From 993e02b635ed271f855e02aeab3e2f8c18d0554f Mon Sep 17 00:00:00 2001 From: steschuser Date: Thu, 5 Aug 2021 19:42:58 +0200 Subject: [PATCH] limit user to only create domains for the accounts he belongs to (#970) --- powerdnsadmin/routes/domain.py | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/powerdnsadmin/routes/domain.py b/powerdnsadmin/routes/domain.py index 75dd2f9..a90f367 100644 --- a/powerdnsadmin/routes/domain.py +++ b/powerdnsadmin/routes/domain.py @@ -149,6 +149,18 @@ def add(): 'errors/400.html', msg="Please enter a valid domain name"), 400 + # If User creates the domain, check some additional stuff + if current_user.role.name not in ['Administrator', 'Operator']: + # Get all the account_ids of the user + user_accounts_ids = current_user.get_accounts() + user_accounts_ids = [x.id for x in user_accounts_ids] + # User may not create domains without Account + if int(account_id) == 0 or int(account_id) not in user_accounts_ids: + return render_template( + 'errors/400.html', + msg="Please use a valid Account"), 400 + + #TODO: Validate ip addresses input # Encode domain name into punycode (IDN) @@ -250,13 +262,19 @@ def add(): current_app.logger.debug(traceback.format_exc()) abort(500) + # Get else: - accounts = Account.query.order_by(Account.name).all() + # Admins and Operators can set to any account + if current_user.role.name in ['Administrator', 'Operator']: + accounts = Account.query.order_by(Account.name).all() + else: + accounts = current_user.get_accounts() return render_template('domain_add.html', templates=templates, accounts=accounts) + @domain_bp.route('/setting//delete', methods=['POST']) @login_required @operator_role_required