Add access control for non-admin users

(cherry picked from commit 6e5b704)
2024-11-09 23:20:27 +00:00 · 2017-10-20 12:53:03 +02:00 · 2017-10-20 12:53:03 +02:00 · 9a4021d5e5
commit 9a4021d5e5
parent b6ed658cbd
2 changed files with 49 additions and 28 deletions
--- a/app/models.py
+++ b/app/models.py
@ -314,6 +314,13 @@ class User(db.Model):
            user_domains.append(q[2])
        return user_domains

+    def can_access_domain(self, domain_name):
+        if self.role.name == "Administrator":
+            return True
+
+        query = self.get_domain_query().filter(Domain.name == domain_name)
+        return query.count() >= 1
+
    def delete(self):
        """
        Delete a user
--- a/app/views.py
+++ b/app/views.py
@ -296,7 +296,12 @@ def dashboard():
 def domain(domain_name):
    r = Record()
    domain = Domain.query.filter(Domain.name == domain_name).first()
-    if domain:
+    if not domain:
+        return redirect(url_for('error', code=404))
+
+    if not current_user.can_access_domain(domain_name):
+        abort(403)
+
    # query domain info from PowerDNS API
    zone_info = r.get_record_data(domain.name)
    if zone_info:
@ -323,8 +328,6 @@ def domain(domain_name):
    else:
        editable_records = ['PTR']
    return render_template('domain.html', domain=domain, records=records, editable_records=editable_records)
-    else:
-        return redirect(url_for('error', code=404))


@app.route('/admin/domain/add', methods=['GET', 'POST'])
@ -416,6 +419,10 @@ def record_apply(domain_name):
    example jdata: {u'record_ttl': u'1800', u'record_type': u'CNAME', u'record_name': u'test4', u'record_status': u'Active', u'record_data': u'duykhanh.me'}
    """
    #TODO: filter removed records / name modified records.
+
+    if not current_user.can_access_domain(domain_name):
+        return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
+
    try:
        pdata = request.data
        jdata = json.loads(pdata)
@ -440,6 +447,10 @@ def record_update(domain_name):
    This route is used for domain work as Slave Zone only
    Pulling the records update from its Master
    """
+
+    if not current_user.can_access_domain(domain_name):
+        return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
+
    try:
        pdata = request.data
        jdata = json.loads(pdata)
@ -474,6 +485,9 @@ def record_delete(domain_name, record_name, record_type):
@app.route('/domain/<string:domain_name>/dnssec', methods=['GET'])
@login_required
 def domain_dnssec(domain_name):
+    if not current_user.can_access_domain(domain_name):
+        return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
+
    domain = Domain()
    dnssec = domain.get_domain_dnssec(domain_name)
    return make_response(jsonify(dnssec), 200)