cwinfo/powerdns-admin
5
0
Fork 0
mirror of https://github.com/cwinfo/powerdns-admin.git synced 2025-01-27 12:14:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2 from thomasDOTde/upstream-access-control

Browse Source 
Add access control for non-admin users from hackedd
This commit is contained in:
Thomas 2017-11-01 21:47:14 +01:00 committed by GitHub
commit ff9a6fcfba
2 changed files with 49 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/models.py
View File

@ -314,6 +314,13 @@ class User(db.Model):
user_domains.append(q[2]) user_domains.append(q[2])
return user_domains return user_domains
def can_access_domain(self, domain_name):
if self.role.name == "Administrator":
return True
query = self.get_domain_query().filter(Domain.name == domain_name)
return query.count() >= 1
def delete(self): def delete(self):
""" """
Delete a user Delete a user

70
app/views.py
View File

@ -388,36 +388,39 @@ def dashboard():
def domain(domain_name): def domain(domain_name):
r = Record() r = Record()
domain = Domain.query.filter(Domain.name == domain_name).first() domain = Domain.query.filter(Domain.name == domain_name).first()
if domain: if not domain:
# query domain info from PowerDNS API
zone_info = r.get_record_data(domain.name)
if zone_info:
jrecords = zone_info['records']
else:
# can not get any record, API server might be down
return redirect(url_for('error', code=500))
records = []
#TODO: This should be done in the "model" instead of "view"
if NEW_SCHEMA:
for jr in jrecords:
if jr['type'] in app.config['RECORDS_ALLOW_EDIT']:
for subrecord in jr['records']:
record = Record(name=jr['name'], type=jr['type'], status='Disabled' if subrecord['disabled'] else 'Active', ttl=jr['ttl'], data=subrecord['content'])
records.append(record)
else:
for jr in jrecords:
if jr['type'] in app.config['RECORDS_ALLOW_EDIT']:
record = Record(name=jr['name'], type=jr['type'], status='Disabled' if jr['disabled'] else 'Active', ttl=jr['ttl'], data=jr['content'])
records.append(record)
if not re.search('ip6\.arpa|in-addr\.arpa$', domain_name):
editable_records = app.config['RECORDS_ALLOW_EDIT']
else:
editable_records = ['PTR']
return render_template('domain.html', domain=domain, records=records, editable_records=editable_records)
else:
return redirect(url_for('error', code=404)) return redirect(url_for('error', code=404))
if not current_user.can_access_domain(domain_name):
abort(403)
# query domain info from PowerDNS API
zone_info = r.get_record_data(domain.name)
if zone_info:
jrecords = zone_info['records']
else:
# can not get any record, API server might be down
return redirect(url_for('error', code=500))
records = []
#TODO: This should be done in the "model" instead of "view"
if NEW_SCHEMA:
for jr in jrecords:
if jr['type'] in app.config['RECORDS_ALLOW_EDIT']:
for subrecord in jr['records']:
record = Record(name=jr['name'], type=jr['type'], status='Disabled' if subrecord['disabled'] else 'Active', ttl=jr['ttl'], data=subrecord['content'])
records.append(record)
else:
for jr in jrecords:
if jr['type'] in app.config['RECORDS_ALLOW_EDIT']:
record = Record(name=jr['name'], type=jr['type'], status='Disabled' if jr['disabled'] else 'Active', ttl=jr['ttl'], data=jr['content'])
records.append(record)
if not re.search('ip6\.arpa|in-addr\.arpa$', domain_name):
editable_records = app.config['RECORDS_ALLOW_EDIT']
else:
editable_records = ['PTR']
return render_template('domain.html', domain=domain, records=records, editable_records=editable_records)
@app.route('/admin/domain/add', methods=['GET', 'POST']) @app.route('/admin/domain/add', methods=['GET', 'POST'])
@login_required @login_required
@ -508,6 +511,10 @@ def record_apply(domain_name):
example jdata: {u'record_ttl': u'1800', u'record_type': u'CNAME', u'record_name': u'test4', u'record_status': u'Active', u'record_data': u'duykhanh.me'} example jdata: {u'record_ttl': u'1800', u'record_type': u'CNAME', u'record_name': u'test4', u'record_status': u'Active', u'record_data': u'duykhanh.me'}
""" """
#TODO: filter removed records / name modified records. #TODO: filter removed records / name modified records.
if not current_user.can_access_domain(domain_name):
return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
try: try:
pdata = request.data pdata = request.data
jdata = json.loads(pdata) jdata = json.loads(pdata)
@ -532,6 +539,10 @@ def record_update(domain_name):
This route is used for domain work as Slave Zone only This route is used for domain work as Slave Zone only
Pulling the records update from its Master Pulling the records update from its Master
""" """
if not current_user.can_access_domain(domain_name):
return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
try: try:
pdata = request.data pdata = request.data
jdata = json.loads(pdata) jdata = json.loads(pdata)
@ -566,6 +577,9 @@ def record_delete(domain_name, record_name, record_type):
@app.route('/domain/<string:domain_name>/dnssec', methods=['GET']) @app.route('/domain/<string:domain_name>/dnssec', methods=['GET'])
@login_required @login_required
def domain_dnssec(domain_name): def domain_dnssec(domain_name):
if not current_user.can_access_domain(domain_name):
return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
domain = Domain() domain = Domain()
dnssec = domain.get_domain_dnssec(domain_name) dnssec = domain.get_domain_dnssec(domain_name)
return make_response(jsonify(dnssec), 200) return make_response(jsonify(dnssec), 200)