/src/DomainGatekeeper.cpp
+++ b/domain-server/src/DomainGatekeeper.cpp
@@ -120,8 +120,9 @@ void DomainGatekeeper::processConnectRequestPacket(QSharedPointer_settingsManager.hasPermissionsForIP(senderAddress)) {
+ // this user comes from an IP we have in our permissions table, apply those permissions
+ userPerms = _server->_settingsManager.getPermissionsForIP(senderAddress);
+
+#ifdef WANT_DEBUG
+ qDebug() << "| user-permissions: specific IP matches, so:" << userPerms;
+#endif
+ }
} else {
userPerms.setID(verifiedUsername);
if (_server->_settingsManager.havePermissionsForName(verifiedUsername)) {
userPerms = _server->_settingsManager.getPermissionsForName(verifiedUsername);
- userPerms.setVerifiedUserName(verifiedUsername);
#ifdef WANT_DEBUG
qDebug() << "| user-permissions: specific user matches, so:" << userPerms;
+#endif
+ } else if (_server->_settingsManager.hasPermissionsForIP(senderAddress)) {
+ // this user comes from an IP we have in our permissions table, apply those permissions
+ userPerms = _server->_settingsManager.getPermissionsForIP(senderAddress);
+
+#ifdef WANT_DEBUG
+ qDebug() << "| user-permissions: specific IP matches, so:" << userPerms;
#endif
} else {
- userPerms.setVerifiedUserName(verifiedUsername);
+
// they are logged into metaverse, but we don't have specific permissions for them.
userPerms |= _server->_settingsManager.getStandardPermissionsForName(NodePermissions::standardNameLoggedIn);
#ifdef WANT_DEBUG
@@ -191,6 +207,8 @@ NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QStrin
}
}
}
+
+ userPerms.setVerifiedUserName(verifiedUsername);
}
#ifdef WANT_DEBUG
@@ -225,7 +243,12 @@ void DomainGatekeeper::updateNodePermissions() {
const QHostAddress& addr = node->getLocalSocket().getAddress();
bool isLocalUser = (addr == limitedNodeList->getLocalSockAddr().getAddress() ||
addr == QHostAddress::LocalHost);
- userPerms = setPermissionsForUser(isLocalUser, verifiedUsername);
+
+ // at this point we don't have a sending socket for packets from this node - assume it is the active socket
+ // or the public socket if we haven't activated a socket for the node yet
+ HifiSockAddr connectingAddr = node->getActiveSocket() ? node->getPublicSocket() : *node->getActiveSocket();
+
+ userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, connectingAddr.getAddress());
}
node->setPermissions(userPerms);
@@ -337,7 +360,7 @@ SharedNodePointer DomainGatekeeper::processAgentConnectRequest(const NodeConnect
}
}
- userPerms = setPermissionsForUser(isLocalUser, verifiedUsername);
+ userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, nodeConnection.senderSockAddr.getAddress());
if (!userPerms.can(NodePermissions::Permission::canConnectToDomain)) {
sendConnectionDeniedPacket("You lack the required permissions to connect to this domain.",
diff --git a/domain-server/src/DomainGatekeeper.h b/domain-server/src/DomainGatekeeper.h
index 12697b8f3b..06ecfcf285 100644
--- a/domain-server/src/DomainGatekeeper.h
+++ b/domain-server/src/DomainGatekeeper.h
@@ -106,7 +106,8 @@ private:
QSet _domainOwnerFriends; // keep track of friends of the domain owner
QSet _inFlightGroupMembershipsRequests; // keep track of which we've already asked for
- NodePermissions setPermissionsForUser(bool isLocalUser, QString verifiedUsername);
+ NodePermissions setPermissionsForUser(bool isLocalUser, QString verifiedUsername, const QHostAddress& senderAddress);
+
void getGroupMemberships(const QString& username);
// void getIsGroupMember(const QString& username, const QUuid groupID);
void getDomainOwnerFriendsList();
diff --git a/domain-server/src/DomainServerSettingsManager.cpp b/domain-server/src/DomainServerSettingsManager.cpp
index d5bc732c13..81794b2899 100644
--- a/domain-server/src/DomainServerSettingsManager.cpp
+++ b/domain-server/src/DomainServerSettingsManager.cpp
@@ -421,9 +421,6 @@ void DomainServerSettingsManager::packPermissions() {
// save settings for IP addresses
packPermissionsForMap("permissions", _ipPermissions, IP_PERMISSIONS_KEYPATH);
- // save settings for IP address blacklist
- packPermissionsForMap("permissions", _ipForbiddens, IP_FORBIDDENS_KEYPATH);
-
// save settings for groups
packPermissionsForMap("permissions", _groupPermissions, GROUP_PERMISSIONS_KEYPATH);
@@ -457,7 +454,7 @@ bool DomainServerSettingsManager::unpackPermissionsForKeypath(const QString& key
if (mapPointer->contains(idKey)) {
qDebug() << "Duplicate name in permissions table for" << keyPath << " - " << id;
- (*mapPointer)[idKey] |= perms;
+ *((*mapPointer)[idKey]) |= *perms;
needPack = true;
} else {
(*mapPointer)[idKey] = perms;
@@ -480,8 +477,8 @@ void DomainServerSettingsManager::unpackPermissions() {
needPack |= unpackPermissionsForKeypath(AGENT_STANDARD_PERMISSIONS_KEYPATH, &_standardAgentPermissions);
needPack |= unpackPermissionsForKeypath(AGENT_PERMISSIONS_KEYPATH, &_agentPermissions);
+
needPack |= unpackPermissionsForKeypath(IP_PERMISSIONS_KEYPATH, &_ipPermissions);
- needPack |= unpackPermissionsForKeypath(IP_FORBIDDENS_KEYPATH, &_ipForbiddens);
needPack |= unpackPermissionsForKeypath(GROUP_PERMISSIONS_KEYPATH, &_groupPermissions,
[&](NodePermissionsPointer perms){
@@ -634,6 +631,16 @@ NodePermissions DomainServerSettingsManager::getPermissionsForName(const QString
return nullPermissions;
}
+NodePermissions DomainServerSettingsManager::getPermissionsForIP(const QHostAddress& address) const {
+ NodePermissionsKey ipKey = NodePermissionsKey(address.toString(), 0);
+ if (_ipPermissions.contains(ipKey)) {
+ return *(_ipPermissions[ipKey].get());
+ }
+ NodePermissions nullPermissions;
+ nullPermissions.setAll(false);
+ return nullPermissions;
+}
+
NodePermissions DomainServerSettingsManager::getPermissionsForGroup(const QString& groupName, QUuid rankID) const {
NodePermissionsKey groupRankKey = NodePermissionsKey(groupName, rankID);
if (_groupPermissions.contains(groupRankKey)) {
diff --git a/domain-server/src/DomainServerSettingsManager.h b/domain-server/src/DomainServerSettingsManager.h
index 754b62a72b..440cd8fe24 100644
--- a/domain-server/src/DomainServerSettingsManager.h
+++ b/domain-server/src/DomainServerSettingsManager.h
@@ -28,7 +28,6 @@ const QString SETTINGS_PATH_JSON = SETTINGS_PATH + ".json";
const QString AGENT_STANDARD_PERMISSIONS_KEYPATH = "security.standard_permissions";
const QString AGENT_PERMISSIONS_KEYPATH = "security.permissions";
const QString IP_PERMISSIONS_KEYPATH = "security.ip_permissions";
-const QString IP_FORBIDDENS_KEYPATH = "security.ip_forbiddens";
const QString GROUP_PERMISSIONS_KEYPATH = "security.group_permissions";
const QString GROUP_FORBIDDENS_KEYPATH = "security.group_forbiddens";
@@ -61,13 +60,9 @@ public:
QStringList getAllNames() const;
// these give access to permissions for specific IPs from the domain-server settings page
- bool havePermissionsForIP(const QHostAddress& address) const { return _ipPermissions.contains(address.toString(), 0); }
+ bool hasPermissionsForIP(const QHostAddress& address) const { return _ipPermissions.contains(address.toString(), 0); }
NodePermissions getPermissionsForIP(const QHostAddress& address) const;
- // these remove permissions from users connecting from specific IPs
- bool haveForbiddensForIP(const QHostAddress& address) const { return _ipForbiddens.contains(address.toString(), 0); }
- NodePermissions getForbiddensForIP(const QHostAddress& address) const;
-
// these give access to permissions for specific groups from the domain-server settings page
bool havePermissionsForGroup(const QString& groupName, QUuid rankID) const {
return _groupPermissions.contains(groupName, rankID);