diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index f8d96a4..0000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1 +0,0 @@
-github: [ngoduykhanh]
diff --git a/README.md b/README.md
index ac74da2..5008836 100644
--- a/README.md
+++ b/README.md
@@ -45,7 +45,3 @@ The app has a plethora of settings that may be configured through a number of me
## LICENSE
MIT. See [LICENSE](https://github.com/ngoduykhanh/PowerDNS-Admin/blob/master/LICENSE)
-## Support
-If you like the project and want to support it, you can *buy me a coffee* ☕
-
-
diff --git a/powerdnsadmin/decorators.py b/powerdnsadmin/decorators.py
index 8cfe108..90c2f0d 100644
--- a/powerdnsadmin/decorators.py
+++ b/powerdnsadmin/decorators.py
@@ -246,6 +246,48 @@ def api_can_create_domain(f):
return decorated_function
+def apikey_can_create_domain(f):
+ """
+ Grant access if:
+ - user is in Operator role or higher, or
+ - allow_user_create_domain is on
+ """
+ @wraps(f)
+ def decorated_function(*args, **kwargs):
+ if g.apikey.role.name not in [
+ 'Administrator', 'Operator'
+ ] and not Setting().get('allow_user_create_domain'):
+ msg = "ApiKey #{0} does not have enough privileges to create domain"
+ current_app.logger.error(msg.format(g.apikey.id))
+ raise NotEnoughPrivileges()
+ return f(*args, **kwargs)
+
+ return decorated_function
+
+
+def apikey_can_remove_domain(http_methods=[]):
+ """
+ Grant access if:
+ - user is in Operator role or higher, or
+ - allow_user_remove_domain is on
+ """
+ def decorator(f):
+ @wraps(f)
+ def decorated_function(*args, **kwargs):
+ check_current_http_method = not http_methods or request.method in http_methods
+
+ if (check_current_http_method and
+ g.apikey.role.name not in ['Administrator', 'Operator'] and
+ not Setting().get('allow_user_remove_domain')
+ ):
+ msg = "ApiKey #{0} does not have enough privileges to remove domain"
+ current_app.logger.error(msg.format(g.apikey.id))
+ raise NotEnoughPrivileges()
+ return f(*args, **kwargs)
+ return decorated_function
+ return decorator
+
+
def apikey_is_admin(f):
"""
Grant access if user is in Administrator role
diff --git a/powerdnsadmin/routes/api.py b/powerdnsadmin/routes/api.py
index 1fd5e3a..c96e7f4 100644
--- a/powerdnsadmin/routes/api.py
+++ b/powerdnsadmin/routes/api.py
@@ -27,8 +27,9 @@ from ..lib.errors import (
)
from ..decorators import (
api_basic_auth, api_can_create_domain, is_json, apikey_auth,
- apikey_is_admin, apikey_can_access_domain, api_role_can,
- apikey_or_basic_auth,
+ apikey_can_create_domain, apikey_can_remove_domain,
+ apikey_is_admin, apikey_can_access_domain,
+ api_role_can, apikey_or_basic_auth,
)
import secrets
import string
@@ -1037,6 +1038,7 @@ def api_zone_subpath_forward(server_id, zone_id, subpath):
methods=['GET', 'PUT', 'PATCH', 'DELETE'])
@apikey_auth
@apikey_can_access_domain
+@apikey_can_remove_domain(http_methods=['DELETE'])
def api_zone_forward(server_id, zone_id):
resp = helper.forward_request()
if not Setting().get('bg_domain_updates'):
@@ -1080,6 +1082,7 @@ def api_server_sub_forward(subpath):
@api_bp.route('/servers//zones', methods=['POST'])
@apikey_auth
+@apikey_can_create_domain
def api_create_zone(server_id):
resp = helper.forward_request()