Add option to allow user to create domain

2018-09-01 17:53:05 +07:00 · 2018-09-01 17:53:05 +07:00 · 3481af149b
parent 38d1d85a18
commit 3481af149b
6 changed files with 33 additions and 7 deletions
--- a/app/decorators.py
+++ b/app/decorators.py
@ -61,3 +61,18 @@ def can_configure_dnssec(f):

        return f(*args, **kwargs)
    return decorated_function
+
+
+def can_create_domain(f):
+    """
+    Grant access if:
+        - user is in Operator role or higher, or
+        - allow_user_create_domain is on
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.user.role.name not in ['Administrator', 'Operator'] and not Setting().get('allow_user_create_domain'):
+            return redirect(url_for('error', code=401))
+
+        return f(*args, **kwargs)
+    return decorated_function
--- a/app/models.py
+++ b/app/models.py
@ -1799,6 +1799,7 @@ class Setting(db.Model):
        'allow_quick_edit': True,
        'pretty_ipv6_ptr': False,
        'dnssec_admins_only': False,
+        'allow_user_create_domain': False,
        'bg_domain_updates': False,
        'site_name': 'PowerDNS-Admin',
        'pdns_api_url': '',
--- a/app/templates/admin_setting_basic.html
+++ b/app/templates/admin_setting_basic.html
@ -69,7 +69,7 @@
 <script>
    // set up history data table
    $("#tbl_settings").DataTable({
-        "paging" : true,
+        "paging" : false,
        "lengthChange" : false,
        "searching" : true,
        "ordering" : true,
--- a/app/templates/base.html
+++ b/app/templates/base.html
@ -108,10 +108,12 @@
        <li class="{{ 'active' if active_page == 'dashboard' else '' }}">
          <a href="{{ url_for('dashboard') }}"><i class="fa fa-dashboard"></i> Dashboard</a>
        </li>
-        {% if current_user.role.name in ['Administrator', 'Operator'] %}
+        {% if SETTING.get('allow_user_create_domain') %}
        <li class="{{ 'active' if active_page == 'new_domain' else '' }}">
          <a href="{{ url_for('domain_add') }}"><i class="fa fa-plus"></i> New Domain</a>
        </li>
+        {% endif %}
+        {% if current_user.role.name in ['Administrator', 'Operator'] %}
        <li class="header">ADMINISTRATION</li>
        <li class="{{ 'active' if active_page == 'admin_console' else '' }}">
          <a href="{{ url_for('admin_pdns') }}"><i class="fa fa-info-circle"></i> PDNS</a>
--- a/app/views.py
+++ b/app/views.py
@ -19,7 +19,7 @@ from .models import User, Account, Domain, Record, Role, Server, History, Anonym
 from app import app, login_manager
 from app.lib import utils
 from app.oauth import github_oauth, google_oauth
-from app.decorators import admin_role_required, operator_role_required, can_access_domain, can_configure_dnssec
+from app.decorators import admin_role_required, operator_role_required, can_access_domain, can_configure_dnssec, can_create_domain

 if app.config['SAML_ENABLED']:
    from onelogin.saml2.utils import OneLogin_Saml2_Utils
@ -598,7 +598,7 @@ def domain(domain_name):

@app.route('/admin/domain/add', methods=['GET', 'POST'])
@login_required
-@operator_role_required
+@can_create_domain
 def domain_add():
    templates = DomainTemplate.query.all()
    if request.method == 'POST':
@ -627,6 +627,11 @@ def domain_add():
            if result['status'] == 'ok':
                history = History(msg='Add domain {0}'.format(domain_name), detail=str({'domain_type': domain_type, 'domain_master_ips': domain_master_ips, 'account_id': account_id}), created_by=current_user.username)
                history.add()
+
+                # grant user access to the domain
+                Domain(name=domain_name).grant_privielges([current_user.username])
+
+                # apply template if needed
                if domain_template != '0':
                    template = DomainTemplate.query.filter(DomainTemplate.id == domain_template).first()
                    template_records = DomainTemplateRecord.query.filter(DomainTemplateRecord.template_id == domain_template).all()
@ -693,6 +698,7 @@ def domain_management(domain_name):
        new_user_list = request.form.getlist('domain_multi_user[]')

        # grant/revoke user privielges
+        d = Domain(name=domain_name)
        d.grant_privielges(new_user_list)

        history = History(msg='Change domain {0} access control'.format(domain_name), detail=str({'user_has_access': new_user_list}), created_by=current_user.username)
--- a/migrations/versions/4a666113c7bb_add_operator_role.py
+++ b/migrations/versions/4a666113c7bb_add_operator_role.py
@ -24,10 +24,11 @@ def update_data():
        sa.sql.column('view', sa.String)
    )

-    # add ldap_operator_group setting
+    # add new settings
    op.bulk_insert(setting_table,
        [
            {'id': 44, 'name': 'ldap_operator_group', 'value': '', 'view': 'authentication'},
+            {'id': 45, 'name': 'allow_user_create_domain', 'value': 'False', 'view': 'basic'},
        ]
    )

@ -54,5 +55,6 @@ def downgrade():
    op.execute("UPDATE user SET role_id = 2 WHERE role_id=3")
    op.execute("DELETE FROM role WHERE name = 'Operator'")

-    # delete ldap setting
-    op.execute("DELETE FROM setting WHERE name = 'ldap_operator_group'")
+    # delete settings
+    op.execute("DELETE FROM setting WHERE name = 'ldap_operator_group'")
+    op.execute("DELETE FROM setting WHERE name = 'allow_user_create_domain'")