fix: Check user zone create/delete permission

Co-authored-by: zoeller-freinet <86965592+zoeller-freinet@users.noreply.github.com>
2025-07-06 22:24:05 +00:00 · 2021-11-27 23:58:22 +01:00
parent 737e1fb93b
commit d2f35a4059
2 changed files with 47 additions and 2 deletions
--- a/powerdnsadmin/decorators.py
+++ b/powerdnsadmin/decorators.py
@ -246,6 +246,48 @@ def api_can_create_domain(f):
    return decorated_function


+def apikey_can_create_domain(f):
+    """
+    Grant access if:
+        - user is in Operator role or higher, or
+        - allow_user_create_domain is on
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.apikey.role.name not in [
+                'Administrator', 'Operator'
+        ] and not Setting().get('allow_user_create_domain'):
+            msg = "ApiKey #{0} does not have enough privileges to create domain"
+            current_app.logger.error(msg.format(g.apikey.id))
+            raise NotEnoughPrivileges()
+        return f(*args, **kwargs)
+
+    return decorated_function
+
+
+def apikey_can_remove_domain(http_methods=[]):
+    """
+    Grant access if:
+        - user is in Operator role or higher, or
+        - allow_user_remove_domain is on
+    """
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            check_current_http_method = not http_methods or request.method in http_methods
+
+            if (check_current_http_method and
+                g.apikey.role.name not in ['Administrator', 'Operator'] and
+                not Setting().get('allow_user_remove_domain')
+            ):
+                msg = "ApiKey #{0} does not have enough privileges to remove domain"
+                current_app.logger.error(msg.format(g.apikey.id))
+                raise NotEnoughPrivileges()
+            return f(*args, **kwargs)
+        return decorated_function
+    return decorator
+
+
 def apikey_is_admin(f):
    """
    Grant access if user is in Administrator role