fix: remove whitespace from restrict ip and always check request_ip (#29867)

* fix: remove whitespace in restrict ip in validate * fix: added check for request_ip * fix: return if no restrict ip * fix: set to localhost if none, refactor validate_ip_addr * fix: validate ip_address cleanup and removed uncessary comments * fix: validate ip_addr cleanup * fix: remove unecessary check
2025-01-24 18:42:58 +05:30 · 2025-01-24 18:42:58 +05:30 · c067fd4b62
commit c067fd4b62
parent bea4dc68fe
3 changed files with 14 additions and 2 deletions
--- a/frappe/app.py
+++ b/frappe/app.py
@ -22,7 +22,7 @@ import frappe.rate_limiter
 import frappe.recorder
 import frappe.utils.response
 from frappe import _
-from frappe.auth import SAFE_HTTP_METHODS, UNSAFE_HTTP_METHODS, HTTPRequest, validate_auth
+from frappe.auth import SAFE_HTTP_METHODS, UNSAFE_HTTP_METHODS, HTTPRequest, check_request_ip, validate_auth
 from frappe.middlewares import StaticDataMiddleware
 from frappe.utils import CallbackManager, cint, get_site_name
 from frappe.utils.data import escape_html
--- a/frappe/auth.py
+++ b/frappe/auth.py
@ -460,9 +460,11 @@ def validate_ip_address(user):

 	user_info = frappe.get_cached_doc("User", user)
 	ip_list = user_info.get_restricted_ip_list()
+
 	if not ip_list:
 		return

+	check_request_ip()
 	for ip in ip_list:
 		if frappe.local.request_ip.startswith(ip):
 			return
@ -713,3 +715,8 @@ def validate_api_key_secret(api_key, api_secret, frappe_authorization_source=Non
 def validate_auth_via_hooks():
 	for auth_hook in frappe.get_hooks("auth_hooks", []):
 		frappe.get_attr(auth_hook)()
+
+
+def check_request_ip():
+	if frappe.local.request_ip is None:
+		frappe.local.request_ip = "127.0.0.1"
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@ -196,6 +196,8 @@ class User(Document):
 		self.validate_allowed_modules()
 		self.validate_user_image()
 		self.set_time_zone()
+		if self.restrict_ip:
+			self.validate_ip_addr()

 		if self.language == "Loading...":
 			self.language = None
@ -811,6 +813,9 @@ class User(Document):
 			},
 		)

+	def validate_ip_addr(self):
+		self.restrict_ip = ",".join(self.get_restricted_ip_list())
+

@frappe.whitelist()
 def get_timezones():
@ -1314,7 +1319,7 @@ def get_restricted_ip_list(user):
 	if not user.restrict_ip:
 		return

-	return [i.strip() for i in user.restrict_ip.split(",")]
+	return [i.strip() for i in user.restrict_ip.strip().split(",")]


@frappe.whitelist(methods=["POST"])