User's code stored in fir_log table in order to avoid banning users who share the same IP.

2023-02-10 10:02:21 +01:00 · 2023-02-10 10:02:21 +01:00 · b6ceee9e24
parent b0c3dab482
commit b6ceee9e24
6 changed files with 29 additions and 12 deletions
--- a/swad_changelog.h
+++ b/swad_changelog.h
@ -606,7 +606,7 @@ TODO: Attach pdf files in multimedia.

 TODO: BUG al intentar crear un fichero ZIP con los trabajos de una asignatura si un estudiante con nombre cirílico está entre los alumnos que seleccionas para ver los trabajos. Reported by Víctor Vázquez Rodríguez el 22 de enero de 2023.
 */
-#define Log_PLATFORM_VERSION	"SWAD 22.60 (2022-11-29)"
+#define Log_PLATFORM_VERSION	"SWAD 22.62 (2023-02-10)"
 #define CSS_FILE		"swad22.57.1.css"
 #define JS_FILE			"swad22.49.js"
 /*
@ -626,6 +626,11 @@ son planteamientos que facilitar

 siempre atento a sus comentarios y agradecido de antemano por la ayuda que siempre nos ha brindado.........Saludos Caribeños desde Venezuela

+	Version 22.62:	  Feb 10, 2023  User's code stored in fir_log table in order to avoid banning users who share the same IP. (334157 lines)
+					2 changes necessary in database:
+ALTER TABLE fir_log ADD COLUMN UsrCod INT NOT NULL DEFAULT -1 AFTER IP,ADD INDEX (UsrCod);
+DELETE FROM fir_log;
+
 	Version 22.61:	  Feb 08, 2023  Fixed bug in figures about hierarchy. (334142 lines)
 	Version 22.60:    Nov 29, 2022  Fixed bug sending notification emails. Reported by Manuel Rodríguez Álvarez and Eva Martínez Ortigosa. (334114 lines)
 	Version 22.59.1:  Nov 23, 2022  Fixed bug in file browser. Reported by Javier Fernández Baldomero. (334070 lines)
--- a/swad_database.c
+++ b/swad_database.c
@ -1460,14 +1460,17 @@ mysql> DESCRIBE fir_log;
 +-----------+----------+------+-----+---------+-------+
 | ClickTime | datetime | NO   | MUL | NULL    |       |
 | IP        | char(15) | NO   | MUL | NULL    |       |
+| UsrCod    | int      | NO   | MUL | -1      |       |
 +-----------+----------+------+-----+---------+-------+
-2 rows in set (0.00 sec)
+3 rows in set (0,00 sec)
 */
   DB_CreateTable ("CREATE TABLE IF NOT EXISTS fir_log ("
 			"ClickTime DATETIME NOT NULL,"
 			"IP CHAR(15) NOT NULL,"	// Cns_MAX_BYTES_IP
+			"UsrCod INT NOT NULL DEFAULT -1,"
 		   "INDEX(ClickTime),"
-		   "INDEX(IP))");
+		   "INDEX(IP),"
+		   "INDEX(UsrCod))");

   /***** Table for_clipboards *****/
 /*
--- a/swad_firewall.h
+++ b/swad_firewall.h
@ -27,7 +27,7 @@
 /************************** Public types and constants ***********************/
 /*****************************************************************************/

-/* The maximum number of clicks in the interval
+/* The maximum number of clicks from the same IP-user in the interval
   should be large enough to prevent an IP from being banned
   due to automatic refresh when the user is viewing the last clicks. */
 #define Fw_CHECK_INTERVAL		((time_t)(30UL))	// Check clicks in the last 30 seconds
--- a/swad_firewall_database.c
+++ b/swad_firewall_database.c
@ -46,10 +46,11 @@ void Fir_DB_LogAccess (void)
  {
   DB_QueryINSERT ("can not log access into firewall_log",
 		   "INSERT INTO fir_log"
-		   " (ClickTime,IP)"
+		   " (ClickTime,IP,UsrCod)"
 		   " VALUES"
-		   " (NOW(),'%s')",
-		   Par_GetIP ());
+		   " (NOW(),'%s',%ld)",
+		   Par_GetIP (),
+		   Gbl.Usrs.Me.UsrDat.UsrCod);
  }

 /*****************************************************************************/
@ -63,8 +64,10 @@ unsigned Fir_DB_GetNumClicksFromLog (void)
 		  "SELECT COUNT(*)"
 		   " FROM fir_log"
 		  " WHERE IP='%s'"
+		    " AND UsrCod=%ld"
 		    " AND ClickTime>FROM_UNIXTIME(UNIX_TIMESTAMP()-%lu)",
 		  Par_GetIP (),
+		  Gbl.Usrs.Me.UsrDat.UsrCod,
 		  Fw_CHECK_INTERVAL);
  }

--- a/swad_main.c
+++ b/swad_main.c
@ -107,11 +107,10 @@ int main (void)
      Par_CreateListOfParams ();
      Par_GetMainParams ();

-      /***** Mitigate DoS attacks *****/
+      /***** Kick out banned IPs *****/
      Fir_CheckFirewallAndExitIfBanned ();
-      Fir_DB_LogAccess ();
-      Fir_CheckFirewallAndExitIfTooManyRequests ();

+      /**** Initialize current country, institution, center, degree and course *****/
      Hie_InitHierarchy ();

      if (!Gbl.WebService.IsWebService)
@ -140,6 +139,13 @@ int main (void)
 	 Usr_ChkUsrAndGetUsrData ();
 	}

+      /***** Mitigate automatized attacks from the same IP-user *****/
+      // If this execution is web service, no user is logged at this moment...
+      // ...so only IP is checked and it could be banned...
+      // ...if many users use the web service from the same IP
+      Fir_DB_LogAccess ();
+      Fir_CheckFirewallAndExitIfTooManyRequests ();
+
      /***** Check if the user have permission to execute the action *****/
      if (!Act_CheckIfIHavePermissionToExecuteAction (Gbl.Action.Act))
 	 Err_NoPermissionExit ();
--- a/swad_text_action.c
+++ b/swad_text_action.c
@ -25117,11 +25117,11 @@ const char *Txt_Actions[ActLst_NUM_ACTIONS] =
 #elif L==3	// en
 	"List the full data of students"
 #elif L==4	// es
-	"Listar los datos completos de estudiantes"
+	"Listar los datos completos de los estudiantes"
 #elif L==5	// fr
 	"List the full data of students"		// Besoin de traduction
 #elif L==6	// gn
-	"Listar los datos completos de estudiantes"	// Okoteve traducción
+	"Listar los datos completos de los estudiantes"	// Okoteve traducción
 #elif L==7	// it
 	"List the full data of students"		// Bisogno di traduzione
 #elif L==8	// pl