fix: Check user zone create/delete permission

Co-authored-by: zoeller-freinet <86965592+zoeller-freinet@users.noreply.github.com>
2025-06-14 20:16:05 +00:00 · 2021-11-27 23:58:22 +01:00
parent 737e1fb93b
commit d2f35a4059
2 changed files with 47 additions and 2 deletions
--- a/powerdnsadmin/routes/api.py
+++ b/powerdnsadmin/routes/api.py
@ -27,8 +27,9 @@ from ..lib.errors import (
 )
 from ..decorators import (
    api_basic_auth, api_can_create_domain, is_json, apikey_auth,
-    apikey_is_admin, apikey_can_access_domain, api_role_can,
-    apikey_or_basic_auth,
+    apikey_can_create_domain, apikey_can_remove_domain,
+    apikey_is_admin, apikey_can_access_domain,
+    api_role_can, apikey_or_basic_auth,
 )
 import secrets
 import string
@ -1037,6 +1038,7 @@ def api_zone_subpath_forward(server_id, zone_id, subpath):
              methods=['GET', 'PUT', 'PATCH', 'DELETE'])
@apikey_auth
@apikey_can_access_domain
+@apikey_can_remove_domain(http_methods=['DELETE'])
 def api_zone_forward(server_id, zone_id):
    resp = helper.forward_request()
    if not Setting().get('bg_domain_updates'):
@ -1080,6 +1082,7 @@ def api_server_sub_forward(subpath):

@api_bp.route('/servers/<string:server_id>/zones', methods=['POST'])
@apikey_auth
+@apikey_can_create_domain
 def api_create_zone(server_id):
    resp = helper.forward_request()