Validate user role and DNSSEC_ADMINS_ONLY config on DNSSEC related routes

2024-11-08 14:40:27 +00:00 · 2018-06-07 09:28:14 +07:00 · 2018-06-07 09:28:14 +07:00 · 2958ae663c
commit 2958ae663c
parent 6f54b1a9de
4 changed files with 18 additions and 3 deletions
--- a/app/decorators.py
+++ b/app/decorators.py
@ -26,3 +26,13 @@ def can_access_domain(f):

        return f(*args, **kwargs)
    return decorated_function
+
+
+def can_configure_dnssec(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.user.role.name != 'Administrator' and app.config['DNSSEC_ADMINS_ONLY']:
+                return redirect(url_for('error', code=401))
+
+        return f(*args, **kwargs)
+    return decorated_function
--- a/app/models.py
+++ b/app/models.py
@ -849,7 +849,7 @@ class Domain(db.Model):
            try:
                jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + '/servers/localhost/zones/{0}/cryptokeys'.format(domain.name)), headers=headers, method='POST',data=post_data)
                if 'error' in jdata:
-                    return {'status': 'error', 'msg': 'DNSSEC is not enabled for this domain', 'jdata' : jdata}
+                    return {'status': 'error', 'msg': 'Cannot enable DNSSEC for this domain. Error: {0}'.format(jdata['error']), 'jdata' : jdata}
                else:
                    return {'status': 'ok'}
            except:
@ -871,7 +871,7 @@ class Domain(db.Model):
            try:
                jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + url), headers=headers, method='DELETE')
                if 'error' in jdata:
-                    return {'status': 'error', 'msg': 'DNSSEC is not disabled for this domain', 'jdata' : jdata}
+                    return {'status': 'error', 'msg': 'Cannot disable DNSSEC for this domain. Error: {0}'.format(jdata['error']), 'jdata' : jdata}
                else:
                    return {'status': 'ok'}
            except:
--- a/app/views.py
+++ b/app/views.py
@ -20,7 +20,7 @@ from werkzeug.security import gen_salt
 from .models import User, Domain, Record, Server, History, Anonymous, Setting, DomainSetting, DomainTemplate, DomainTemplateRecord
 from app import app, login_manager, github, google
 from app.lib import utils
-from app.decorators import admin_role_required, can_access_domain
+from app.decorators import admin_role_required, can_access_domain, can_configure_dnssec

 if app.config['SAML_ENABLED']:
    from onelogin.saml2.auth import OneLogin_Saml2_Auth
@ -807,6 +807,7 @@ def domain_dnssec(domain_name):
@app.route('/domain/<path:domain_name>/dnssec/enable', methods=['GET'])
@login_required
@can_access_domain
+@can_configure_dnssec
 def domain_dnssec_enable(domain_name):
    domain = Domain()
    dnssec = domain.enable_domain_dnssec(domain_name)
@ -816,6 +817,7 @@ def domain_dnssec_enable(domain_name):
@app.route('/domain/<path:domain_name>/dnssec/disable', methods=['GET'])
@login_required
@can_access_domain
+@can_configure_dnssec
 def domain_dnssec_disable(domain_name):
    domain = Domain()
    dnssec = domain.get_domain_dnssec(domain_name)
--- a/configs/development.py
+++ b/configs/development.py
@ -115,5 +115,8 @@ RECORDS_ALLOW_EDIT = ['SOA', 'A', 'AAAA', 'CAA', 'CNAME', 'MX', 'PTR', 'SPF', 'S
 FORWARD_RECORDS_ALLOW_EDIT = ['A', 'AAAA', 'CAA', 'CNAME', 'MX', 'PTR', 'SPF', 'SRV', 'TXT', 'LOC' 'NS']
 REVERSE_RECORDS_ALLOW_EDIT = ['SOA', 'TXT', 'LOC', 'NS', 'PTR']

+# ALLOW DNSSEC CHANGES FOR ADMINS ONLY
+DNSSEC_ADMINS_ONLY = True
+
 # EXPERIMENTAL FEATURES
 PRETTY_IPV6_PTR = False