Add config option to allow DNSSEC changes only for admins

DNSSEC requires changes to the parent domain, which in many cases requires special access to a registry or the like.
For that reason, especially the option to disable DNSSEC can be dangerous - if DNSSEC is disabled in PowerDNS but not in the registry, the domain stops working.

For this reason, adding an option to disable DNSSEC changes for non-admins seems reasonable.

(cherry picked from commit 5cdfc0263b07f4658d51cf7c038fea9a8911152a)
This commit is contained in:
Thomas M Steenholdt 2018-06-06 08:42:57 -02:00
parent 0fb6e10cf5
commit 10f47039ec
3 changed files with 7 additions and 1 deletions

View File

@ -224,6 +224,7 @@
modal.modal('show');
});
{% if current_user.role.name == 'Administrator' or dnssec_adm_only == false %}
$(document.body).on("click", ".button_dnssec", function() {
var domain = $(this).prop('id');
getdnssec($SCRIPT_ROOT + '/domain/' + domain + '/dnssec', domain);
@ -240,6 +241,7 @@
enable_dns_sec($SCRIPT_ROOT + '/domain/' + domain + '/dnssec/disable');
});
{% endif %}
</script>
{% endblock %}
{% block modals %}

View File

@ -472,7 +472,8 @@ def dashboard():
uptime = list([uptime for uptime in statistics if uptime['name'] == 'uptime'])[0]['value']
else:
uptime = 0
return render_template('dashboard.html', domain_count=domain_count, users=users, history_number=history_number, uptime=uptime, histories=history,pdns_version=app.config['PDNS_VERSION'])
return render_template('dashboard.html', domain_count=domain_count, users=users, history_number=history_number, uptime=uptime, histories=history, dnssec_adm_only=app.config['DNSSEC_ADMINS_ONLY'], pdns_version=app.config['PDNS_VERSION'])
@app.route('/dashboard-domains', methods=['GET'])

View File

@ -125,5 +125,8 @@ RECORDS_ALLOW_EDIT = ['SOA', 'A', 'AAAA', 'CAA', 'CNAME', 'MX', 'PTR', 'SPF', 'S
FORWARD_RECORDS_ALLOW_EDIT = ['A', 'AAAA', 'CAA', 'CNAME', 'MX', 'PTR', 'SPF', 'SRV', 'TXT', 'LOC' 'NS']
REVERSE_RECORDS_ALLOW_EDIT = ['SOA', 'TXT', 'LOC', 'NS', 'PTR']
# ALLOW DNSSEC CHANGES FOR ADMINS ONLY
DNSSEC_ADMINS_ONLY = False
# EXPERIMENTAL FEATURES
PRETTY_IPV6_PTR = False