diff --git a/powerdnsadmin/decorators.py b/powerdnsadmin/decorators.py index e2a35bb..b3baae9 100644 --- a/powerdnsadmin/decorators.py +++ b/powerdnsadmin/decorators.py @@ -367,6 +367,39 @@ def apikey_can_configure_dnssec(http_methods=[]): return decorated_function return decorator +def allowed_record_types(f): + @wraps(f) + def decorated_function(*args, **kwargs): + if g.apikey.role.name in ['Administrator', 'Operator']: + return f(*args, **kwargs) + + records_allowed_to_edit = Setting().get_records_allow_to_edit() + content = request.get_json() + for record in content['rrsets']: + if record['type'] not in records_allowed_to_edit: + current_app.logger.error(f"Error: Record type not allowed: {record['type']}") + abort(401) + return f(*args, **kwargs) + + return decorated_function + +def allowed_record_ttl(f): + @wraps(f) + def decorated_function(*args, **kwargs): + if g.apikey.role.name in ['Administrator', 'Operator']: + return f(*args, **kwargs) + + allowed_ttls = Setting().get_ttl_options() + allowed_numric_ttls = [ ttl[0] for ttl in allowed_ttls ] + content = request.get_json() + for record in content['rrsets']: + if record['ttl'] not in allowed_numric_ttls: + current_app.logger.error(f"Error: Record TTL not allowed: {record['ttl']}") + abort(401) + return f(*args, **kwargs) + + return decorated_function + def apikey_auth(f): @wraps(f) diff --git a/powerdnsadmin/routes/api.py b/powerdnsadmin/routes/api.py index 4fce368..5d0d6e0 100644 --- a/powerdnsadmin/routes/api.py +++ b/powerdnsadmin/routes/api.py @@ -30,7 +30,7 @@ from ..decorators import ( apikey_can_create_domain, apikey_can_remove_domain, apikey_is_admin, apikey_can_access_domain, apikey_can_configure_dnssec, api_role_can, apikey_or_basic_auth, - callback_if_request_body_contains_key, + callback_if_request_body_contains_key, allowed_record_types, allowed_record_ttl ) import secrets import string @@ -1060,6 +1060,8 @@ def api_zone_subpath_forward(server_id, zone_id, subpath): @api_bp.route('/servers//zones/', methods=['GET', 'PUT', 'PATCH', 'DELETE']) @apikey_auth +@allowed_record_types +@allowed_record_ttl @apikey_can_access_domain @apikey_can_remove_domain(http_methods=['DELETE']) @callback_if_request_body_contains_key(apikey_can_configure_dnssec()(),