Extend api with account and user management

2025-07-06 22:24:05 +00:00 · 2020-01-27 12:38:38 +00:00
parent 1cd423041c
commit 4d391ccb34
10 changed files with 1730 additions and 8 deletions
--- a/powerdnsadmin/decorators.py
+++ b/powerdnsadmin/decorators.py
@ -161,6 +161,41 @@ def is_json(f):
    return decorated_function


+def api_role_can(action, roles=None, allow_self=False):
+    """
+    Grant access if:
+        - user is in the permitted roles
+        - allow_self and kwargs['user_id'] = current_user.id
+        - allow_self and kwargs['username'] = current_user.username
+    """
+    if roles is None:
+        roles = ['Administrator', 'Operator']
+
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            try:
+                user_id = int(kwargs.get('user_id'))
+            except:
+                user_id = None
+            try:
+                username = kwargs.get('username')
+            except:
+                username = None
+            if (
+                (current_user.role.name in roles) or
+                (allow_self and user_id and current_user.id == user_id) or
+                (allow_self and username and current_user.username == username)
+            ):
+                return f(*args, **kwargs)
+            msg = (
+                "User {} with role {} does not have enough privileges to {}"
+            ).format(current_user.username, current_user.role.name, action)
+            raise NotEnoughPrivileges(message=msg)
+        return decorated_function
+    return decorator
+
+
 def api_can_create_domain(f):
    """
    Grant access if: