From d2f35a4059fc1455d548e4598ca6067778376c54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20BECOT?=
Date: Sat, 27 Nov 2021 23:58:22 +0100
Subject: [PATCH] fix: Check user zone create/delete permission
Co-authored-by: zoeller-freinet <86965592+zoeller-freinet@users.noreply.github.com>
---
 powerdnsadmin/decorators.py | 42 +++++++++++++++++++++++++++++++++++++
 powerdnsadmin/routes/api.py | 7 +++++--
 2 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/powerdnsadmin/decorators.py b/powerdnsadmin/decorators.py
index 8cfe108..90c2f0d 100644
--- a/powerdnsadmin/decorators.py
+++ b/powerdnsadmin/decorators.py
@@ -246,6 +246,48 @@ def api_can_create_domain(f):
 return decorated_function
+def apikey_can_create_domain(f):
+ """
+ Grant access if:
+ - user is in Operator role or higher, or
+ - allow_user_create_domain is on
+ """
+ @wraps(f)
+ def decorated_function(*args, **kwargs):
+ if g.apikey.role.name not in [
+ 'Administrator', 'Operator'
+ ] and not Setting().get('allow_user_create_domain'):
+ msg = "ApiKey #{0} does not have enough privileges to create domain"
+ current_app.logger.error(msg.format(g.apikey.id))
+ raise NotEnoughPrivileges()
+ return f(*args, **kwargs)
+
+ return decorated_function
+
+
+def apikey_can_remove_domain(http_methods=[]):
+ """
+ Grant access if:
+ - user is in Operator role or higher, or
+ - allow_user_remove_domain is on
+ """
+ def decorator(f):
+ @wraps(f)
+ def decorated_function(*args, **kwargs):
+ check_current_http_method = not http_methods or request.method in http_methods
+
+ if (check_current_http_method and
+ g.apikey.role.name not in ['Administrator', 'Operator'] and
+ not Setting().get('allow_user_remove_domain')
+ ):
+ msg = "ApiKey #{0} does not have enough privileges to remove domain"
+ current_app.logger.error(msg.format(g.apikey.id))
+ raise NotEnoughPrivileges()
+ return f(*args, **kwargs)
+ return decorated_function
+ return decorator
+
+
 def apikey_is_admin(f):
 """
 Grant access if user is in Administrator role
diff --git a/powerdnsadmin/routes/api.py b/powerdnsadmin/routes/api.py
index 1fd5e3a..c96e7f4 100644
--- a/powerdnsadmin/routes/api.py
+++ b/powerdnsadmin/routes/api.py
@@ -27,8 +27,9 @@ from ..lib.errors import (
 )
 from ..decorators import (
 api_basic_auth, api_can_create_domain, is_json, apikey_auth,
- apikey_is_admin, apikey_can_access_domain, api_role_can,
- apikey_or_basic_auth,
+ apikey_can_create_domain, apikey_can_remove_domain,
+ apikey_is_admin, apikey_can_access_domain,
+ api_role_can, apikey_or_basic_auth,
 )
 import secrets
 import string
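Review bot: In `apikey_can_remove_domain` (powerdnsadmin/decorators.py) the privilege check is skipped whenever `request.method` is not literally in `http_methods`, so a route that passes a lower-case or misspelled method name would silently lose the check instead of failing closed. Flask reports the method in upper case, so normalising once when the decorator is built removes that trap: `methods = frozenset(m.upper() for m in http_methods)` followed by `check_current_http_method = not methods or request.method in methods`. The `http_methods=[]` default is a shared mutable list; it is never mutated here, but `http_methods=()` gives the same "apply to every method" default without that hazard. The docstring should also state that an empty `http_methods` enforces the check on all methods, and that the role tested is the API key's (`g.apikey.role`), not a user's.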
@@ -1037,6 +1038,7 @@ def api_zone_subpath_forward(server_id, zone_id, subpath):
 methods=['GET', 'PUT', 'PATCH', 'DELETE'])
 @apikey_auth
 @apikey_can_access_domain
+@apikey_can_remove_domain(http_methods=['DELETE'])
 def api_zone_forward(server_id, zone_id):
 resp = helper.forward_request()
 if not Setting().get('bg_domain_updates'):
@@ -1080,6 +1082,7 @@ def api_server_sub_forward(subpath):
 @api_bp.route('/servers//zones', methods=['POST'])
 @apikey_auth
+@apikey_can_create_domain
 def api_create_zone(server_id):
 resp = helper.forward_request()
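Review bot: The ordering requirement of the two new decorators is undocumented: `@apikey_can_remove_domain(http_methods=['DELETE'])` on `api_zone_forward` and `@apikey_can_create_domain` on `api_create_zone` both dereference `g.apikey` (see the decorators.py hunk), so they only work beneath `@apikey_auth`, which presumably populates it. A one-line comment above each, such as `# must stay below @apikey_auth: the permission check reads g.apikey`, would keep a later reshuffle of the decorator stack from breaking the check. The diffstat lists no test files, so a regression test that sends DELETE and POST with a User-role key while `allow_user_remove_domain` and `allow_user_create_domain` are off would pin the intended denial. Both function bodies continue outside these hunks.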