Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Form Validation query - IsValidEmail

  • 1.  Form Validation query - IsValidEmail

    Posted May 16, 2012 09:30 PM

    Hi All,

     

    I'm trying to customise a form validation rule for a client but can't seem to get the desired functionality in order to set it up how the client wants.

     

    My current attempt is below.

     

    What I am trying to achieve is the following:

     

    1)  Allow users with email addresses ending in domain1.com or domain2.com. This includes any subdomains eg staff.domain1.com.

     

    2) Deny users from a specific sub domain and any other domain, eg user.domain1.com

     

    The problem I'm having is that the wildcard in the allow list seems to be checked before the specific match in the deny list. Is there any way the order of evaluation can be changed to reflect the configuration I require?

     

    Regards

    Scott

     

     

    array (
      'allow' =>
      array (
        0 => '*.domain1.com',
        1 => '*.domain2.com',
      ),
      'deny' =>
      array (
        0 => 'user.domain1.com',
        1 => '*',
      ),
    )



  • 2.  RE: Form Validation query - IsValidEmail

    Posted May 17, 2012 09:41 AM

    I'm not sure if you can do multiple allow and deny sentences, but if you can, perhaps something like this would work.  Deny specifics from domain1, then allow everything else from domain1 and domain2, then deny everything else.

     

    EDIT:  Actually, come to think of it, you may not need the last deny if everything not matched is just denied anyway.

     

    array (
      'deny' =>
      array (
        0 => 'user.domain1.com',
        1 => 'user2.domain1.com',
      ),
      'allow' =>
      array (
        0 => '*.domain1.com',
        1 => '*.domain2.com',
      ),
      'deny' =>
      array (
        0 => '*',
      ),
    )



  • 3.  RE: Form Validation query - IsValidEmail

    Posted May 20, 2012 06:09 PM

    Try the following instead:

     

    array (
      'order' => 'deny,allow',
      'default' => 'deny',
      'deny' => array ('user.domain1.com'),
      'allow' => array ('*.domain1.com', '*.domain2.com'),
    )

     

    This changes the match order to check the deny list first, followed by the allow list.

     

    It also changes the default to 'deny', so that any item not matched is excluded by default.  In this case you don't want the match-all "*" in the deny list, as it will never proceed to the allow list otherwise.

     

     



  • 4.  RE: Form Validation query - IsValidEmail

    Posted May 21, 2012 06:33 PM

    I'm doing something similar and am having issues.  I'm trying to deny users from a specific email domain, and allow everything else.  We're trying to keep users on our specific email domain from using that address to register for guest services using ClearPass, latest version 3.9.   It's our poor man's "keep valid accounts off guest" approach.  I'm using the email field and here is what I've got in the validation section, based on this thread:

     

    array (
      'order' => 'deny,allow',
      'default' => 'deny',
      'deny' =>
      array (
        0 => '*@xxx.edu',
      ),
      'allow' =>
      array (
        0 => '*',
      ),
    )

     

    No matter how many variations I use for the email domain, (*xxx.edu or *@xxx.edu) it allows me to register every time, when it should be denying me.  I'm using this directly in the email field, via the Validator Argument and with the "IsValidEmail" as the Validator and no Validator Param selected.   Am I missing something with this? Maybe a Typo or the wrong Validator maybe?

     

    Any help would be greatly appreciated.



  • 5.  RE: Form Validation query - IsValidEmail

    Posted May 22, 2012 08:49 AM

    Found my answer thanks to a local CSE.  Unfortunately, I had a typo and missed a trailing "," which killed my code.  Here's some documentation from Aruba to help you format your own statements:

     

    Starting in Amigopod v3.3, the isValidEmail validator allows you to specify a list of valid email addresses and a list of invalid ones, ie whitelist/blacklist. The person registering an account must use a valid email in the list or they will be denied access. To enable this feature, edit the "email" field of a form that creates a user. Most likely the form you will want to edit is the Register page of the self-registration page. Under the validator, choose IsValidEmail. The Validator Argument should pre-populate with the following:
    array (
      'allow' =>
      array (
      ),
      'deny' =>
      array (
      ),
    )
     
    If the allow array is empty, then it will accept any email not in the deny array. To only allow certain domains, edit the "allow" array and insert each valid domain.
    array (
      'allow' =>
      array (
        'goodemail.com',
        'alsovalid.edu',
      ),
      'deny' =>
      array (
      ),
    )
    Similarly, edit the "deny" array to block only certain domains.
    array (
      'allow' =>
      array (
      ),
      'deny' =>
      array (
        'invalid.org',
      ),
    )
    Save the page and test. It is also suggested to give a better error message to the end user if the email they entered is one of the blacklisted domains. This can be done in the same email field under Validation Error. Edit the error message text.
    How it works
    When using the IsValidEmail validator, the validator argument may be specified with a whitelist/blacklist of domain names. Use the syntax:
    array(
      'allow' => array(),
      'deny' => array(
        'gmail.com',
        'yahoo.com',
      )
    )
    The keys 'whitelist' and 'blacklist' may also be used for 'allow' and 'deny', respectively.
    An 'allow' or 'deny' value that is a string is converted to a single element array.
    Wildcard matching may be used on domain names: the prefix '*.' means match any domain that ends with the given suffix. A '*' component can also be used inside the hostname, and will match zero or more domain name components.
    If the 'allow' list is empty or unset, the default behavior is to accept ALL domains other than those listed in the 'deny' list.
    If the 'deny' list is empty or unset, the default behavior is to deny ALL domains other than those listed in the 'allow' list.
    If both 'allow' and 'deny' lists are provided, the default behavior is to accept a domain name that does not match any of the patterns provided. The 'allow' list is checked first, followed by 'deny'. To obtain the opposite behavior, specify the wildcard '*' as the last entry in the 'deny' list.
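
The evaluation rules quoted in the thread (list order, wildcard components, fallback when nothing matches) can be modelled to see why the first post's argument accepts the address it meant to block. This is an added example, not code from ClearPass/Amigopod or from any poster; the function names are hypothetical, and it assumes first-match-wins evaluation, that a leading `*.` also matches the bare domain, and that only the part after `@` is compared.

```php
<?php
// Added illustration: models the matching rules quoted in the thread; not ClearPass/Amigopod code.

// A '*' component matches zero or more domain labels; other labels must match exactly.
function domain_matches(string $pattern, string $domain): bool {
    $parts = array_map(
        fn($p) => $p === '*' ? '(?:[^.]+\.)*' : preg_quote($p, '/') . '\.',
        explode('.', strtolower($pattern))
    );
    // Append '.' to the domain so every label, including the last, ends in a dot.
    return preg_match('/^' . implode('', $parts) . '$/', strtolower($domain) . '.') === 1;
}

// Lists are walked in 'order'; the first list holding a matching pattern decides (assumption).
function is_domain_accepted(array $arg, string $email): bool {
    $at     = strrpos($email, '@');
    $domain = $at === false ? '' : substr($email, $at + 1);
    $allow  = (array) ($arg['allow'] ?? $arg['whitelist'] ?? []);
    $deny   = (array) ($arg['deny'] ?? $arg['blacklist'] ?? []);
    foreach (explode(',', $arg['order'] ?? 'allow,deny') as $list) {
        $isDeny = trim($list) === 'deny';
        foreach (($isDeny ? $deny : $allow) as $pattern) {
            if (domain_matches($pattern, $domain)) {
                return !$isDeny;
            }
        }
    }
    // No match: an explicit 'default' wins, else the documented fallbacks apply.
    if (isset($arg['default'])) {
        return $arg['default'] !== 'deny';
    }
    return !$allow || $deny;
}

// Validator arguments from the thread: the first post (quotes closed) and the 'order' variant.
$original  = ['allow' => ['*.domain1.com', '*.domain2.com'], 'deny' => ['user.domain1.com', '*']];
$reordered = ['order' => 'deny,allow', 'default' => 'deny',
              'deny' => ['user.domain1.com'], 'allow' => ['*.domain1.com', '*.domain2.com']];

// Constructed sample addresses.
foreach (['bob@staff.domain1.com', 'eve@user.domain1.com', 'mallory@example.org'] as $email) {
    printf("%-24s original=%-6s reordered=%s\n", $email,
        is_domain_accepted($original, $email) ? 'accept' : 'reject',
        is_domain_accepted($reordered, $email) ? 'accept' : 'reject');
}
```

Under this model the first post's argument accepts `eve@user.domain1.com`, because the allow wildcard matches before the deny entry is consulted, while the `'order' => 'deny,allow'` argument rejects it and still accepts `bob@staff.domain1.com`.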



  • 6.  RE: Form Validation query - IsValidEmail

    Posted May 23, 2012 02:18 AM

    Hi All,

     

    Thanks for the suggestions, as soon as I can get in front of the client's server again I'll try some of these ideas out and advise.

     

    Scott

     



  • 7.  RE: Form Validation query - IsValidEmail

    Posted Oct 17, 2014 04:10 PM

    I have gotten this to work with the following code:

     

    array (
      'allow' =>
      array (
        0 => 'domain.ca',
      ),
      'deny' =>
      array (
      ),
    )

     

    But, when I try to specify the email address ('user.domain.ca' or 'user@domain.ca'), it doesn't work.  Has anyone gotten this to work using email addresses, not domains?