powerdns-admin/app/decorators.py

from functools import wraps
from flask import g, redirect, url_for

from app.models import Setting


def admin_role_required(f):
    """
    Grant access if user is in Administrator role
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if g.user.role.name != 'Administrator':
            return redirect(url_for('error', code=401))
        return f(*args, **kwargs)
    return decorated_function


def operator_role_required(f):
    """
    Grant access if user is in Operator role or higher
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if g.user.role.name not in ['Administrator', 'Operator']:
            return redirect(url_for('error', code=401))
        return f(*args, **kwargs)
    return decorated_function


def can_access_domain(f):
    """
    Grant access if:
        - user is in Operator role or higher, or
        - user is in granted Account, or
        - user is in granted Domain
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if g.user.role.name not in ['Administrator', 'Operator']:
            domain_name = kwargs.get('domain_name')
            user_domain = [d.name for d in g.user.get_domain()]

            if domain_name not in user_domain:
                return redirect(url_for('error', code=401))

        return f(*args, **kwargs)
    return decorated_function


def can_configure_dnssec(f):
    """
    Grant access if:
        - user is in Operator role or higher, or
        - dnssec_admins_only is off
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if g.user.role.name not in ['Administrator', 'Operator'] and Setting().get('dnssec_admins_only'):
            return redirect(url_for('error', code=401))

        return f(*args, **kwargs)
    return decorated_function


def can_create_domain(f):
    """
    Grant access if:
        - user is in Operator role or higher, or
        - allow_user_create_domain is on
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if g.user.role.name not in ['Administrator', 'Operator'] and not Setting().get('allow_user_create_domain'):
            return redirect(url_for('error', code=401))

        return f(*args, **kwargs)
    return decorated_function