We'd like to have the ability to restrict what IP addresses people can access repositories and code reviews from, while still allowing access to other resources on Phabricator. This is so that we can allow access to repositories from within the office and build servers, while preventing access from home.
You may be able to implement this as an extension (subclass PhabricatorPolicyRule).
Getting it right in non-web contexts seems tricky. For example:
- If we're generating mail in a daemon, we probably want to automatically pass these constraints, so these users can get email about repositories.
- But, if we're processing email, we probably want to automatically fail these constraints, so users can't interact with these objects when not on approved subnets?
So I think we'd have to add some new concept to cover the various cases where we don't have a reliable remote IP.
We haven't seen other requests for this in nearly two years, and it can likely be implemented as an extension, except possibly for the weird cases mentioned above.
I think this access pattern (versus using a VPN?) is fairly unusual. I do expect that tokens/keys will get more flexible ways to configure access in the future (e.g., T11277 and related tasks, possibly including the ability to restrict source IPs) which might address some of this, although not exactly the original use case.
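Added example, not part of the original thread and not Phabricator code: a standalone Python model of the cases discussed above, where a network-based policy rule has to decide by request origin because some contexts have no reliable remote IP. The `Origin` names, the `passes_network_rule` function and the sample networks are assumptions made for illustration.

```python
import ipaddress
from enum import Enum


class Origin(Enum):
    """Hypothetical request origins; these names are not Phabricator concepts."""
    WEB = "web"                      # request carrying a trustworthy remote address
    OUTBOUND_MAIL = "outbound_mail"  # daemon generating notification mail
    INBOUND_MAIL = "inbound_mail"    # daemon processing a reply sent by e-mail
    UNKNOWN = "unknown"              # any context nobody has classified yet


# Constructed sample networks (documentation ranges), standing in for office
# and build-server subnets.
APPROVED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]


def passes_network_rule(origin, remote_ip=None, approved=APPROVED):
    """Return True if a viewer in this context satisfies the network constraint."""
    # Generating mail: pass automatically, so restricted users still get
    # e-mail about repositories.
    if origin is Origin.OUTBOUND_MAIL:
        return True
    # Processing mail, or any unclassified context: fail automatically,
    # because there is no remote address to evaluate.
    if origin is not Origin.WEB or remote_ip is None:
        return False
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # an unparseable address never matches
    # Treat an IPv4-mapped IPv6 address (::ffff:a.b.c.d) as the IPv4 address
    # it wraps, so dual-stack listeners are matched against IPv4 networks.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in approved)
```

Only the outbound-mail case passes without an address; every other context without a verifiable remote IP is denied.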