diff --git a/docs/policies/expression.md b/docs/policies/expression.md
index 0796cb5ed..9c137646d 100644
--- a/docs/policies/expression.md
+++ b/docs/policies/expression.md
@@ -26,7 +26,11 @@ return False
 - `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
 - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
 - `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
-- `pb_client_ip`: Client's IP Address or '255.255.255.255' if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses)
+- `pb_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses), for example
+
+ ```python
+ return pb_client_ip in ip_network('10.0.0.0/24')
+ ```
 Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object.
diff --git a/passbook/policies/expression/evaluator.py b/passbook/policies/expression/evaluator.py
index d50bca8f1..dcbb8e6a6 100644
--- a/passbook/policies/expression/evaluator.py
+++ b/passbook/policies/expression/evaluator.py
@@ -1,5 +1,5 @@
 """passbook expression policy evaluator"""
-from ipaddress import ip_address
+from ipaddress import ip_address, ip_network
 from typing import List
 from django.http import HttpRequest
@@ -22,6 +22,8 @@ class PolicyEvaluator(BaseEvaluator):
 super().__init__()
 self._messages = []
 self._context["pb_message"] = self.expr_func_message
+ self._context["ip_address"] = ip_address
+ self._context["ip_network"] = ip_network
 self._filename = policy_name or "PolicyEvaluator"
 def expr_func_message(self, message: str):
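Review bot: The two `self._context[...]` assignments added in the `@@ -22,6 +22,8 @@` hunk of `passbook/policies/expression/evaluator.py` expose `ip_address` and `ip_network` to every policy expression without a comment on the semantics an author writing an IP allow-list has to know. `ip_network()` is strict by default and raises `ValueError` when the prefix has host bits set (for example `'10.0.0.1/24'`), and an `in` test between an IPv4 network and an IPv6 address evaluates to False rather than raising, so a client seen as an IPv4-mapped IPv6 address would not match an IPv4 range. How an exception raised inside an expression becomes a policy result is not visible here; it is worth confirming that a failed evaluation denies rather than passes. I would add above the assignments something like `# Exposed to expressions for IP range checks; ip_network() is strict (ValueError on host bits) and v4/v6 mismatches compare False`. The `__init__` body starts outside the hunk.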