Commit Graph

444 Commits

Author SHA1 Message Date
Matt Scott
d50d57bc70
Merge pull request #1357 from pneb/patch-6
fix: Potential fix for a regex bug
2023-01-25 16:19:27 -05:00
Matt Scott
51249aecd3
Merge pull request #1212 from corubba/feature/privacy-first
Privacy first
2023-01-24 05:34:30 -05:00
Robert Walter
246ad7f7d2
Fixing Wrapping in History Details Modal in Dashboard
resolves #1358
2023-01-13 10:05:20 +01:00
Bernward Sanchez
18bc336d7a
Potential fix 2023-01-11 18:21:40 +08:00
Matt Scott
bb29c27430
Merge pull request #1354 from Metrax/support-pdns4.7
Support pdns4.7
2023-01-10 08:01:17 -05:00
Robert Walter
c02cb3b7fe
Model change: Changing domain model type variable to 8 chars
PowerDNS 4.7 is supporting 2 new zone types: "producer" & "consumer"
Due to the domain type variable is limited to 6 chars, PDA Zone update will fail if producer or cusomer zones exist.
To solve this problem, this commit increases the lenght of the domain model type variable to 8 chars.
2023-01-10 13:51:04 +01:00
Bernward Sanchez
c7eaec27d8
Update utils.py 2022-12-23 08:23:14 +08:00
Ymage
1d885278d4 Cosmetic 2022-12-22 22:55:05 +01:00
Ymage
7d153932b3 Fix back_populate relationships 2022-12-22 22:50:01 +01:00
corubba
e920bf5009 Fix broken code
PR #1089 is the culprit, as was already predicted in the review.
2022-12-19 09:37:01 +01:00
Matt Scott
89f3d4d01a
Revert "enhancement(routes/index.py): OIDC supports HTTP Scheme now" 2022-12-14 20:37:30 -05:00
Bernward Sanchez
f6c49c379d
Update index.py 2022-12-15 06:13:27 +08:00
Matt Scott
30ed68471e
Merge pull request #1322 from Metrax/master
Fixing Validation problem on LDAP form
2022-12-13 20:59:22 -05:00
Matt Scott
8373363c4d
Merge pull request #1323 from jbe-dw/fixLDAPDeprecatedOpt
Draft: Fix pyhton-ldap upgrade
2022-12-13 20:56:03 -05:00
Aaron Carson
ff671ebabe Fix 1329 2022-12-14 00:34:12 +00:00
Sshafi
d0290ac469
Update login.html
Use SITE_NAME for login box title on login page.
This can be useful when using multiple powerdns admin in an organization.
2022-12-13 09:10:21 +01:00
Dominik Fahr
97a79645b0 fix of issue #1261
split record by "."
idna.encode leads into full stop if the string starts with "_" or "-"
2022-12-12 17:31:32 +01:00
Dominik Fahr
52169f698c undo of commit a7f55de
did not fix issue #1261
leaded into issue #1321
2022-12-12 17:30:42 +01:00
Jérôme BECOT
8d5b92402d
fix: Remove deprecated option OPT_X_TLS 2022-12-12 15:57:11 +01:00
Robert Walter
23e0fdbedf Fixing Validation Problem at LDAP Form 2022-12-12 12:32:32 +01:00
Bernward Sanchez
dfdb0dca17
Update domain.py 2022-12-10 10:37:06 +08:00
Matt Scott
3c0b0a1b2d
Merge pull request #1246 from unilogicbv/admin_edit_key_user_role_default
admin_edit_key: default to User role for new api keys
2022-12-08 22:13:23 -05:00
Matt Scott
2cd8f60f8d
Merge pull request #1247 from unilogicbv/models_user_plain_text_password_guard
models/user.py: properly guard plain_text_password property
2022-12-08 22:10:21 -05:00
Matt Scott
7873e5f3f8
Merge pull request #1249 from unilogicbv/models_user_totp_valid_window
models/user.py: add non-zero valid_window to totp.verify
2022-12-08 22:05:34 -05:00
Matt Scott
e823f079b7
Merge pull request #1266 from WhatshallIbreaktoday/master
allow null/None JSON data (Used for pdns notifies via api and by LEGO-ACME v 4.9.0)
2022-12-08 21:57:18 -05:00
Bernward Sanchez
2656242b45
Update api_key.py
I added the parentheses to the `db.session.rollback` line to call the method, which will now properly roll back any changes made to the database if an error occurs.
2022-12-09 09:33:17 +08:00
Bernward Sanchez
3e68044420
Update utils.py
This should fix the error you were experiencing, as it will now only attempt to process the `data` argument if it is a tuple containing two elements. If the `data` argument is not in the expected format, the function will simply return an empty string instead of raising an exception.
2022-12-09 08:15:13 +08:00
WhatshallIbreaktoday
d25a22272e allow null/None JSON data
This change permits to proxy pdns zone notify api requests (which are expected to be with empty body)
2022-10-12 08:10:35 +02:00
corubba
cb835978df Fix order of operations in api payload
PDNS checks that when a `CNAME` rrset is created that no other rrset of
the same name but a different rtype exists. When changing a record type
to `CNAME`, PDA will send two operations in one api call to PDNS: A
deletion of the old rrset, and the addition of the new rrset. For the
check in PDNS to pass, the deletion needs to happen before the addition.
Before PR #1201 that was the case, the first api call did deletions and
the second handled additions and changes. Currently the api payload
contains additions first and deletions last. PDNS applies these in the
order they are passed in the payload to the api, so to restore the
original/correct/working behaviour the order of operations in the api
payload has to be reversed.

fixes #1251
2022-09-23 00:19:22 +02:00
Pascal de Bruijn
846c03f154 models/user.py: add non-zero valid_window to totp.verify
PyOTP's totp.verify defaults to the valid_window of zero, which means
it will reject valid codes, if submitted just past the 30 sec window.
It also means, users will run into authentication issues very quickly
if their phones time-sync isn't perfect.

Therefore valid_window should at the very least be 1 or more, settting
it higher trades security for robustness, especially with regard to
time desync issues.
2022-09-07 14:23:34 +02:00
Pascal de Bruijn
41a3995865 routes/index.py: otp_force shouldn't apply to OAuth
as 2FA policies are typically enforced on the OAuth proviers end

Relates to #1051
2022-09-06 16:28:45 +02:00
Pascal de Bruijn
4fd1b10018 models/user.py: properly guard plain_text_password property
Resolves the following issue, which occurs with force_otp enabled
and OAuth authentication sources:

File "/srv/powerdnsadmin/powerdnsadmin/models/user.py", line 481, in update_profile
  "utf-8") if self.plain_text_password else user.password
AttributeError: 'User' object has no attribute 'plain_text_password'
2022-09-06 15:31:43 +02:00
Pascal de Bruijn
9bf74a6baf admin_edit_key: default to User role for new api keys
hopefully this will prevent accidental administator api keys from being created
2022-09-06 15:25:28 +02:00
Vasileios Markopoulos
204c996c81
Merge pull request #1221 from corubba/bugfix/changelog-hyphen
Fix rrset changelog for names with hyphen
2022-07-01 15:52:44 +03:00
AdvanticGmbH
3c68b611c6
Update powerdnsadmin/routes/admin.py
Looks good to me

Co-authored-by: Corubba <97832352+corubba@users.noreply.github.com>
2022-06-29 08:56:01 +02:00
AdvanticGmbH
cfab13824d Add history entries for association changes of domains 2022-06-28 11:19:00 +02:00
AdvanticGmbH
6a2ba1b1c3 Add list to manage with an account associated domains 2022-06-28 11:18:53 +02:00
Jérôme BECOT
41642fcea4
fix: Update JS minifier library 2022-06-24 23:03:01 +02:00
corubba
5036619a67 Allow new domains to be absolute
Allow the new domain name to be input absolute (with a dot at the end).
To keep the rest of the logic working as-is, remove it fairly early in
the function.

Would have loved to use `str.removesuffix()` but that's python v3.9+.
2022-06-23 22:31:00 +02:00
corubba
9890ddfa64 Fix rrset changelog for names with hyphen
When clicking the changelog button for a record with the name
`foo-bar.example.org`, the url you get redirected to is
`/domain/example.org/changelog/foo-bar.example.org.-A`. Because of the
non-greedy behaviour of the path converter, the last part gets split at
the *first* hyphen, so the example above gets wrongly dissected into
`record_name=foo` and `record_type=bar.example.org.-A`. This results
for obvious reasons in an empty changelog.

As described in rfc5395 [0], types have to be alphanumerical, so its
converter is changed from path to string.

The hyphen is one of the few characters recommended by rfc1035 [1],
so it is a bad choice as separator. The separator is instead changed to
a slash.
Granted, this does not entirely solve the issue but at least makes it a
lot less likely to happen. Plus, a lot more and other things break in
pda with slashes in names.

[0] https://datatracker.ietf.org/doc/html/rfc5395#section-3.1
[1] https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.1
2022-06-19 12:16:40 +02:00
jbe-dw
dac232147e
enh: Cookies security (#1211)
author: corruba
2022-06-18 22:51:47 +02:00
corubba
3a8ad7c444 Remove OFFLINE_MODE config option 2022-06-18 19:11:16 +02:00
corubba
b809308d31 Add LDAP user images 2022-06-18 19:11:16 +02:00
corubba
607caa1a2d Rework user image handling
Moved all the logic out of the template into a separate endpoint. This
makes it easy to extend to also support images from different sources
like LDAP/SAML/OIDC. Session-based caching is hard to do, so to allow
time-based caching in the browser, the url needs to be unique for every
user by using a query parameter.

Replaced the default/fallback user image with a new one. It is based on
the old one, but does not need css to be visible. And removed said css.

Gravatar has now its own setting named `gravatar_enabled`, which is
disabled by default.
2022-06-18 19:11:13 +02:00
corubba
b795f1eadf Use the doc search directly 2022-06-18 19:07:23 +02:00
corubba
fee26b84ba Remove IE8 polyfills
These old browsers are EOL since 2016 [0], let them finally rest in
peace.

This effectively reverts/replaces commit b8dee5d17056788c2dc9940d14308648e32186d8.

[0] https://web.archive.org/web/20160115070611/https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
2022-06-18 19:07:23 +02:00
corubba
54b2c5918f Serve the IE8 polyfills from local 2022-06-18 19:07:23 +02:00
corubba
674704609b Always use local fonts 2022-06-18 19:07:23 +02:00
corubba
af902f24a2 Update using only one api call
Starting with the very first commit, the update was always done with
two api calls: one for DELETE and one for REPLACE. It is however
perfectly valid and save to do both at once, which makes it atomic, so
no need for the rollback. Plus it only updates the serial once.
There is no point in sending the full RRset data when deleting it, the
key attributes to identify it are enough. This also make the behaviour
consistent with the api docs [0] where it says "MUST NOT be included
when changetype is set to DELETE."

[0] https://doc.powerdns.com/authoritative/http-api/zone.html#rrset
2022-06-18 18:58:39 +02:00
corubba
52b704baeb Set SameSite on cookies
Setting this attribute on a cookie marks it as non-cross-site, so it
is only send in requests to our own server. It is reasonable that no
one else should need our session or csrf data. Setting it explicitly
also prevents any issues from the ongoing change in browser behaviour [0]
when it is unset.

Seasurf supports the SameSite attribute starting with v0.3. As nothing
obviously broke, I used the opportunity and updated all the way to the
most recent version.

The SeaSurf default for SameSite is already `Lax`, so it only needs to
be set for the session cookie.

[0] https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
2022-06-18 18:51:42 +02:00
corubba
ae2ad6527a Set csrf cookie to httponly
The CSRF token is currently inserted directly in the template and not
in the browser via JavaScript from the cookie, so making it inaccessible
is not a problem.

The Sesson-cookie is already httponly by default [0].

[0] https://flask.palletsprojects.com/en/2.1.x/config/?highlight=session_cookie_httponly#SESSION_COOKIE_HTTPONLY
2022-06-18 18:51:42 +02:00
corubba
3e462dab17 Fix csrf configuration
CSRF has been initialized *before* the app config was fully read. That
made it impossible to configure CSRF properly. Moved the CSRF init into
the routes module, and switched from programmatic to decorated
exemptions. GET routes don't need to be exempted because they are by
default.
2022-06-18 18:51:40 +02:00
Jérôme BECOT
a87b931520
feat: Move the account parse calls to a method 2022-06-18 14:30:56 +02:00
Jérôme BECOT
eb13b37e09
feat: Add the extra chars as an option 2022-06-18 14:30:56 +02:00
Jérôme BECOT
a3c50828a6
feat: Allow underscores and hyphens in account name 2022-06-18 14:28:32 +02:00
AdvanticGmbH
beed738d02
enh: Improve performance of domain update (#1218)
author: @AdvanticGmbH
2022-06-18 14:23:05 +02:00
RGanor
81f158d9bc
enh: Enforce Record Restrictions in API (#1089)
Co-authored-by: Tom <tom@tom.com>
2022-06-18 14:20:49 +02:00
Vasileios Markopoulos
83d2f3c791
Merge pull request #1205 from joshsol1/master
Modification to SAML groups and group management
2022-06-18 13:39:01 +03:00
gadall
bf83e68a4b
Fix DynDNS2 using X-Forwarded-For (#1214)
utils.validate_ipaddress() takes a string, not a list
2022-06-18 13:11:22 +03:00
TomSebty
1926b862b8
feat: Option to forbid the creation of domain if it exists as a record (#1127)
When enabled, forbids the creation of a domain if it exists as a record in one of its parent domains (administrators and operators are not limited though).
2022-06-17 17:50:51 +02:00
jbe-dw
1112105683
feat: Add /api endpoint (#1206) 2022-06-17 16:48:23 +02:00
jbe-dw
2a75013de4
Merge pull request #1163 from AdvanticGmbH/idna_decode
fix: use idna module to support extended character set
2022-06-17 15:47:55 +02:00
Vasileios Markopoulos
9d7d701cd9
Merge pull request #1203 from pixelrebel/saml-fixes
Small fixes to SAML service
2022-06-15 15:56:28 +03:00
Vasileios Markopoulos
41343fd598
Merge pull request #1199 from corubba/bugfix/rrest-typo
Fix rrest typo in history detail
2022-05-25 10:45:50 +03:00
corubba
f98326ea90 Fix remaining typo occurrence 2022-05-24 23:45:14 +02:00
Jérôme BECOT
88df88f30b
fix: Active directory filter is broken 2022-05-24 13:58:45 +02:00
jbe-dw
259bd0a906
Merge pull request #1200 from corubba/feature/modal-consolidation
enh: Consolidate generic modal code
2022-05-23 22:50:48 +02:00
jbe-dw
06c12cc3ac
Merge pull request #1172 from RGanor/master
Added health check
2022-05-23 20:18:17 +02:00
RGanor
1bee833326 Updated the unknown state 2022-05-23 16:46:11 +00:00
jbe-dw
e81453c5e3
Merge pull request #1188 from corubba/bugfix/pyOpenSSL
Small bugfixes
2022-05-23 13:59:18 +02:00
Josh Matthews
715c6b76cd added code to raise user to operator on SAML auth if in the right group 2022-05-23 14:38:16 +10:00
pixelrebel
e4c8c3892f Use HTTP_X_FORWARDED_PROTO header from reverse proxy to rewrite https:// for SAML request URLs 2022-05-19 19:00:38 -07:00
pixelrebel
9221d58a1b Allow SAML AttributeStatements to be optional 2022-05-19 14:52:51 -07:00
corubba
0dfcdb6c3e Fix rrest typo in history detail
There is a misspelling of rrset throughout the history logic, which also
effects the json payload in the database. Code-wise this is a simple
search-and-replace, and the migration will fix the payloads.
2022-05-19 00:53:35 +02:00
corubba
70450315ba Add general modal functions
The two generic modals are defined in the base template, and are used
in various templates. So provide functions and remove duplicate code.
2022-05-19 00:53:20 +02:00
RGanor
3d2ad1abc0 LGTM fix - unused variable 2022-05-15 13:57:13 +00:00
Cloud User
b3271e84d6 Using domain model and added authentication 2022-05-15 12:19:04 +00:00
jbe-dw
6579c9e830
Merge pull request #1182 from jbe-dw/revertCorruptedHistoryFix
fix: Insert valid JSON in history.detail and replace single quotes in the database
2022-05-12 21:30:20 +02:00
corubba
564ec6086d Replace pyOpenSSL with cryptography
This is literally the example from the docs [0]. The only thing I
adapted are the parameters for the keys and certificate, so they
stay the same.

Fixes #1086

[0] https://cryptography.io/en/latest/x509/tutorial/#creating-a-self-signed-certificate
2022-05-07 21:32:19 +02:00
corubba
fec649b747 Header for fixed order column
Semantically and syntactically it is better to have the same number of
`<th>` as `<td>`. Not that anyone will ever see that new header, since
that column is always invisible (except if the user disables javascript).

Plus remove a unmatched closing html element.
2022-05-07 21:14:57 +02:00
corubba
0e2cd063c5 Remove python v2 remnant
As vermin [0] confirms, the codebase has long moved beyond supporting
python v2 (which is not a bad thing). This removes the last explicit py2
piece of code.

And in case anyone wonders, vermin currently reports the minium version
to be v3.6.

[0] https://pypi.org/project/vermin/
2022-05-07 21:14:48 +02:00
jbe-dw
fa9bdcfde0
Merge pull request #1134 from jbe-dw/fixAPIDeleteAccount
Fix API Account deletion
2022-05-06 23:35:24 +02:00
Jérôme BECOT
64f7968af9
fix: Use json.dumps instead of str 2022-05-06 17:04:39 +02:00
jbe-dw
82f03a4de2
Merge pull request #1160 from AdvanticGmbH/json_load_error
Json load error
2022-04-26 17:54:08 +02:00
AdvanticGmbH
26c60f175d Remove unnecessary call to str()
* json.dumps() already returns a str
2022-04-26 09:11:05 +02:00
jbe-dw
fc56a168c8
Merge pull request #1174 from gunet/ping-no-login-required
Login requirement removal for /ping endpoint
2022-04-25 16:22:21 +02:00
ManosKoukoularis
5040cf5282
Merge pull request #1159 from AdvanticGmbH/html_entity_domain_fix
Decode domain record data and comment from HTML entity to text
2022-04-25 12:49:10 +03:00
AdvanticGmbH
44c9aff5db Use json.dumps for every detail in history
This works much better instead of just writing a str to the db and
expect it to be loaded just fine from json.loads
2022-04-25 10:43:46 +02:00
AdvanticGmbH
3df36adbf4 Add more detailed info to the history when a msg and status exists 2022-04-25 10:43:40 +02:00
AdvanticGmbH
191e919626 Allow IDNA in SOA
* Previously having characters like "ü" in the SOA wouldnt allow to push
updates to the domain
* Also use the new method to_idna to support characters like "ß"
2022-04-25 10:19:40 +02:00
AdvanticGmbH
40deb3c145 Create method to encode and decode idna
Previously strings with characters like "ß" would throw and exception
This seems to happen because the lib behind encode().decode('idna')
cant handle characters like this
2022-04-25 10:05:46 +02:00
KostasMparmparousis
4d6c6224b4 Login requirement removal for /ping endpoint 2022-04-20 13:31:23 +03:00
RGanor
4958423cc7
Update api.py 2022-04-18 22:11:31 +03:00
root
f41696c310 WIP - Added health check 2022-04-18 09:01:22 +00:00
Vasileios Markopoulos
e891333971
Merge pull request #1166 from LordVeovis/fix/saml
Fix broken SAML login from 9c00e48f
2022-04-13 10:16:58 +03:00
Vasileios Markopoulos
c9c82d4244
Merge pull request #1118 from cropalato/master
Fixing AD login if there is a infinity loop in memberOf groups.
2022-04-13 10:15:54 +03:00
Veovis
bd92c5946c
Fix broken SAML login from 9c00e48f 2022-04-12 17:14:54 +02:00
Ricardo Melo
ee0511ff4c
[Fix] AD recursive problem
- Fixing #1011[https://github.com/PowerDNS-Admin/PowerDNS-Admin/issues/1011]
2022-04-11 08:49:38 -04:00
Vasileios Markopoulos
098224eed1
Merge pull request #1123 from gunet/log-dnssec-enabling
Log DNSSEC status change for a domain
2022-04-11 15:21:59 +03:00
ManosKoukoularis
9e90dde144
Merge pull request #1158 from AdvanticGmbH/domain_xss
Render domain data table fields only as text
2022-04-11 13:05:43 +03:00
vmarkop
9c62208c2e Updated repository URL 2022-04-11 12:21:34 +03:00
jbe-dw
8cf2985335
Merge pull request #979 from mirko/make-onelogin-pkg-optional
routes/index.py: Make package 'onelogin.saml2.utils' optional
2022-04-07 13:37:00 +02:00
jbe-dw
33f1c6ad61
Merge pull request #1027 from mirko/add-WWW-Authenticate-header-for-dyndns
dyndns: Respond with HTTP header 'WWW-Authenticate' to unauthed requests
2022-04-07 13:31:03 +02:00
AdvanticGmbH
b534eadf19 Decode domain record data and comment from HTML entity to text 2022-04-04 14:43:02 +02:00
AdvanticGmbH
e596de37f4 Render Name, Type, Status, TTL, Data and Edit as text 2022-04-04 14:16:40 +02:00
AdvanticGmbH
930932d131 Render domain data table fields only as text 2022-04-04 14:06:31 +02:00
jbe-dw
13ff4df9f9
Merge pull request #1122 from gunet/auth_type_log_fix
Fixed LDAP Authenticator Type logging
2022-04-03 14:59:48 +02:00
jbe-dw
c6de972ed8
Merge pull request #1101 from decryptus/master
[BUG] Fixed delete zone from API
2022-04-03 00:29:47 +02:00
Jérôme BECOT
17b4269e1b
fix: Set Content-Type on backend API calls 2022-03-30 23:39:00 +02:00
ManosKoukoularis
fcb8287f14
Update login.html 2022-02-25 12:59:23 +02:00
Jérôme BECOT
84a183d913
fix: Disassociate domains from account before deletion 2022-02-24 11:24:19 +01:00
Jérôme BECOT
6ba1254759
feat: Make domain update optional in assoc_account 2022-02-24 11:24:12 +01:00
kkmanos
10603fbb36 fixed csrf expiration for login page 2022-02-17 18:10:06 +02:00
kkmanos
e21f53085d added DNSSEC enabling/disabling to history logs 2022-02-17 17:40:48 +02:00
vmarkop
36cee8cddc Fixed 'LOCAL' Authenticator Type showing for LDAP auth 2022-02-17 17:34:54 +02:00
kkmanos
b9cf7245a5 fixed csrf expiration for login page 2022-02-17 17:02:11 +02:00
Adrien Delle Cave
6982e0107c Typo in routes/api.py 2022-01-20 12:49:37 +01:00
Adrien Delle Cave
98bd9634a4 [BUG] Fixed delete zone from API 2022-01-19 13:50:12 +01:00
zoeller-freinet
0b2ad520b7 History table: relocate HTML for modal window (#1090)
- Store HTML for modal window inside an invisible <div> element instead
  of inside the <button> element's value attribute
- Mark history.detailed_msg as safe as it is already manually run
  through the template engine beforehand and would be broken if escaped
  a second time
2022-01-01 21:20:01 +01:00
Christian
302e793665
Add button for admin page in single Domain view (#1076)
* Added button for admin page in domain overview
2021-12-31 00:55:59 +01:00
RGanor
328780e2d4 Revert "Merge branch 'master' into master"
This reverts commit ca4c145a18, reversing
changes made to 7808febad8.
2021-12-25 16:17:54 +02:00
RGanor
ca4c145a18
Merge branch 'master' into master 2021-12-25 16:10:18 +02:00
zoeller-freinet
7808febad8 login.html: don't suggest previous OTP tokens
This change has been tested to work with:
- Chromium 96.0.4664.93
- Firefox 95.0
- Edge 96.0.1054.57
2021-12-17 12:48:11 +01:00
Vasileios Markopoulos
94a923a965
Add 'otp_force' basic setting (#1051)
If the 'otp_force' and 'otp_field_enabled' basic settings are both enabled, automatically enable 2FA for the user after login or signup, if needed, by setting a new OTP secret. Redirect the user to a welcome page for scanning the QR code.

Also show the secret key in ASCII form on the user profile page for easier copying into other applications.
2021-12-17 11:41:51 +01:00
Kateřina Churanová
eb70f6a066
fix: making the key name in the config database unique 2021-12-12 20:32:14 +01:00
Jérôme BECOT
0da9b2185e fix: Error in the swagger AccountSummary definition 2021-12-08 23:11:13 +01:00
zoeller-freinet
07f0d215a7 PDNS-API: factor in 'dnssec_admins_only' basic setting (#1055)
`GET cryptokeys/{cryptokey_id}` returns the private key, which justifies
that the setting is honored in this case.
2021-12-06 22:38:16 +01:00
Jérôme BECOT
d2f35a4059 fix: Check user zone create/delete permission
Co-authored-by: zoeller-freinet <86965592+zoeller-freinet@users.noreply.github.com>
2021-12-05 14:16:45 +01:00
zoeller-freinet
737e1fb93b routes/admin.py: DetailedHistory: backward-compatibility
See https://github.com/ngoduykhanh/PowerDNS-Admin/pull/1066
2021-12-04 17:38:48 +01:00
zoeller-freinet
f0008ce401 routes/admin.py: refactor DetailedHistory
- Run HTML through the template engine, preventing XSS from various
  vectors
- Fix uncaught exception when a history entry about domain template
  deletion is processed
- Adapt indentation to 4 space characters per level
2021-12-04 16:09:53 +01:00
Dominic Zöller
6f12b783a8 models.user: get_accounts(): order by name
The order of account names returned by User.get_accounts() affects the
order account names are displyed in on /domain/add if the current user
neither has the Administrator role nor the Operator role and the
`allow_user_create_domain` setting is enabled at the same time.

If the current user does have the Administrator or Operator role,
routes.domain.add() already returns accounts ordered by name, so this
change makes it consistent.
2021-12-04 16:09:15 +01:00
Dominic Zöller
51a7f636b0 Use secrets module for generating new API keys and passwords
The implementation of `random.choice()` uses the Mersenne Twister, the
output of which is predictable by observing previous output, and is as
such unsuitable for security-sensitive applications. A cryptographically
secure pseudorandom number generator - which the `secrets` module relies
on - should be used instead in those instances.
2021-12-04 16:08:07 +01:00
ManosKoukoularis
9f46188c7e
Quotes fix (#1066)
* minor fix in history
* made key access more generic
2021-12-03 20:14:14 +02:00
root
caa48b7fe5 Merge branch 'quotes-fix'
Conflicts:
	powerdnsadmin/routes/admin.py
2021-12-03 14:17:39 +00:00
root
940551e99e feat: Associate an API Key with accounts (#1044) 2021-12-03 14:12:11 +00:00
ManosKoukoularis
6c1dfd2408
Datepicker replace (#1059)
* replaced jquery-ui-datepicker with bootstrap-datepicker

* removed obsolete static files
2021-12-02 11:59:36 +01:00
Dominic Zöller
701a442d12 default config: add exemplary URL encoding step for SQLA DB URL params
SQLAlchemy database URLs follow RFC-1738, so parameters like username
and password need to be encoded accordingly.

https://docs.sqlalchemy.org/en/13/core/engines.html#database-urls
2021-11-30 22:29:00 +01:00
ManosKoukoularis
1332c8d29d
History Tab Overhaul & Domain Record Modifications Changelog (#1042)
Co-authored-by: Konstantinos Kouris <85997752+konkourgr@users.noreply.github.com>
Co-authored-by: vmarkop <billy.mark.b.m.10@gmail.com>
Co-authored-by: KostasMparmparousis <mparmparousis.kostas@gmail.com>
Co-authored-by: dimpapac <demispapa@gmail.com>
2021-11-30 11:02:37 +02:00
benshalev849
b3f9b4a2b0
OIDC list accounts (#994)
Added the function to use lists instead of a single string in account autoprovision.
2021-11-19 17:53:17 +02:00
zoeller-freinet
bfaf5655ae
Clarify salt re-use for API keys (#1037) 2021-11-09 22:09:15 +02:00
benshalev849
3081036c2c
Env oauth url (#1030)
Overriding settings in DB using environment variable in docker
2021-11-05 18:22:38 +02:00
Daniel Molkentin
c7b4aa3434
fix: actually store OIDC logout URL (#988) 2021-11-05 17:28:21 +02:00
Vitali Quiering
e7d5a3aba0
feat: enable_api_rr_history setting (#998)
* feat: introduce enable_api_rr_history setting to disable api record
changes
2021-11-05 17:26:38 +02:00
zoeller-freinet
20b866a784
strip() whitespace from new local user master data (#1019)
When creating a new local user, there is a chance that, due to a copy &
paste or typing error, whitespace will be introduced at the start or end
of the username. This can lead to issues when trying to log in using the
affected username, as such a condition can easily be overlooked - no
user will be found in the database if entering the username without the
aforementioned whitespace. This commit therefore strip()s the username
string within routes/{admin,index}.py.

The firstname, lastname and email strings within
routes/{admin,index,user}.py are also strip()ped on this occasion.
2021-11-05 17:04:35 +02:00
zoeller-freinet
0e655c1357
user_profile tpl: set email input type attr to "email" (#1020)
It is then consistent with the email address input elements declared in
admin_edit_account.html, admin_edit_user.html and register.html.
2021-10-30 21:30:26 +02:00
steschuser
ba2423d6f5
fix if condition in pretty_domain_name (#1008) 2021-10-30 21:29:55 +02:00
jbe-dw
b8ee91ab9a
fix: Accounts API is broken (#996) 2021-10-30 21:28:36 +02:00
RGanor
c246775ffe
bg_domain button for operators and higher (#993) 2021-10-30 21:26:46 +02:00
Hidde
f96103db79
Replace [ZONE] placeholder with domain_name (#960) 2021-10-30 21:24:16 +02:00
steschuser
bf83662108
allow users to remove domain (#952) 2021-10-30 21:21:45 +02:00