From d2f35a4059fc1455d548e4598ca6067778376c54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20BECOT?= Date: Sat, 27 Nov 2021 23:58:22 +0100 Subject: [PATCH 1/2] fix: Check user zone create/delete permission Co-authored-by: zoeller-freinet <86965592+zoeller-freinet@users.noreply.github.com> --- powerdnsadmin/decorators.py | 42 +++++++++++++++++++++++++++++++++++++ powerdnsadmin/routes/api.py | 7 +++++-- 2 files changed, 47 insertions(+), 2 deletions(-) diff --git a/powerdnsadmin/decorators.py b/powerdnsadmin/decorators.py index 8cfe108..90c2f0d 100644 --- a/powerdnsadmin/decorators.py +++ b/powerdnsadmin/decorators.py @@ -246,6 +246,48 @@ def api_can_create_domain(f): return decorated_function +def apikey_can_create_domain(f): + """ + Grant access if: + - user is in Operator role or higher, or + - allow_user_create_domain is on + """ + @wraps(f) + def decorated_function(*args, **kwargs): + if g.apikey.role.name not in [ + 'Administrator', 'Operator' + ] and not Setting().get('allow_user_create_domain'): + msg = "ApiKey #{0} does not have enough privileges to create domain" + current_app.logger.error(msg.format(g.apikey.id)) + raise NotEnoughPrivileges() + return f(*args, **kwargs) + + return decorated_function + + +def apikey_can_remove_domain(http_methods=[]): + """ + Grant access if: + - user is in Operator role or higher, or + - allow_user_remove_domain is on + """ + def decorator(f): + @wraps(f) + def decorated_function(*args, **kwargs): + check_current_http_method = not http_methods or request.method in http_methods + + if (check_current_http_method and + g.apikey.role.name not in ['Administrator', 'Operator'] and + not Setting().get('allow_user_remove_domain') + ): + msg = "ApiKey #{0} does not have enough privileges to remove domain" + current_app.logger.error(msg.format(g.apikey.id)) + raise NotEnoughPrivileges() + return f(*args, **kwargs) + return decorated_function + return decorator + + def apikey_is_admin(f): """ Grant access if user is in Administrator role diff --git a/powerdnsadmin/routes/api.py b/powerdnsadmin/routes/api.py index 1fd5e3a..c96e7f4 100644 --- a/powerdnsadmin/routes/api.py +++ b/powerdnsadmin/routes/api.py @@ -27,8 +27,9 @@ from ..lib.errors import ( ) from ..decorators import ( api_basic_auth, api_can_create_domain, is_json, apikey_auth, - apikey_is_admin, apikey_can_access_domain, api_role_can, - apikey_or_basic_auth, + apikey_can_create_domain, apikey_can_remove_domain, + apikey_is_admin, apikey_can_access_domain, + api_role_can, apikey_or_basic_auth, ) import secrets import string @@ -1037,6 +1038,7 @@ def api_zone_subpath_forward(server_id, zone_id, subpath): methods=['GET', 'PUT', 'PATCH', 'DELETE']) @apikey_auth @apikey_can_access_domain +@apikey_can_remove_domain(http_methods=['DELETE']) def api_zone_forward(server_id, zone_id): resp = helper.forward_request() if not Setting().get('bg_domain_updates'): @@ -1080,6 +1082,7 @@ def api_server_sub_forward(subpath): @api_bp.route('/servers//zones', methods=['POST']) @apikey_auth +@apikey_can_create_domain def api_create_zone(server_id): resp = helper.forward_request() From fc8367535b30c9dce5987a6e7656512b1513ba57 Mon Sep 17 00:00:00 2001 From: Khanh Ngo Date: Wed, 8 Dec 2021 17:44:44 +0100 Subject: [PATCH 2/2] chore: remove funding and sponsor badges (#1073) --- .github/FUNDING.yml | 1 - README.md | 4 ---- 2 files changed, 5 deletions(-) delete mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml deleted file mode 100644 index f8d96a4..0000000 --- a/.github/FUNDING.yml +++ /dev/null @@ -1 +0,0 @@ -github: [ngoduykhanh] diff --git a/README.md b/README.md index e924bb0..bec39a5 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,3 @@ You can then access PowerDNS-Admin by pointing your browser to http://localhost: ## LICENSE MIT. See [LICENSE](https://github.com/ngoduykhanh/PowerDNS-Admin/blob/master/LICENSE) -## Support -If you like the project and want to support it, you can *buy me a coffee* ☕ - -Buy Me A Coffee