mirror of
https://github.com/cwinfo/powerdns-admin.git
synced 2025-01-27 12:14:39 +00:00
Merge pull request #2 from thomasDOTde/upstream-access-control
Add access control for non-admin users from hackedd
This commit is contained in:
commit
ff9a6fcfba
@ -314,6 +314,13 @@ class User(db.Model):
|
||||
user_domains.append(q[2])
|
||||
return user_domains
|
||||
|
||||
def can_access_domain(self, domain_name):
|
||||
if self.role.name == "Administrator":
|
||||
return True
|
||||
|
||||
query = self.get_domain_query().filter(Domain.name == domain_name)
|
||||
return query.count() >= 1
|
||||
|
||||
def delete(self):
|
||||
"""
|
||||
Delete a user
|
||||
|
20
app/views.py
20
app/views.py
@ -388,7 +388,12 @@ def dashboard():
|
||||
def domain(domain_name):
|
||||
r = Record()
|
||||
domain = Domain.query.filter(Domain.name == domain_name).first()
|
||||
if domain:
|
||||
if not domain:
|
||||
return redirect(url_for('error', code=404))
|
||||
|
||||
if not current_user.can_access_domain(domain_name):
|
||||
abort(403)
|
||||
|
||||
# query domain info from PowerDNS API
|
||||
zone_info = r.get_record_data(domain.name)
|
||||
if zone_info:
|
||||
@ -415,8 +420,6 @@ def domain(domain_name):
|
||||
else:
|
||||
editable_records = ['PTR']
|
||||
return render_template('domain.html', domain=domain, records=records, editable_records=editable_records)
|
||||
else:
|
||||
return redirect(url_for('error', code=404))
|
||||
|
||||
|
||||
@app.route('/admin/domain/add', methods=['GET', 'POST'])
|
||||
@ -508,6 +511,10 @@ def record_apply(domain_name):
|
||||
example jdata: {u'record_ttl': u'1800', u'record_type': u'CNAME', u'record_name': u'test4', u'record_status': u'Active', u'record_data': u'duykhanh.me'}
|
||||
"""
|
||||
#TODO: filter removed records / name modified records.
|
||||
|
||||
if not current_user.can_access_domain(domain_name):
|
||||
return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
|
||||
|
||||
try:
|
||||
pdata = request.data
|
||||
jdata = json.loads(pdata)
|
||||
@ -532,6 +539,10 @@ def record_update(domain_name):
|
||||
This route is used for domain work as Slave Zone only
|
||||
Pulling the records update from its Master
|
||||
"""
|
||||
|
||||
if not current_user.can_access_domain(domain_name):
|
||||
return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
|
||||
|
||||
try:
|
||||
pdata = request.data
|
||||
jdata = json.loads(pdata)
|
||||
@ -566,6 +577,9 @@ def record_delete(domain_name, record_name, record_type):
|
||||
@app.route('/domain/<string:domain_name>/dnssec', methods=['GET'])
|
||||
@login_required
|
||||
def domain_dnssec(domain_name):
|
||||
if not current_user.can_access_domain(domain_name):
|
||||
return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
|
||||
|
||||
domain = Domain()
|
||||
dnssec = domain.get_domain_dnssec(domain_name)
|
||||
return make_response(jsonify(dnssec), 200)
|
||||
|
Loading…
x
Reference in New Issue
Block a user