Adjustment to give user access to granted domain only

2024-11-08 14:40:27 +00:00 · 2018-03-31 07:32:46 +07:00 · 2018-03-31 07:32:46 +07:00 · aa2b29dac3
commit aa2b29dac3
parent ce6c3c21f1
2 changed files with 33 additions and 9 deletions
--- a/app/decorators.py
+++ b/app/decorators.py
@ -0,0 +1,28 @@
+from functools import wraps
+from flask import g, request, redirect, url_for
+
+from app import app
+from app.models import Role
+
+
+def admin_role_required(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.user.role.name != 'Administrator':
+            return redirect(url_for('error', code=401))
+        return f(*args, **kwargs)
+    return decorated_function
+
+
+def can_access_domain(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.user.role.name != 'Administrator':
+            domain_name = kwargs.get('domain_name')
+            user_domain = [d.name for d in g.user.get_domain()]
+
+            if domain_name not in user_domain:
+                return redirect(url_for('error', code=401))
+
+        return f(*args, **kwargs)
+    return decorated_function
--- a/app/views.py
+++ b/app/views.py
@ -19,6 +19,7 @@ from werkzeug.security import gen_salt
 from .models import User, Domain, Record, Server, History, Anonymous, Setting, DomainSetting
 from app import app, login_manager, github, google
 from app.lib import utils
+from app.decorators import admin_role_required, can_access_domain


 jinja2.filters.FILTERS['display_record_name'] = utils.display_record_name
@ -123,15 +124,6 @@ def login_via_authorization_header(request):
    return None
 # END USER AUTHENTICATION HANDLER

-# START CUSTOMIZE DECORATOR
-def admin_role_required(f):
-    @wraps(f)
-    def decorated_function(*args, **kwargs):
-        if g.user.role.name != 'Administrator':
-            return redirect(url_for('error', code=401))
-        return f(*args, **kwargs)
-    return decorated_function
-# END CUSTOMIZE DECORATOR

 # START VIEWS
@app.errorhandler(400)
@ -405,6 +397,7 @@ def dashboard_domains():
@app.route('/domain/<path:domain_name>', methods=['GET', 'POST'])
@app.route('/domain', methods=['GET', 'POST'])
@login_required
+@can_access_domain
 def domain(domain_name):
    r = Record()
    domain = Domain.query.filter(Domain.name == domain_name).first()
@ -523,6 +516,7 @@ def domain_management(domain_name):

@app.route('/domain/<path:domain_name>/apply', methods=['POST'], strict_slashes=False)
@login_required
+@can_access_domain
 def record_apply(domain_name):
    """
    example jdata: {u'record_ttl': u'1800', u'record_type': u'CNAME', u'record_name': u'test4', u'record_status': u'Active', u'record_data': u'duykhanh.me'}
@ -546,6 +540,7 @@ def record_apply(domain_name):

@app.route('/domain/<path:domain_name>/update', methods=['POST'], strict_slashes=False)
@login_required
+@can_access_domain
 def record_update(domain_name):
    """
    This route is used for domain work as Slave Zone only
@ -582,6 +577,7 @@ def record_delete(domain_name, record_name, record_type):


@app.route('/domain/<path:domain_name>/dnssec', methods=['GET'])
+@can_access_domain
@login_required
 def domain_dnssec(domain_name):
    domain = Domain()