From 3688add76afe96e3366976edc4a1bfcbf2a8ae9b Mon Sep 17 00:00:00 2001
From: Rauno Tuul
Date: Mon, 13 Feb 2023 12:10:44 +0200
Subject: [PATCH] Global Search available for all users. Apply allowed domain filter for standard users search result.
---
 powerdnsadmin/routes/admin.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py
index 609f875..77c027d 100644
--- a/powerdnsadmin/routes/admin.py
+++ b/powerdnsadmin/routes/admin.py
@@ -2021,7 +2021,6 @@ def delete_template(template):

 @admin_bp.route('/global-search', methods=['GET'])
 @login_required
-@operator_role_required
 def global_search():
 if request.method == 'GET':
 domains = []
@@ -2033,6 +2032,22 @@ def global_search():
 server = Server(server_id='localhost')
 results = server.global_search(object_type='all', query=query)

+ # Filter results to domains to which the user has access permission
+ if current_user.role.name not in [ 'Administrator', 'Operator' ]:
+ allowed_domains = db.session.query(Domain) \
+ .outerjoin(DomainUser, Domain.id == DomainUser.domain_id) \
+ .outerjoin(Account, Domain.account_id == Account.id) \
+ .outerjoin(AccountUser, Account.id == AccountUser.account_id) \
+ .filter(
+ db.or_(
+ DomainUser.user_id == current_user.id,
+ AccountUser.user_id == current_user.id
+ )) \
+ .with_entities(Domain.name) \
+ .all()
+ allowed_domains = [value for value, in allowed_domains]
+ results = list(filter(lambda r: r['zone_id'][:-1] in allowed_domains, results))
+
 # Format the search result
 for result in results:
 if result['object_type'] == 'zone':
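Review bot: With `@operator_role_required` removed in the first hunk, the filter added in the second hunk is the only access check on `/global-search` for standard users, and it depends on `r['zone_id'][:-1]` being exactly equal to `Domain.name`. As far as I know the PowerDNS API treats zone ids as opaque, so a zone whose id is not simply the name plus a trailing dot would be dropped without notice, and a result lacking `zone_id` would raise `KeyError`; both fail closed, but the assumption should be stated in a comment next to the filter. I would build the allow-list as a set once and compare defensively: `allowed = {name for name, in allowed_domains}` followed by `results = [r for r in results if r.get('zone_id', '').rstrip('.') in allowed]`. `global_search` starts before and continues past this hunk, so it is worth confirming that the formatting loop below reads only from the filtered `results`, and adding a test that a standard user never sees a zone, record or comment from a domain they were not granted.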