diff --git a/applications/admin/models/access.py b/applications/admin/models/access.py
index ded471c4..56bbd6d6 100644
--- a/applications/admin/models/access.py
+++ b/applications/admin/models/access.py
@@ -6,7 +6,10 @@ from gluon.fileutils import read_file
 from gluon.utils import web2py_uuid
 from pydal.contrib import portalocker
 # ###########################################################
-# ## make sure administrator is on localhost or https
+# ## make sure administrator is on localhost or https,
+# ## or from
+# ## gluon.settings.global_settings.trusted_lan_prefix
+# ## subnet
 # ###########################################################
@@ -22,6 +25,9 @@ else:
 if request.is_https:
 session.secure()
+elif request.env.trusted_lan_prefix and \
+ request.client.startswith(request.env.trusted_lan_prefix):
+ request.is_local = True
 elif not request.is_local and not DEMO_MODE:
 raise HTTP(200, T('Admin is disabled because insecure channel'))
diff --git a/applications/welcome/controllers/appadmin.py b/applications/welcome/controllers/appadmin.py
index 77813ae0..15b5a2c7 100644
--- a/applications/welcome/controllers/appadmin.py
+++ b/applications/welcome/controllers/appadmin.py
@@ -30,6 +30,9 @@ except:
 if request.is_https:
 session.secure()
+elif request.env.trusted_lan_prefix and \
+ remote_addr.startswith(request.env.trusted_lan_prefix):
+ request.is_local = True
 elif (remote_addr not in hosts) and (remote_addr != '127.0.0.1') and \
 (request.function != 'manage'):
 raise HTTP(200, T('appadmin is disabled because insecure channel'))
diff --git a/gluon/settings.py b/gluon/settings.py
index cb46648e..d07657da 100644
--- a/gluon/settings.py
+++ b/gluon/settings.py
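Review bot: The new `elif` in applications/admin/models/access.py uses `request.client.startswith(request.env.trusted_lan_prefix)` as a subnet test, but it is a plain string-prefix match, so a configured value without a trailing dot (for example `'10.1'`) also accepts `10.10.x.x` and `10.100.x.x`; the same comparison is added on `remote_addr` in applications/welcome/controllers/appadmin.py. At minimum require the separator in the condition, e.g. `request.env.trusted_lan_prefix.endswith('.') and \`, or compare parsed addresses against a network where the `ipaddress` module is available (gluon/settings.py still sets `is_py2`, so that path may need a fallback). It is also worth confirming where `request.client` gets its value: if it can be taken from a forwarded-for header rather than the socket peer, this branch would be trusting a client-supplied address. The `if`/`elif` chain starts and continues outside the hunk.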
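Review bot: `request.is_local = True` in the added branch of applications/welcome/controllers/appadmin.py is not needed to pass this gate, because matching the `elif` already skips the `raise HTTP(200, ...)` below; its remaining effect is that any later code reading `request.is_local` would treat a LAN client as localhost for the rest of the request. The identical assignment in applications/admin/models/access.py behaves the same way. Unless something downstream is known to depend on it, replace the body with `pass  # trusted LAN client: allow plain http` so the exemption stays limited to this check. This branch also lets the admin session proceed over plain HTTP without the `session.secure()` call made in the https branch, which deserves a one-line comment at the branch for whoever enables the setting.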
@@ -43,3 +43,7 @@ global_settings.is_source = os.path.exists(os.path.join(
 global_settings.gluon_parent, 'web2py.py'))
 global_settings.is_py2 = PY2
+
+# allow admin app for clients on trusted LAN when over plain http,
+# default is to allow only from localhost or when serving https
+#global_settings.trusted_lan_prefix = '192.168.0.'
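Review bot: The comment above the `trusted_lan_prefix` example in gluon/settings.py does not say that the value is compared with `startswith()` against the client address in the access.py and appadmin.py hunks, so nothing tells the operator that the trailing dot in `'192.168.0.'` is what stops it matching neighbouring ranges. Suggest adding `# matched as a string prefix of the client IP: keep the trailing dot` and `# enabling this serves admin/appadmin over unencrypted http to that range`. Leaving the line commented out, so the feature is off by default, is the right choice and worth stating in the comment as well.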