From 5f494efeb0a81620a8426f25a84a53c23ef85c6e Mon Sep 17 00:00:00 2001
From: Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
Date: Mon, 1 Apr 2024 15:51:24 -0700
Subject: [PATCH] update ADMINIP checks to work with array or single var

---
 panel/classes/Panel/Login.php | 21 ++++++++++++++++++---
 panel/config/config.ini       |  2 +-
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/panel/classes/Panel/Login.php b/panel/classes/Panel/Login.php
index 909e9e1..5ec3d7b 100644
--- a/panel/classes/Panel/Login.php
+++ b/panel/classes/Panel/Login.php
@@ -19,15 +19,30 @@ class Login extends \Panel {
 
   static function get($f3) {
 
-    /* requests from ADMINIP are automatically authenticated */
-    if ($f3->get('ADMINIP') != '' && $f3->get('ADMINIP') == $f3->get('IP')) {
+    /**
+     * Requests from ADMINIP are automatically authenticated
+     * ADMINIP can either be a single IP, or an array
+     */
+
+    $autologin = FALSE;
+    if ($f3->get('ADMINIP') != '') {
+      if (is_array($f3->get('ADMINIP'))) {
+        if (in_array($f3->get('IP'), $f3->get('ADMINIP'))) {
+          $autologin = TRUE;
+        }
+      } elseif (($f3->get('ADMINIP') == $f3->get('IP'))) {
+        $autologin = TRUE;
+      }
+    }
+
+    if ($autologin === TRUE) {
       $f3->set('SESSION.expiration', time() + $f3->get('TIMEOUT'));
       $f3->set('SESSION.access', 'admin');
       $messages[] = "You have been automatically logged in with connection from Admin IP " . $f3->get('IP');
       $f3->set('SESSION.messages', $messages);
       $f3->reroute('/');
     } else {
-      /* all others must log in with valid username */
+      /* ADMINIP checks returned false, client must log in with valid username */
       echo \Template::instance()->render('login.html');
     }
 
diff --git a/panel/config/config.ini b/panel/config/config.ini
index 96c9a62..9f1f339 100644
--- a/panel/config/config.ini
+++ b/panel/config/config.ini
@@ -18,7 +18,7 @@ CASELESS=FALSE
 CACHE=TRUE
 ; Session lifetime in seconds
 TIMEOUT=900
-; Remote IP address that is automatically logged in without auth
+; Remote IP address that is automatically logged in without auth (can be single IP or comma separated array of IPs)
 ADMINIP=
 ; Jail new users by default. 1 = Yes, blank or 0 = No
 JAILUSER=1