Add an option to allow ordinary users to create domains

This commit is contained in:
Khanh Ngo 2018-09-01 17:53:05 +07:00
parent 38d1d85a18
commit 3481af149b
No known key found for this signature in database
GPG Key ID: B9AE3BAF6D5A7B22
6 changed files with 33 additions and 7 deletions


@ -61,3 +61,18 @@ def can_configure_dnssec(f):
return f(*args, **kwargs) return f(*args, **kwargs)
return decorated_function return decorated_function
def can_create_domain(f):
"""
Grant access if:
- user is in Operator role or higher, or
- allow_user_create_domain is on
"""
@wraps(f)
def decorated_function(*args, **kwargs):
if g.user.role.name not in ['Administrator', 'Operator'] and not Setting().get('allow_user_create_domain'):
return redirect(url_for('error', code=401))
return f(*args, **kwargs)
return decorated_function
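Review bot: The check in `decorated_function` fails open if `Setting().get('allow_user_create_domain')` returns the stored string instead of a bool: the migration in this same commit seeds the row with `'value': 'False'`, and `not 'False'` evaluates to False, so the redirect would never fire and every authenticated user would reach domain_add. Whether get() coerces 'True'/'False' strings is not visible in this hunk, so either confirm it does or make the gate explicit, e.g. `allowed = Setting().get('allow_user_create_domain') is True` followed by `if g.user.role.name not in ['Administrator', 'Operator'] and not allowed:`. The decorator also reads `g.user` while the view it guards uses `current_user`; the two are presumably the same object here, but it is worth checking that `g.user` is always populated before this decorator runs, since an AttributeError would surface as a 500 rather than a denial. The preceding `can_configure_dnssec` starts outside the hunk.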


@ -1799,6 +1799,7 @@ class Setting(db.Model):
'allow_quick_edit': True, 'allow_quick_edit': True,
'pretty_ipv6_ptr': False, 'pretty_ipv6_ptr': False,
'dnssec_admins_only': False, 'dnssec_admins_only': False,
'allow_user_create_domain': False,
'bg_domain_updates': False, 'bg_domain_updates': False,
'site_name': 'PowerDNS-Admin', 'site_name': 'PowerDNS-Admin',
'pdns_api_url': '', 'pdns_api_url': '',


@ -69,7 +69,7 @@
<script> <script>
// set up history data table // set up history data table
$("#tbl_settings").DataTable({ $("#tbl_settings").DataTable({
"paging" : true, "paging" : false,
"lengthChange" : false, "lengthChange" : false,
"searching" : true, "searching" : true,
"ordering" : true, "ordering" : true,


@ -108,10 +108,12 @@
<li class="{{ 'active' if active_page == 'dashboard' else '' }}"> <li class="{{ 'active' if active_page == 'dashboard' else '' }}">
<a href="{{ url_for('dashboard') }}"><i class="fa fa-dashboard"></i> Dashboard</a> <a href="{{ url_for('dashboard') }}"><i class="fa fa-dashboard"></i> Dashboard</a>
</li> </li>
{% if current_user.role.name in ['Administrator', 'Operator'] %} {% if SETTING.get('allow_user_create_domain') %}
<li class="{{ 'active' if active_page == 'new_domain' else '' }}"> <li class="{{ 'active' if active_page == 'new_domain' else '' }}">
<a href="{{ url_for('domain_add') }}"><i class="fa fa-plus"></i> New Domain</a> <a href="{{ url_for('domain_add') }}"><i class="fa fa-plus"></i> New Domain</a>
</li> </li>
{% endif %}
{% if current_user.role.name in ['Administrator', 'Operator'] %}
<li class="header">ADMINISTRATION</li> <li class="header">ADMINISTRATION</li>
<li class="{{ 'active' if active_page == 'admin_console' else '' }}"> <li class="{{ 'active' if active_page == 'admin_console' else '' }}">
<a href="{{ url_for('admin_pdns') }}"><i class="fa fa-info-circle"></i> PDNS</a> <a href="{{ url_for('admin_pdns') }}"><i class="fa fa-info-circle"></i> PDNS</a>
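Review bot: The new condition on the "New Domain" item replaces the role check rather than extending it, so Administrators and Operators lose the link whenever `allow_user_create_domain` is off, even though `can_create_domain` still permits them to create domains. Use `{% if SETTING.get('allow_user_create_domain') or current_user.role.name in ['Administrator', 'Operator'] %}` so the menu agrees with the decorator. Hiding the link is only a convenience; the decorator on the route is the actual access control and must not be replaced by template logic.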


@ -19,7 +19,7 @@ from .models import User, Account, Domain, Record, Role, Server, History, Anonym
from app import app, login_manager from app import app, login_manager
from app.lib import utils from app.lib import utils
from app.oauth import github_oauth, google_oauth from app.oauth import github_oauth, google_oauth
from app.decorators import admin_role_required, operator_role_required, can_access_domain, can_configure_dnssec from app.decorators import admin_role_required, operator_role_required, can_access_domain, can_configure_dnssec, can_create_domain
if app.config['SAML_ENABLED']: if app.config['SAML_ENABLED']:
from onelogin.saml2.utils import OneLogin_Saml2_Utils from onelogin.saml2.utils import OneLogin_Saml2_Utils
@ -598,7 +598,7 @@ def domain(domain_name):
@app.route('/admin/domain/add', methods=['GET', 'POST']) @app.route('/admin/domain/add', methods=['GET', 'POST'])
@login_required @login_required
@operator_role_required @can_create_domain
def domain_add(): def domain_add():
templates = DomainTemplate.query.all() templates = DomainTemplate.query.all()
if request.method == 'POST': if request.method == 'POST':
@ -627,6 +627,11 @@ def domain_add():
if result['status'] == 'ok': if result['status'] == 'ok':
history = History(msg='Add domain {0}'.format(domain_name), detail=str({'domain_type': domain_type, 'domain_master_ips': domain_master_ips, 'account_id': account_id}), created_by=current_user.username) history = History(msg='Add domain {0}'.format(domain_name), detail=str({'domain_type': domain_type, 'domain_master_ips': domain_master_ips, 'account_id': account_id}), created_by=current_user.username)
history.add() history.add()
# grant user access to the domain
Domain(name=domain_name).grant_privielges([current_user.username])
# apply template if needed
if domain_template != '0': if domain_template != '0':
template = DomainTemplate.query.filter(DomainTemplate.id == domain_template).first() template = DomainTemplate.query.filter(DomainTemplate.id == domain_template).first()
template_records = DomainTemplateRecord.query.filter(DomainTemplateRecord.template_id == domain_template).all() template_records = DomainTemplateRecord.query.filter(DomainTemplateRecord.template_id == domain_template).all()
@ -693,6 +698,7 @@ def domain_management(domain_name):
new_user_list = request.form.getlist('domain_multi_user[]') new_user_list = request.form.getlist('domain_multi_user[]')
# grant/revoke user privielges # grant/revoke user privielges
d = Domain(name=domain_name)
d.grant_privielges(new_user_list) d.grant_privielges(new_user_list)
history = History(msg='Change domain {0} access control'.format(domain_name), detail=str({'user_has_access': new_user_list}), created_by=current_user.username) history = History(msg='Change domain {0} access control'.format(domain_name), detail=str({'user_has_access': new_user_list}), created_by=current_user.username)
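Review bot: Replacing `@operator_role_required` with `@can_create_domain` exposes the entire domain_add POST handler to ordinary users, yet the handler still accepts `domain_type`, `domain_master_ips` and `account_id` from the form (they appear in the History detail at the top of the hunk) with no role-dependent restriction in this diff. If those values are forwarded to PowerDNS and the account model unchanged, a non-privileged user could create a slave zone that transfers from master IPs they control, or attach the zone to an account they do not belong to; the form-parsing lines are outside the hunk, so confirm there, and consider forcing `domain_type` and ignoring or validating `account_id` when `current_user.role.name not in ['Administrator', 'Operator']`. The self-grant `Domain(name=domain_name).grant_privielges([current_user.username])` is unconditional and, judging by how domain_management passes the full user list to the same method, appears to replace the access list rather than append to it, so verify that is the intended outcome for Administrator-created domains. The History entry should also record the automatic grant so the audit trail shows who received access to the new zone.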


@ -24,10 +24,11 @@ def update_data():
sa.sql.column('view', sa.String) sa.sql.column('view', sa.String)
) )
# add ldap_operator_group setting # add new settings
op.bulk_insert(setting_table, op.bulk_insert(setting_table,
[ [
{'id': 44, 'name': 'ldap_operator_group', 'value': '', 'view': 'authentication'}, {'id': 44, 'name': 'ldap_operator_group', 'value': '', 'view': 'authentication'},
{'id': 45, 'name': 'allow_user_create_domain', 'value': 'False', 'view': 'basic'},
] ]
) )
@ -54,5 +55,6 @@ def downgrade():
op.execute("UPDATE user SET role_id = 2 WHERE role_id=3") op.execute("UPDATE user SET role_id = 2 WHERE role_id=3")
op.execute("DELETE FROM role WHERE name = 'Operator'") op.execute("DELETE FROM role WHERE name = 'Operator'")
# delete ldap setting # delete settings
op.execute("DELETE FROM setting WHERE name = 'ldap_operator_group'") op.execute("DELETE FROM setting WHERE name = 'ldap_operator_group'")
op.execute("DELETE FROM setting WHERE name = 'allow_user_create_domain'")
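Review bot: The new row is added to a migration that already exists (it sits beside the existing `ldap_operator_group` insert and the Operator role cleanup), so any database that has already applied this revision will never receive the `allow_user_create_domain` row; whether `Setting().get` falls back to the model defaults for a missing row is not shown here, so either verify that or put the insert in a fresh Alembic revision. The row is seeded with the string `'False'` while the model default in models.py is the bool `False`; both paths must yield a bool by the time the decorator tests it, because a truthy `'False'` string would silently disable the role check. The hard-coded `'id': 45` matches the existing pattern but will collide if that id has already been taken on an upgraded instance.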