Allow enabling only for specified groups

[Magissia]

Greetings,
Being able to enable the plugin only for specific users/groups would be useful.

[jalcine]

Something like this would require a new table to be created.

[Tsuroerusu]

I would like to emphasize the ability to restrict user login for specific users. That way, I could have my admin account only be accessible from my local LAN, and my non-admin accounts from anywhere else.

[christophermstaats]

I'm going to have to throw in with this idea. From an enterprise security standpoint I can't sacrifice functionality for security if it means the primary purpose of the application cannot be fulfilled. Restricting down accounts with admin permissions is a must, restricting a traveling sales engineer will result in serious issues since they go from hotel to hotel and there is no way to predict what network he will be hitting the server from on login.

[tiandiyiqi]

This is very userful ,
Hypothetical working environment:
A user can login at anywhere;
B user can login at (192.168.. ; 200.23.45.34;...)
C user can login at (192.168.. )
I'm looking forward to having this function.
Please!

[prakash9999in]

Can we expect this for specific user/group anytime soon. It would be very useful.

Thanks and Regards

[dalagr]

I would like to put emphasis on this. We would love the ability to restrict administrators to only be able to login within the internal network,

[Luticus]

I'm interested in this as well, specifically for admin/service accounts. For those it would make since to say they could only log in from the local ip range, where other users have either no restriction or their own custom restrictions as well. I think that would make this app a lot more useful.

[pierrecorsini]

This feature is required, access rule on file does only cover file access and is limited (no OR rule).

[szaimen]

This feature would definitely be great to have!

[jospoortvliet]

Contributions are welcome - this app is pretty simple, it should not be terribly hard to do a PR that adds this functionality. In the mean time, thanks for sharing the idea - please refrain from posting more "me too" replies, better use the Github feature to up-vote a comment or something to signal your agreement. Otherwise this gets very long ;-)

[ihsystems]

I would like to put emphasis on this. We would love the ability to restrict administrators to only be able to login within the internal network,

Agree this will be a very desirable enhancement . also a comment line for each IP address to associate

[NoobTroll]

+1
this would be extremely usefully for me

[SinghNanak]

+1
I'm also interested. this will be a game changer

[SinghNanak]

any update if this would be supported for latest nextcloud version.

[SinghNanak]

I was looking for something like this Authorised Networks.

[gonzalo]

+1 here. This definitely must have feature of this app. We would like to apply this for admin accounts making it available only for local network or vpn connection.

[captainstarfish]

Do you really need a table? Seems you might be able to provide a lot of functionality by enriching the config value format.

Perhaps add a couple of options to the start of each ip address:
IPLIST = IPBLOCK[,IPLIST]
IPBLOCK = [!][group name#][cidr]

! indicates a blacklist, ie !192.168.1.0/8 means anything but that range.
omitting the group spot or replacing with a wildcard * is "anyone"
omitting the address spot or replacing with a wildcard * is "anywhere"

Evaluate left to right, action on first match(ish). Examples:

Backward compatibility. Allow access to all from local network and host
occ config:app:set limit_login_to_ip whitelisted.ranges --value IPLIST 127.0.0.0/24,192.168.0.0/24

Allow access to a restricted group only from the local network, everyone else can connect from outside
--value IPLIST LocalOnly#127.0.0.0/24,LocalOnly#192.168.0.0/24,!LocalOnly#,
Note trailing comma has a value with empty IPBLOCK meaning "everyone, anywhere". LocalOnly members will match and be allowed from local host or network, be blocked anywhere else, non-members will drop through to the open access. It could also be specified as
--value IPLIST LocalOnly#127.0.0.0/24,LocalOnly#192.168.0.0/24,!LocalOnly#,#*

Similarly, allowing access to restricted IDs from the internet but defaulting local otherwise:
--value IPLIST 127.0.0.0/24,192.168.0.0/24,RemoteOnly#,!#*
or
-- value IPLIST 127.0.0.0/24,192.168.0.0/24,RemoteOnly#,!

Is that maybe something you could parse and walk within IsRequestAllowed?