Issues Fixes techjoomla#62,techjoomla#122

vinayak-patil · Feb 20, 2023 · 16a8b8f · 16a8b8f
1 parent 05cea7a
commit 16a8b8f
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 4 deletions.
diff --git a/code/admin/config.xml b/code/admin/config.xml
@@ -3,6 +3,13 @@
 	<fieldset label="COM_API" name="api">
 		<field name="force_output" type="text" label="COM_API_FORM_LBL_FORCE_OUTPUT"
 			description="COM_API_FORM_DESC_FORCE_OUTPUT" />
+		<field name="request_limit_time" type="radio" default="hour"
+			label="COM_API_CONFIG_REQ_LT_LBL" description="COM_API_CONFIG_REQ_LT_DESC"
+			class="btn-group">
+			<option value="hour">Hour</option>
+			<option value="minute">Minute</option>
+			<option value="day">Day</option>
+		</field>
 		<field name="request_limit" type="text" label="COM_API_FORM_LBL_RATE_LIMIT"
 			description="COM_API_FORM_LBL_RATE_LIMIT_DESC" />
 		<field name="log_requests" type="radio" default="0"
@@ -23,6 +30,8 @@
 			<option value="get">GET</option>
 			<option value="*">ALL</option>
 		</field>
+        <field name="ip_address" type="textarea" default="*" columns="5"
+            label="COM_API_CONFIG_IPS_LBL" description="COM_API_CONFIG_IPS_DESC" />
         <field name="cors" type="textarea" default="*" columns="5"
             label="COM_API_CONFIG_CORS_LBL" description="COM_API_CONFIG_CORS_DESC" />
         <field name="allow_headers" type="textarea" default="Authorization, Access-Control-Allow-Origin, Access-Control-Allow-Methods, X-Authorization, X-Compatibility-Mode, Content-Type, Accept" columns="5"

diff --git a/code/admin/language/en-GB/en-GB.com_api.ini b/code/admin/language/en-GB/en-GB.com_api.ini
@@ -86,7 +86,7 @@ COM_API_CONFIG_ALLOW_CORS_LBL="Allow Cross Origin Requests"
 COM_API_CONFIG_ALLOW_CORS_DESC="This configuration enables CORS support. Choose if you wish to enable CORS for only GET method or for all methods."
 COM_API_CONFIG_CORS_LBL="CORS URLs / Domains"
 COM_API_CONFIG_CORS_DESC="List of URLs for which to allow CORS requests. Put an asterisk (*) to allow CORS requests from all domains. Alternately put a comma separated list of URL's. Ex. https://techjoomla.com, http://example.com"
-COM_API_FORM_LBL_RATE_LIMIT="Hourly Rate Limit for Requests"
+COM_API_FORM_LBL_RATE_LIMIT="Rate Limit for Requests"
 COM_API_FORM_LBL_RATE_LIMIT_DESC="Put a number if you want to limit the number of requests made by a token in an hour to the configured value. An empty or 0 value allows unlimited requests"
 COM_API_EXCLD_WORDS="Exclude request variables from log"
 COM_API_EXCLD_WORDS_DESC="A comma separated list of request variables that will be redacted before being added to the API Request log"
@@ -97,6 +97,11 @@ COM_API_CONFIG_ALLOW_HEADER_DESC="Add comma separated values for Access-Control-
 COM_API_FILTER_DESC="Searches in User name, hash, Request URL, POST Data. <br />uid:number searches logs for a particular user"
 UNASSIGNED_HASH="No user for this API Key"
 
+COM_API_CONFIG_IPS_DESC="Ristrict APIs to specific IP address"
+COM_API_CONFIG_IPS_LBL="IP Address/IP Range/CIDR Block"
+COM_API_CONFIG_REQ_LT_LBL="Rate Frequency"
+COM_API_CONFIG_REQ_LT_DESC="Request limit frequency"
+
 ; Permissions
 JACTION_MANAGELOGS="Manage Logs"
 JACTION_MANAGELOGS_DESC="Allows users in this group to manage API logs."

diff --git a/code/site/language/en-GB/en-GB.com_api.ini b/code/site/language/en-GB/en-GB.com_api.ini
@@ -40,6 +40,7 @@ COM_API_NOT_AUTH_MSG="You are not authorized to view this resource."
 COM_API_RATE_LIMIT_EXCEEDED="API Rate Limit Exceeded"
 COM_API_UNAUTHORIZED_REGISTER="You are not authorized to create a key."
 COM_API_PLUGIN_NO_ENCODER="Content type cannot be encoded."
+COM_API_IP_RISRICTED="API Acess Is Not Allowed from your IP."
 
 COM_API_PUBLISHED="Published"
 COM_API_UNPUBLISHED="Unpublished"

diff --git a/code/site/libraries/plugin.php b/code/site/libraries/plugin.php
@@ -280,7 +280,7 @@ final public function getResourceAccess($resource, $method = 'GET', $returnParam
 	final public function fetchResource($resource_name = null)
 	{
 		$this->log();
-
+		$app = Factory::getApplication();
 		if ($resource_name == null)
 		{
 			$resource_name = $this->get('resource');
@@ -311,6 +311,16 @@ final public function fetchResource($resource_name = null)
 			ApiError::raiseError(403, Text::_('COM_API_RATE_LIMIT_EXCEEDED'), 'APIUnauthorisedException');
 		}
 
+		$ip_address = $app->input->server->get('REMOTE_ADDR', '', 'STRING');
+		$ips = $this->params->get('ip_address', '*');
+
+		if ($ips === "*"){}else{
+			if (!IpHelper::IPinList($ip_address,$ips))
+			{
+				ApiError::raiseError(403, Text::_('COM_API_IP_RISRICTED'), 'APIUnauthorisedException');
+			} 
+		}
+
 		$this->lastUsed();
 
 		if ($resource_obj !== false)
@@ -370,24 +380,27 @@ final private function checkRequestLimit()
 		$ip_address = $app->input->server->get('REMOTE_ADDR', '', 'STRING');
 
 		$time = $this->params->get('request_limit_time', 'hour');
-
+		$now = Factory::getDate();
 		switch ($time)
 		{
 			case 'day':
 				$offset = 60 * 60 * 24;
+				$now->modify('-1 day');
 				break;
 
 			case 'minute':
 				$offset = 60;
+				$now->modify('-1 minute');
 				break;
 
 			case 'hour':
 			default:
 				$offset = 60 * 60;
+				$now->modify('-1 hour');
 				break;
 		}
 
-		$query_time = time() - $offset;
+		$query_time = $now->toSql();
 
 		$db = Factory::getDBO();
 		$query = $db->getQuery(true);