Validate user role and DNSSEC_ADMINS_ONLY config on DNSSEC related routes

app/decorators.py

@@ -26,3 +26,13 @@ def can_access_domain(f):
 
         return f(*args, **kwargs)
     return decorated_function
+
+
+def can_configure_dnssec(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.user.role.name != 'Administrator' and app.config['DNSSEC_ADMINS_ONLY']:
+                return redirect(url_for('error', code=401))
+
+        return f(*args, **kwargs)
+    return decorated_function

app/models.py

@@ -849,7 +849,7 @@ class Domain(db.Model):
             try:
                 jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + '/servers/localhost/zones/{0}/cryptokeys'.format(domain.name)), headers=headers, method='POST',data=post_data)
                 if 'error' in jdata:
-                    return {'status': 'error', 'msg': 'DNSSEC is not enabled for this domain', 'jdata' : jdata}
+                    return {'status': 'error', 'msg': 'Cannot enable DNSSEC for this domain. Error: {0}'.format(jdata['error']), 'jdata' : jdata}
                 else:
                     return {'status': 'ok'}
             except:
@@ -871,7 +871,7 @@ class Domain(db.Model):
             try:
                 jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + url), headers=headers, method='DELETE')
                 if 'error' in jdata:
-                    return {'status': 'error', 'msg': 'DNSSEC is not disabled for this domain', 'jdata' : jdata}
+                    return {'status': 'error', 'msg': 'Cannot disable DNSSEC for this domain. Error: {0}'.format(jdata['error']), 'jdata' : jdata}
                 else:
                     return {'status': 'ok'}
             except:

app/views.py

@@ -20,7 +20,7 @@ from werkzeug.security import gen_salt
 from .models import User, Domain, Record, Server, History, Anonymous, Setting, DomainSetting, DomainTemplate, DomainTemplateRecord
 from app import app, login_manager, github, google
 from app.lib import utils
-from app.decorators import admin_role_required, can_access_domain
+from app.decorators import admin_role_required, can_access_domain, can_configure_dnssec
 
 if app.config['SAML_ENABLED']:
     from onelogin.saml2.auth import OneLogin_Saml2_Auth
@@ -807,6 +807,7 @@ def domain_dnssec(domain_name):
 @app.route('/domain/<path:domain_name>/dnssec/enable', methods=['GET'])
 @login_required
 @can_access_domain
+@can_configure_dnssec
 def domain_dnssec_enable(domain_name):
     domain = Domain()
     dnssec = domain.enable_domain_dnssec(domain_name)
@@ -816,6 +817,7 @@ def domain_dnssec_enable(domain_name):
 @app.route('/domain/<path:domain_name>/dnssec/disable', methods=['GET'])
 @login_required
 @can_access_domain
+@can_configure_dnssec
 def domain_dnssec_disable(domain_name):
     domain = Domain()
     dnssec = domain.get_domain_dnssec(domain_name)

configs/development.py

@@ -115,5 +115,8 @@ RECORDS_ALLOW_EDIT = ['SOA', 'A', 'AAAA', 'CAA', 'CNAME', 'MX', 'PTR', 'SPF', 'S
 FORWARD_RECORDS_ALLOW_EDIT = ['A', 'AAAA', 'CAA', 'CNAME', 'MX', 'PTR', 'SPF', 'SRV', 'TXT', 'LOC' 'NS']
 REVERSE_RECORDS_ALLOW_EDIT = ['SOA', 'TXT', 'LOC', 'NS', 'PTR']
 
+# ALLOW DNSSEC CHANGES FOR ADMINS ONLY
+DNSSEC_ADMINS_ONLY = True
+
 # EXPERIMENTAL FEATURES
 PRETTY_IPV6_PTR = False