From 4a70dc99faa0f87ede80a2913bd3a89549cb7739 Mon Sep 17 00:00:00 2001
From: Himanshu Warekar
Date: Thu, 19 Sep 2019 11:08:07 +0530
Subject: [PATCH] fix: check ip restriction before resume
---
 frappe/auth.py | 46 +++++++++++++++++++++++-----------------------
 frappe/sessions.py | 3 ++-
 2 files changed, 25 insertions(+), 24 deletions(-)
diff --git a/frappe/auth.py b/frappe/auth.py
index 3a58330e11..753d9b0bc8 100644
--- a/frappe/auth.py
+++ b/frappe/auth.py
@@ -138,7 +138,7 @@ class LoginManager:

 def post_login(self):
 self.run_trigger('on_login')
- self.validate_ip_address()
+ validate_ip_address(self.user)
 self.validate_hour()
 self.get_user_info()
 self.make_session()
@@ -271,28 +271,6 @@ class LoginManager:
 for method in frappe.get_hooks().get(event, []):
 frappe.call(frappe.get_attr(method), login_manager=self)

- def validate_ip_address(self):
- """check if IP Address is valid"""
- user = frappe.get_doc("User", self.user)
- ip_list = user.get_restricted_ip_list()
- if not ip_list:
- return
-
- bypass_restrict_ip_check = 0
- # check if two factor auth is enabled
- enabled = int(frappe.get_system_settings('enable_two_factor_auth') or 0)
- if enabled:
- #check if bypass restrict ip is enabled for all users
- bypass_restrict_ip_check = int(frappe.get_system_settings('bypass_restrict_ip_check_if_2fa_enabled') or 0)
- if not bypass_restrict_ip_check:
- #check if bypass restrict ip is enabled for login user
- bypass_restrict_ip_check = int(frappe.db.get_value('User', self.user, 'bypass_restrict_ip_check_if_2fa_enabled') or 0)
- for ip in ip_list:
- if frappe.local.request_ip.startswith(ip) or bypass_restrict_ip_check:
- return
-
- frappe.throw(_("Not allowed from this IP Address"), frappe.AuthenticationError)
-
 def validate_hour(self):
 """check if user is logging in during restricted hours"""
 login_before = int(frappe.db.get_value('User', self.user, 'login_before', ignore=True) or 0)
@@ -416,3 +394,25 @@ def check_consecutive_login_attempts(user, doc):
 .format(doc.allow_login_after_fail), frappe.SecurityException)
 else:
 delete_login_failed_cache(user)
+
+def validate_ip_address(user):
+ """check if IP Address is valid"""
+ user = frappe.get_doc("User", user)
+ ip_list = user.get_restricted_ip_list()
+ if not ip_list:
+ return
+
+ bypass_restrict_ip_check = 0
+ # check if two factor auth is enabled
+ enabled = int(frappe.get_system_settings('enable_two_factor_auth') or 0)
+ if enabled:
+ #check if bypass restrict ip is enabled for all users
+ bypass_restrict_ip_check = int(frappe.get_system_settings('bypass_restrict_ip_check_if_2fa_enabled') or 0)
+ if not bypass_restrict_ip_check:
+ #check if bypass restrict ip is enabled for login user
+ bypass_restrict_ip_check = int(frappe.db.get_value('User', user, 'bypass_restrict_ip_check_if_2fa_enabled') or 0)
+ for ip in ip_list:
+ if frappe.local.request_ip.startswith(ip) or bypass_restrict_ip_check:
+ return
+
+ frappe.throw(_("Not allowed from this IP Address"), frappe.AuthenticationError)
\ No newline at end of file
diff --git a/frappe/sessions.py b/frappe/sessions.py
index d16a8fbfd6..8b5900fe51 100644
--- a/frappe/sessions.py
+++ b/frappe/sessions.py
@@ -254,13 +254,14 @@ class Session:
 def resume(self):
 """non-login request: load a session"""
 import frappe
-
+ from frappe.auth import validate_ip_address
 data = self.get_session_record()
 if data:
 # set language
 self.data.update({'data': data, 'user':data.user, 'sid': self.sid})
 self.user = data.user
+ validate_ip_address(self.user)
 self.device = data.device
 else:
 self.start_as_guest()
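Review bot: The `user` parameter of the new module-level validate_ip_address is rebound to the User document on its first line, so the later `frappe.db.get_value('User', user, 'bypass_restrict_ip_check_if_2fa_enabled')` now receives a Document where the removed method passed the name string `self.user`. Whether get_value tolerates a Document as its filter argument is not visible here, but this path now also runs on every session resume for restricted users with 2FA enabled (sessions.py hunk below), so a failure there would lock those users out rather than grant the configured bypass. Keeping name and document apart avoids it: `user_doc = frappe.get_doc("User", user)`, `ip_list = user_doc.get_restricted_ip_list()`, and read the per-user flag from the loaded document, `int(user_doc.bypass_restrict_ip_check_if_2fa_enabled or 0)`, which also saves the second query. Separately, `frappe.local.request_ip.startswith(ip)` is a textual prefix test carried over unchanged, so an entry like 10.0.1 also matches 10.0.100.x; an exact-address or network comparison via the ipaddress module would make each entry mean what it says. The added function also leaves the file without a trailing newline.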