diff --git a/rhodecode/lib/base.py b/rhodecode/lib/base.py
--- a/rhodecode/lib/base.py
+++ b/rhodecode/lib/base.py
@@ -20,7 +20,7 @@ from rhodecode import __version__, BACKE
 from rhodecode.lib.utils2 import str2bool, safe_unicode, AttributeDict,\
     safe_str, safe_int
 from rhodecode.lib.auth import AuthUser, get_container_username, authfunc,\
-    HasPermissionAnyMiddleware, CookieStoreWrapper
+    HasPermissionAnyMiddleware, CookieStoreWrapper, check_ip_access
 from rhodecode.lib.utils import get_repo_slug, invalidate_cache
 from rhodecode.model import meta
 
@@ -101,7 +101,7 @@ class BaseVCSController(object):
         #authenticate this mercurial request using authfunc
         self.authenticate = BasicAuth('', authfunc,
                                       config.get('auth_ret_code'))
-        self.ipaddr = '0.0.0.0'
+        self.ip_addr = '0.0.0.0'
 
     def _handle_request(self, environ, start_response):
         raise NotImplementedError()
@@ -136,7 +136,7 @@ class BaseVCSController(object):
         """
         invalidate_cache('get_repo_cached_%s' % repo_name)
 
-    def _check_permission(self, action, user, repo_name):
+    def _check_permission(self, action, user, repo_name, ip_addr=None):
         """
         Checks permissions using action (push/pull) user and repository
         name
@@ -145,6 +145,14 @@ class BaseVCSController(object):
         :param user: user instance
         :param repo_name: repository name
         """
+        #check IP
+        allowed_ips = AuthUser.get_allowed_ips(user.user_id)
+        if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False:
+            log.info('Access for IP:%s forbidden, '
+                     'not in %s' % (ip_addr, allowed_ips))
+            return False
+        else:
+            log.info('Access for IP:%s allowed' % (ip_addr))
         if action == 'push':
             if not HasPermissionAnyMiddleware('repository.write',
                                               'repository.admin')(user,
@@ -235,6 +243,9 @@ class BaseVCSController(object):
 class BaseController(WSGIController):
 
     def __before__(self):
+        """
+        __before__ is called before controller methods and after __call__
+        """
         c.rhodecode_version = __version__
         c.rhodecode_instanceid = config.get('instance_id')
         c.rhodecode_name = config.get('rhodecode_title')
@@ -258,7 +269,6 @@ class BaseController(WSGIController):
 
         self.sa = meta.Session
         self.scm_model = ScmModel(self.sa)
-        self.ip_addr = ''
 
     def __call__(self, environ, start_response):
         """Invoke the Controller"""
@@ -273,7 +283,7 @@ class BaseController(WSGIController):
             cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
             user_id = cookie_store.get('user_id', None)
             username = get_container_username(environ, config)
-            auth_user = AuthUser(user_id, api_key, username)
+            auth_user = AuthUser(user_id, api_key, username, self.ip_addr)
             request.user = auth_user
             self.rhodecode_user = c.rhodecode_user = auth_user
             if not self.rhodecode_user.is_authenticated and \