ID: 0009598
Project: New issues
Category: Security
View Status: public
Date Submitted: 2017-04-22 12:40
Last Update: 2017-05-07 02:58
Reporter: Grafu
Assigned To: ccw
Priority: normal
Severity: feature
Reproducibility: always
Status: resolved
Resolution: fixed
Platform / OS / OS Version:
Summary: 0009598: Cannot add mobile IP address to authorized IPs to access HTTP
Description: Cannot add mobile IP address to authorized IPs to access HTTP. Would be nice to have a command to add IP through console instead of playing MTA on phone.
Tags: No tags attached.
Attached Files:

- Relationships
has duplicate 0009599 (closed, ccw): [Request] Consider removing HTTP IP authorization enforcement

-  Notes
(0025831)
Grafu (viewer)
2017-04-22 13:51
edited on: 2017-04-22 13:59

Adding phone serial (if such exists) since IP can be dynamic. ****

authserial [account] after http attempt, but I guess HTTP doesn't accept serials. ********

(0025833)
ccw (administrator)
2017-04-22 19:16

One solution could be to have a secondary password for http access if the IP has not been authorized.
(0025834)
Drakath (viewer)
2017-04-22 19:24

Would sending a temporary key to the email defined in owner_email_address be possible?
(0025835)
ccw (administrator)
2017-04-22 19:41

How about a command which authorizes the last IP attempted for HTTP access?
e.g.:
authserial [account] http-ip
(0025836)
Grafu (viewer)
2017-04-22 19:56
edited on: 2017-04-22 20:09

The main problem is that the IP changes every time the phone's internet is turned on/off. So "authserial [account] http-ip" is not a solution. It should be something static like the phone's MAC address.

Secondary password is a nice idea. But registering it might be a problem, especially if developers wanted to register accounts in their own way. In this case HTTP could send a request and check if the account has a specific account data key with a hashed password. If it doesn't, permission to HTTP would only be granted if the IP is authorised the old way.
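
The fallback described in the note above (authorized IP first, otherwise a hashed secondary password held in account data), modelled in Python as an added example; it is not code from this thread or from MTA, and it does not describe how the server implements `authserial <account_name> httppass`. The account layout, the `http.pass` data key, the PBKDF2 parameters and the sample addresses are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

HTTP_PASS_KEY = "http.pass"  # hypothetical account data key (assumption)
PBKDF2_ROUNDS = 200_000      # constructed work factor for this example


def hash_http_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' for storage in the account's data."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_http_password(stored: str, supplied: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        salt_hex, digest_hex = stored.split("$", 1)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac("sha256", supplied.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(actual, expected)


def http_access_allowed(account: dict, client_ip: str, supplied: Optional[str]) -> bool:
    """Decide HTTP access for an account whose normal login already succeeded."""
    if client_ip in account.get("authorized_ips", ()):
        return True  # the old way: this IP was authorized in advance
    stored = account.get("data", {}).get(HTTP_PASS_KEY)
    if stored is None or supplied is None:
        return False  # no secondary password registered: IP rule only
    return verify_http_password(stored, supplied)


# Constructed sample account (documentation-range addresses, made-up password)
ACCOUNT = {
    "authorized_ips": ["203.0.113.10"],
    "data": {HTTP_PASS_KEY: hash_http_password("correct horse")},
}

if __name__ == "__main__":
    print(http_access_allowed(ACCOUNT, "198.51.100.7", "correct horse"))
```

An account without the data key behaves exactly as before, so accounts registered by custom scripts are unaffected until a secondary password is set.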

(0025838)
ccw (administrator)
2017-04-23 02:27

Please give an example of developers registering accounts in their own way
(0025839)
Drakath (viewer)
2017-04-23 08:36

Adding an event handler which could be cancelled for failed HTTP logins would allow scripters to implement this however they want.
For example:
addEventHandler("onHttpLoginFailed", root, function(theCurrentAccount, isAuthorized, key)
    -- Only consider accounts that belong to the "Admin" ACL group
    if theCurrentAccount and isObjectInACLGroup ("user."..getAccountName(theCurrentAccount), aclGetGroup ( "Admin" ) ) then
        if not isAuthorized then
            -- Compare the supplied key with the value stored in the account data
            if key and key == getAccountData(theCurrentAccount, "customData") then
                cancelEvent()
            end
        end
    end
end)

Parameters: account theCurrentAccount, bool isAuthorized, string key
Cancelling the event would result in user logging in regardless of authorization.
This is backwards compatible with the regular way.
(0025914)
ccw (administrator)
2017-05-07 02:58

The following command was added for 1.5.4:
authserial <account_name> httppass

For details:
https://wiki.multitheftauto.com/wiki/Authorized_Serial_Account_Protection#How_to_use

- Issue History
Date Modified Username Field Change
2017-04-22 12:40 Grafu New Issue
2017-04-22 13:51 Grafu Note Added: 0025831
2017-04-22 13:59 Grafu Note Edited: 0025831
2017-04-22 19:16 ccw Note Added: 0025833
2017-04-22 19:17 ccw Relationship added has duplicate 0009599
2017-04-22 19:24 Drakath Note Added: 0025834
2017-04-22 19:41 ccw Note Added: 0025835
2017-04-22 19:56 Grafu Note Added: 0025836
2017-04-22 20:09 Grafu Note Edited: 0025836
2017-04-23 02:27 ccw Note Added: 0025838
2017-04-23 08:36 Drakath Note Added: 0025839
2017-05-07 02:58 ccw Note Added: 0025914
2017-05-07 02:58 ccw Status new => resolved
2017-05-07 02:58 ccw Resolution open => fixed
2017-05-07 02:58 ccw Assigned To => ccw

