feat: Option to forbid the creation of domain if it exists as a record (#1127)

When enabled, forbids the creation of a domain if it exists as a record in one of its parent domains (administrators and operators are not limited though).
2025-07-06 22:24:05 +00:00 · 2022-06-17 18:50:51 +03:00
parent 1112105683
commit 1926b862b8
7 changed files with 120 additions and 5 deletions
--- a/powerdnsadmin/decorators.py
+++ b/powerdnsadmin/decorators.py
@ -6,7 +6,7 @@ from flask_login import current_user

 from .models import User, ApiKey, Setting, Domain, Setting
 from .lib.errors import RequestIsNotJSON, NotEnoughPrivileges
-from .lib.errors import DomainAccessForbidden
+from .lib.errors import DomainAccessForbidden, DomainOverrideForbidden

 def admin_role_required(f):
    """
@ -259,6 +259,13 @@ def api_can_create_domain(f):
            msg = "User {0} does not have enough privileges to create domain"
            current_app.logger.error(msg.format(current_user.username))
            raise NotEnoughPrivileges()
+        
+        if Setting().get('deny_domain_override'):
+            req = request.get_json(force=True)
+            domain = Domain()
+            if req['name'] and domain.is_overriding(req['name']):
+                raise DomainOverrideForbidden()
+
        return f(*args, **kwargs)

    return decorated_function
@ -269,6 +276,9 @@ def apikey_can_create_domain(f):
    Grant access if:
        - user is in Operator role or higher, or
        - allow_user_create_domain is on
+        and
+        - deny_domain_override is off or
+        - override_domain is true (from request)
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
@ -278,6 +288,13 @@ def apikey_can_create_domain(f):
            msg = "ApiKey #{0} does not have enough privileges to create domain"
            current_app.logger.error(msg.format(g.apikey.id))
            raise NotEnoughPrivileges()
+
+        if Setting().get('deny_domain_override'):
+            req = request.get_json(force=True)
+            domain = Domain()
+            if req['name'] and domain.is_overriding(req['name']):
+                raise DomainOverrideForbidden()
+
        return f(*args, **kwargs)

    return decorated_function