From 3457d9214a84a504a53eb6f77830adba4bafa4e4 Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Fri, 31 Aug 2018 11:57:06 +0700
Subject: [PATCH 01/13] Adding Operator role

---
 app/decorators.py                             | 34 +++++++-
 app/models.py                                 | 68 +++++++--------
 app/static/custom/js/custom.js                |  7 +-
 app/templates/admin_manageuser.html           | 40 ++++-----
 .../admin_setting_authentication.html         |  8 ++
 app/templates/base.html                       | 24 +++---
 app/templates/dashboard.html                  | 32 +++----
 app/templates/dashboard_domain.html           |  4 +-
 app/views.py                                  | 86 +++++++++++--------
 .../4a666113c7bb_add_operator_role.py         | 58 +++++++++++++
 10 files changed, 228 insertions(+), 133 deletions(-)
 create mode 100644 migrations/versions/4a666113c7bb_add_operator_role.py

diff --git a/app/decorators.py b/app/decorators.py
index 673eea6..c563e00 100644
--- a/app/decorators.py
+++ b/app/decorators.py
@@ -6,6 +6,9 @@ from app.models import Role, Setting
 
 
 def admin_role_required(f):
+    """
+    Grant access if user is in Administrator role
+    """
     @wraps(f)
     def decorated_function(*args, **kwargs):
         if g.user.role.name != 'Administrator':
@@ -14,10 +17,28 @@ def admin_role_required(f):
     return decorated_function
 
 
-def can_access_domain(f):
+def operator_role_required(f):
+    """
+    Grant access if user is in Operator role or higher
+    """
     @wraps(f)
     def decorated_function(*args, **kwargs):
-        if g.user.role.name != 'Administrator':
+        if g.user.role.name not in ['Administrator', 'Operator']:
+            return redirect(url_for('error', code=401))
+        return f(*args, **kwargs)
+    return decorated_function
+
+
+def can_access_domain(f):
+    """
+    Grant access if:
+        - user is in Operator role or higher, or
+        - user is in granted Account, or
+        - user is in granted Domain
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.user.role.name not in ['Administrator', 'Operator']:
             domain_name = kwargs.get('domain_name')
             user_domain = [d.name for d in g.user.get_domain()]
 
@@ -29,10 +50,15 @@ def can_access_domain(f):
 
 
 def can_configure_dnssec(f):
+    """
+    Grant access if:
+        - user is in Operator role or higher, or
+        - dnssec_admins_only is off
+    """
     @wraps(f)
     def decorated_function(*args, **kwargs):
-        if g.user.role.name != 'Administrator' and Setting().get('dnssec_admins_only'):
-                return redirect(url_for('error', code=401))
+        if g.user.role.name not in ['Administrator', 'Operator'] and Setting().get('dnssec_admins_only'):
+            return redirect(url_for('error', code=401))
 
         return f(*args, **kwargs)
     return decorated_function
diff --git a/app/models.py b/app/models.py
index 5eec5ab..2117ea1 100644
--- a/app/models.py
+++ b/app/models.py
@@ -150,7 +150,7 @@ class User(db.Model):
             logging.error(e)
             logging.debug('baseDN: {0}'.format(baseDN))
             logging.debug(traceback.format_exc())
-            raise
+
 
     def ldap_auth(self, ldap_username, password):
         try:
@@ -165,6 +165,8 @@ class User(db.Model):
         """
         Validate user credential
         """
+        role_name = 'User'
+
         if method == 'LOCAL':
             user_info = User.query.filter(User.username == self.username).first()
 
@@ -179,12 +181,12 @@ class User(db.Model):
             return False
 
         if method == 'LDAP':
-            isadmin = False
             LDAP_TYPE = Setting().get('ldap_type')
             LDAP_BASE_DN = Setting().get('ldap_base_dn')
             LDAP_FILTER_BASIC = Setting().get('ldap_filter_basic')
             LDAP_FILTER_USERNAME = Setting().get('ldap_filter_username')
             LDAP_ADMIN_GROUP = Setting().get('ldap_admin_group')
+            LDAP_OPERATOR_GROUP = Setting().get('ldap_operator_group')
             LDAP_USER_GROUP = Setting().get('ldap_user_group')
             LDAP_GROUP_SECURITY_ENABLED = Setting().get('ldap_sg_enabled')
 
@@ -206,24 +208,30 @@ class User(db.Model):
                         try:
                             if LDAP_TYPE == 'ldap':
                                 if (self.ldap_search(searchFilter, LDAP_ADMIN_GROUP)):
-                                    isadmin = True
+                                    role_name = 'Administrator'
                                     logging.info('User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP))
+                                elif (self.ldap_search(searchFilter, LDAP_OPERATOR_GROUP)):
+                                    role_name = 'Operator'
+                                    logging.info('User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'.format(self.username, LDAP_OPERATOR_GROUP))
                                 elif (self.ldap_search(searchFilter, LDAP_USER_GROUP)):
                                     logging.info('User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'.format(self.username, LDAP_USER_GROUP))
                                 else:
-                                    logging.error('User {0} is not part of the "{1}" or "{2}" groups that allow access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP, LDAP_USER_GROUP))
+                                    logging.error('User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP, LDAP_OPERATOR_GROUP, LDAP_USER_GROUP))
                                     return False
                             elif LDAP_TYPE == 'ad':
                                 user_ldap_groups = [g.decode("utf-8") for g in ldap_result[0][0][1]['memberOf']]
                                 logging.debug('user_ldap_groups: {0}'.format(user_ldap_groups))
 
                                 if (LDAP_ADMIN_GROUP in user_ldap_groups):
-                                    isadmin = True
+                                    role_name = 'Administrator'
                                     logging.info('User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP))
+                                elif (LDAP_OPERATOR_GROUP in user_ldap_groups):
+                                    role_name = 'Operator'
+                                    logging.info('User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'.format(self.username, LDAP_OPERATOR_GROUP))
                                 elif (LDAP_USER_GROUP in user_ldap_groups):
                                     logging.info('User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'.format(self.username, LDAP_USER_GROUP))
                                 else:
-                                    logging.error('User {0} is not part of the "{1}" or "{2}" groups that allow access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP, LDAP_USER_GROUP))
+                                    logging.error('User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP, LDAP_OPERATOR_GROUP, LDAP_USER_GROUP))
                                     return False
                             else:
                                 logging.error('Invalid LDAP type')
@@ -261,21 +269,17 @@ class User(db.Model):
                     logging.debug(traceback.format_exc())
 
                 # first register user will be in Administrator role
-                self.role_id = Role.query.filter_by(name='User').first().id
                 if User.query.count() == 0:
                     self.role_id = Role.query.filter_by(name='Administrator').first().id
-
-                # user will be in Administrator role if part of LDAP Admin group
-                if LDAP_GROUP_SECURITY_ENABLED:
-                    if isadmin == True:
-                        self.role_id = Role.query.filter_by(name='Administrator').first().id
+                else:
+                    self.role_id = Role.query.filter_by(name=role_name).first().id
 
                 self.create_user()
                 logging.info('Created user "{0}" in the DB'.format(self.username))
 
-            # user already exists in database, set their admin status based on group membership (if enabled)
+            # user already exists in database, set their role based on group membership (if enabled)
             if LDAP_GROUP_SECURITY_ENABLED:
-                self.set_admin(isadmin)
+                self.set_role(role_name)
 
             return True
         else:
@@ -453,28 +457,15 @@ class User(db.Model):
                 return False
         return False
 
-    def set_admin(self, is_admin):
-        """
-        Set role for a user:
-            is_admin == True  => Administrator
-            is_admin == False => User
-        """
-        user_role_name = 'Administrator' if is_admin else 'User'
-        role = Role.query.filter(Role.name==user_role_name).first()
-
-        try:
-            if role:
-                user = User.query.filter(User.username==self.username).first()
-                user.role_id = role.id
-                db.session.commit()
-                return True
-            else:
-                return False
-        except:
-            db.session.roleback()
-            logging.error('Cannot change user role in DB')
-            logging.debug(traceback.format_exc())
-            return False
+    def set_role(self, role_name):
+        role = Role.query.filter(Role.name==role_name).first()
+        if role:
+            user = User.query.filter(User.username==self.username).first()
+            user.role_id = role.id
+            db.session.commit()
+            return {'status': True, 'msg': 'Set user role successfully'}
+        else:
+            return {'status': False, 'msg': 'Role does not exist'}
 
 
 class Account(db.Model):
@@ -1825,8 +1816,9 @@ class Setting(db.Model):
         'ldap_filter_basic': '',
         'ldap_filter_username': '',
         'ldap_sg_enabled': False,
-        'ldap_admin_group': False,
-        'ldap_user_group': False,
+        'ldap_admin_group': '',
+        'ldap_operator_group': '',
+        'ldap_user_group': '',
         'github_oauth_enabled': False,
         'github_oauth_key': '',
         'github_oauth_secret': '',
diff --git a/app/static/custom/js/custom.js b/app/static/custom/js/custom.js
index 6442bb2..e079130 100644
--- a/app/static/custom/js/custom.js
+++ b/app/static/custom/js/custom.js
@@ -22,9 +22,14 @@ function applyChanges(data, url, showResult, refreshPage) {
         },
 
         error : function(jqXHR, status) {
+            // console.log(jqXHR);
+            // var modal = $("#modal_error");
+            // modal.find('.modal-body p').text(jqXHR["responseText"]);
+            // modal.modal('show');
             console.log(jqXHR);
             var modal = $("#modal_error");
-            modal.find('.modal-body p').text(jqXHR["responseText"]);
+            var responseJson = jQuery.parseJSON(jqXHR.responseText);
+            modal.find('.modal-body p').text(responseJson['msg']);
             modal.modal('show');
         }
     });
diff --git a/app/templates/admin_manageuser.html b/app/templates/admin_manageuser.html
index 653738e..a3aa85a 100644
--- a/app/templates/admin_manageuser.html
+++ b/app/templates/admin_manageuser.html
@@ -36,7 +36,7 @@
                                 <th>First Name</th>
                                 <th>Last Name</th>
                                 <th>Email</th>
-                                <th>Admin</th>
+                                <th>Role</th>
                                 <th>Privileges</th>
                                 <th>Action</th>
                             </tr>
@@ -49,18 +49,22 @@
                                 <td>{{ user.lastname }}</td>
                                 <td>{{ user.email }}</td>
                                 <td>
-                                    <input type="checkbox" id="{{ user.username }}" class="admin_toggle" {% if user.role.name=='Administrator' %}checked{% endif %} {% if user.username==current_user.username %}disabled{% endif %}>
+                                    <select id="{{ user.username }}" class="user_role" {% if user.username==current_user.username or (current_user.role.name=='Operator' and user.role.name=='Administrator') %}disabled{% endif %}>
+                                        {% for role in roles %}
+                                        <option value="{{ role.name }}" {% if role.id==user.role.id %}selected{% endif %}>{{ role.name }}</option>
+                                        {% endfor %}
+                                    </select>
                                 </td>
                                 <td width="6%">
-                                    <button type="button" class="btn btn-flat btn-warning button_revoke" id="{{ user.username }}">
+                                    <button type="button" class="btn btn-flat btn-warning button_revoke" id="{{ user.username }}" {% if current_user.role.name=='Operator' and user.role.name=='Administrator' %}disabled{% endif %}>
                                         Revoke&nbsp;<i class="fa fa-lock"></i>
                                     </button>
                                 </td>
                                 <td width="15%">
-                                    <button type="button" class="btn btn-flat btn-success button_edit" onclick="window.location.href='{{ url_for('admin_edituser', user_username=user.username) }}'">
+                                    <button type="button" class="btn btn-flat btn-success button_edit" onclick="window.location.href='{{ url_for('admin_edituser', user_username=user.username) }}'" {% if current_user.role.name=='Operator' and user.role.name=='Administrator' %}disabled{% endif %}>
                                         Edit&nbsp;<i class="fa fa-lock"></i>
                                     </button>
-                                    <button type="button" class="btn btn-flat btn-danger button_delete" id="{{ user.username }}" {% if user.username==current_user.username %}disabled{% endif %}>
+                                    <button type="button" class="btn btn-flat btn-danger button_delete" id="{{ user.username }}" {% if user.username==current_user.username or (current_user.role.name=='Operator' and user.role.name=='Administrator') %}disabled{% endif %}>
                                         Delete&nbsp;<i class="fa fa-trash"></i>
                                     </button>
                                 </td>
@@ -93,14 +97,6 @@
         "pageLength": 10
     });
 
-    // avoid losing icheck box style when database refreshed
-    $('#tbl_users').on('draw.dt', function () {
-        $('.admin_toggle').iCheck({
-            handle: 'checkbox',
-            checkboxClass: 'icheckbox_square-blue'
-        });
-    });
-
     // handle revocation of privileges
     $(document.body).on('click', '.button_revoke', function() {
         var modal = $("#modal_revoke");
@@ -129,24 +125,18 @@
         
     });
 
-    // initialize pretty checkboxes
-    $('.admin_toggle').iCheck({
-        checkboxClass : 'icheckbox_square-blue',
-        increaseArea : '20%' // optional
-    });
-    
-    // handle checkbox toggling
-    $(document.body).on('ifToggled', '.admin_toggle', function() {
-        var is_admin = $(this).prop('checked');
+    // handle user role changing
+    $('.user_role').on('change', function() {
+        var role_name = this.value;
         var username = $(this).prop('id');
         postdata = {
-            'action' : 'set_admin',
+            'action' : 'update_user_role',
             'data' : {
                 'username' : username,
-                'is_admin' : is_admin
+                'role_name' : role_name
             }
         };
-        applyChanges(postdata, $SCRIPT_ROOT + '/admin/manageuser');
+        applyChanges(postdata, $SCRIPT_ROOT + '/admin/manageuser', showResult=true);
     });
 </script>
 {% endblock %}
diff --git a/app/templates/admin_setting_authentication.html b/app/templates/admin_setting_authentication.html
index e929065..e522178 100644
--- a/app/templates/admin_setting_authentication.html
+++ b/app/templates/admin_setting_authentication.html
@@ -133,6 +133,11 @@
                                                     <input type="text" class="form-control" name="ldap_admin_group" id="ldap_admin_group" placeholder="e.g. cn=sysops,dc=mydomain,dc=com"  data-error="Please input LDAP DN for Admin group" value="{{ SETTING.get('ldap_admin_group') }}">
                                                     <span class="help-block with-errors"></span>
                                                 </div>
+                                                <div class="form-group">
+                                                    <label for="ldap_operator_group">Operator group</label>
+                                                    <input type="text" class="form-control" name="ldap_operator_group" id="ldap_operator_group" placeholder="e.g. cn=operators,dc=mydomain,dc=com" data-error="Please input LDAP DN for Operator group" value="{{ SETTING.get('ldap_operator_group') }}">
+                                                    <span class="help-block with-errors"></span>
+                                                </div>
                                                 <div class="form-group">
                                                     <label for="ldap_user_group">User group</label>
                                                     <input type="text" class="form-control" name="ldap_user_group" id="ldap_user_group" placeholder="e.g. cn=users,dc=mydomain,dc=com" data-error="Please input LDAP DN for User group" value="{{ SETTING.get('ldap_user_group') }}">
@@ -197,6 +202,9 @@
                                                     <li>
                                                         Admin group - Your LDAP admin group.
                                                     </li>
+                                                    <li>
+                                                        Operator group - Your LDAP operator group.
+                                                    </li>
                                                     <li>
                                                         User group - Your LDAP user group.
                                                     </li>
diff --git a/app/templates/base.html b/app/templates/base.html
index 98845ea..0b1e220 100644
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -108,26 +108,26 @@
         <li class="{{ 'active' if active_page == 'dashboard' else '' }}">
           <a href="{{ url_for('dashboard') }}"><i class="fa fa-dashboard"></i> Dashboard</a>
         </li>
-        {% if current_user.role.name == 'Administrator' %}
+        {% if current_user.role.name in ['Administrator', 'Operator'] %}
         <li class="{{ 'active' if active_page == 'new_domain' else '' }}">
           <a href="{{ url_for('domain_add') }}"><i class="fa fa-plus"></i> New Domain</a>
         </li>
         <li class="header">ADMINISTRATION</li>
         <li class="{{ 'active' if active_page == 'admin_console' else '' }}">
-          <a href="{{ url_for('admin') }}"><i class="fa fa-wrench"></i> Admin Console</a>
-        </li>
-        <li class="{{ 'active' if active_page == 'admin_domain_template' else '' }}">
-          <a href="{{ url_for('templates') }}"><i class="fa fa-clone"></i> Domain Templates</a>
-        </li>
-        <li class="{{ 'active' if active_page == 'admin_users' else '' }}">
-          <a href="{{ url_for('admin_manageuser') }}"><i class="fa fa-users"></i> Users</a>
-        </li>
-        <li class="{{ 'active' if active_page == 'admin_accounts' else '' }}">
-          <a href="{{ url_for('admin_manageaccount') }}"><i class="fa fa-industry"></i> Accounts</a>
+          <a href="{{ url_for('admin_pdns') }}"><i class="fa fa-info-circle"></i> PDNS</a>
         </li>
         <li class="{{ 'active' if active_page == 'admin_history' else '' }}">
           <a href="{{ url_for('admin_history') }}"><i class="fa fa-calendar"></i> History</a>
         </li>
+        <li class="{{ 'active' if active_page == 'admin_domain_template' else '' }}">
+          <a href="{{ url_for('templates') }}"><i class="fa fa-clone"></i> Domain Templates</a>
+        </li>
+        <li class="{{ 'active' if active_page == 'admin_accounts' else '' }}">
+          <a href="{{ url_for('admin_manageaccount') }}"><i class="fa fa-industry"></i> Accounts</a>
+        </li>
+        <li class="{{ 'active' if active_page == 'admin_users' else '' }}">
+          <a href="{{ url_for('admin_manageuser') }}"><i class="fa fa-users"></i> Users</a>
+        </li>          
         <li class="{{ 'treeview active' if active_page == 'admin_settings' else 'treeview' }}">
           <a href="#">
             <i class="fa fa-cog"></i> Settings
@@ -138,8 +138,10 @@
           <ul class="treeview-menu" {% if active_page == 'admin_settings' %}style="display: block;"{% endif %}>
             <li><a href="{{ url_for('admin_setting_basic') }}"><i class="fa fa-circle-o"></i></i> Basic</a></li>
             <li><a href="{{ url_for('admin_setting_records') }}"><i class="fa fa-circle-o"></i> Records</a></li>
+            {% if current_user.role.name == 'Administrator' %}
             <li><a href="{{ url_for('admin_setting_pdns') }}"><i class="fa fa-circle-o"></i> PDNS</a></li>
             <li><a href="{{ url_for('admin_setting_authentication') }}"><i class="fa fa-circle-o"></i> Authentication</a></li>
+            {% endif %}
           </ul>
         </li>
         {% endif %}
diff --git a/app/templates/dashboard.html b/app/templates/dashboard.html
index b1d3400..871ff26 100644
--- a/app/templates/dashboard.html
+++ b/app/templates/dashboard.html
@@ -19,7 +19,7 @@
 {% block content %}
  <!-- Main content -->
     <section class="content">
-      {% if current_user.role.name == 'Administrator' %}
+      {% if current_user.role.name in ['Administrator', 'Operator'] %}
       <div class="row">
         <div class="col-xs-3">
             <div class="box">
@@ -69,7 +69,7 @@
                       </a>
                     </div>
                     <div class="col-lg-6">
-                      <a href="{{ url_for('admin') }}">
+                      <a href="{{ url_for('admin_pdns') }}">
                       <div class="small-box bg-green">
                         <div class="inner">
                           <h3><span style="font-size: 18px">{{ uptime|display_second_to_time }}</span></h3>
@@ -102,17 +102,17 @@
                     </thead>
                     <tbody>
                     {% for history in histories %}
-                            <tr class="odd">
-                                <td>{{ history.created_by }}</td>
-                                <td>{{ history.msg }}</td>
-                                <td>{{ history.created_on }}</td>
-                                <td width="6%">
-                                    <button type="button" class="btn btn-flat btn-primary history-info-button" value='{{ history.detail|replace("[]","None") }}'>
-                                        Info&nbsp;<i class="fa fa-info"></i>
-                                    </button>
-                                </td>
-                            </tr>
-                            {% endfor %}
+                      <tr class="odd">
+                          <td>{{ history.created_by }}</td>
+                          <td>{{ history.msg }}</td>
+                          <td>{{ history.created_on }}</td>
+                          <td width="6%">
+                              <button type="button" class="btn btn-flat btn-primary history-info-button" value='{{ history.detail|replace("[]","None") }}'>
+                                  Info&nbsp;<i class="fa fa-info"></i>
+                              </button>
+                          </td>
+                      </tr>
+                    {% endfor %}
                     </tbody>
                   </table>
                 </div>
@@ -136,7 +136,7 @@
                   <th>Serial</th>
                   <th>Master</th>
                   <th>Account</th>
-                  <th {% if current_user.role.name !='Administrator' %}width="6%"{% else %}width="25%"{% endif %}>Action</th>
+                  <th {% if current_user.role.name not in ['Administrator','Operator'] %}width="6%"{% else %}width="25%"{% endif %}>Action</th>
                 </tr>
                 </thead>
                 <tbody>
@@ -182,7 +182,7 @@
         "ordering" : true,
         "columnDefs": [
             { "orderable": false, "targets": [-1] }
-            {% if current_user.role.name != 'Administrator' %},{ "visible": false, "targets": [-2] }{% endif %}
+            {% if current_user.role.name not in ['Administrator', 'Operator'] %},{ "visible": false, "targets": [-2] }{% endif %}
         ],
         "processing" : true,
         "serverSide" : true,
@@ -236,7 +236,7 @@
         modal.modal('show');
     });
 
-    {% if current_user.role.name == 'Administrator' or not SETTING.get('dnssec_admins_only') %}
+    {% if current_user.role.name in ['Administrator', 'Operator'] or not SETTING.get('dnssec_admins_only') %}
     $(document.body).on("click", ".button_dnssec", function() {
         var domain = $(this).prop('id');
         getdnssec($SCRIPT_ROOT + '/domain/' + domain + '/dnssec', domain);
diff --git a/app/templates/dashboard_domain.html b/app/templates/dashboard_domain.html
index 6d42edb..8f1c1fe 100644
--- a/app/templates/dashboard_domain.html
+++ b/app/templates/dashboard_domain.html
@@ -23,13 +23,13 @@
 {% endmacro %}
 
 {% macro account(domain) %}
-    {% if current_user.role.name =='Administrator' %}
+    {% if current_user.role.name in ['Administrator', 'Operator'] %}
       {% if domain.account_description != "" %}{{ domain.account.description }} {% endif %}[{{ domain.account.name }}]
     {% endif %}
 {% endmacro %}
 
 {% macro actions(domain) %}
-  {% if current_user.role.name =='Administrator' %}
+  {% if current_user.role.name in ['Administrator', 'Operator'] %}
     <td width="25%">
       <button type="button" class="btn btn-flat btn-success button_template" id="{{ domain.name }}">
         Template&nbsp;<i class="fa fa-clone"></i>
diff --git a/app/views.py b/app/views.py
index 2fe0356..8fbe130 100644
--- a/app/views.py
+++ b/app/views.py
@@ -22,7 +22,7 @@ from .models import User, Account, Domain, Record, Role, Server, History, Anonym
 from app import app, login_manager
 from app.lib import utils
 from app.oauth import github_oauth, google_oauth
-from app.decorators import admin_role_required, can_access_domain, can_configure_dnssec
+from app.decorators import admin_role_required, operator_role_required, can_access_domain, can_configure_dnssec
 
 if app.config['SAML_ENABLED']:
     from onelogin.saml2.auth import OneLogin_Saml2_Auth
@@ -68,7 +68,7 @@ def before_request():
 
     # check site maintenance mode
     maintenance = Setting().get('maintenance')
-    if maintenance and current_user.is_authenticated and current_user.role.name != 'Administrator':
+    if maintenance and current_user.is_authenticated and current_user.role.name not in ['Administrator', 'Operator']:
         return render_template('maintenance.html')
 
 
@@ -476,7 +476,7 @@ def dashboard():
 @app.route('/dashboard-domains', methods=['GET'])
 @login_required
 def dashboard_domains():
-    if current_user.role.name == 'Administrator':
+    if current_user.role.name in ['Administrator', 'Operator']:
         domains = Domain.query
     else:
         domains = User(id=current_user.id).get_domain_query()
@@ -508,7 +508,7 @@ def dashboard_domains():
         start = "" if search.startswith("^") else "%"
         end = "" if search.endswith("$") else "%"
 
-        if current_user.role.name == 'Administrator':
+        if current_user.role.name in ['Administrator', 'Operator']:
             domains = domains.outerjoin(Account).filter(Domain.name.ilike(start + search.strip("^$") + end) |
                                                         Account.name.ilike(start + search.strip("^$") + end) |
                                                         Account.description.ilike(start + search.strip("^$") + end))
@@ -603,7 +603,7 @@ def domain(domain_name):
 
 @app.route('/admin/domain/add', methods=['GET', 'POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def domain_add():
     templates = DomainTemplate.query.all()
     if request.method == 'POST':
@@ -661,7 +661,7 @@ def domain_add():
 
 @app.route('/admin/domain/<path:domain_name>/delete', methods=['GET'])
 @login_required
-@admin_role_required
+@operator_role_required
 def domain_delete(domain_name):
     d = Domain()
     result = d.delete(domain_name)
@@ -677,7 +677,7 @@ def domain_delete(domain_name):
 
 @app.route('/admin/domain/<path:domain_name>/manage', methods=['GET', 'POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def domain_management(domain_name):
     if request.method == 'GET':
         domain = Domain.query.filter(Domain.name == domain_name).first()
@@ -712,7 +712,7 @@ def domain_management(domain_name):
 
 @app.route('/admin/domain/<path:domain_name>/change_soa_setting', methods=['POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def domain_change_soa_edit_api(domain_name):
     domain = Domain.query.filter(Domain.name == domain_name).first()
     if not domain:
@@ -738,7 +738,7 @@ def domain_change_soa_edit_api(domain_name):
 
 @app.route('/admin/domain/<path:domain_name>/change_account', methods=['POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def domain_change_account(domain_name):
     domain = Domain.query.filter(Domain.name == domain_name).first()
     if not domain:
@@ -816,7 +816,7 @@ def record_update(domain_name):
 
 @app.route('/domain/<path:domain_name>/record/<path:record_name>/type/<path:record_type>/delete', methods=['GET'])
 @login_required
-@admin_role_required
+@operator_role_required
 def record_delete(domain_name, record_name, record_type):
     try:
         r = Record(name=record_name, type=record_type)
@@ -873,7 +873,7 @@ def domain_dnssec_disable(domain_name):
 
 @app.route('/domain/<path:domain_name>/managesetting', methods=['GET', 'POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def admin_setdomainsetting(domain_name):
     if request.method == 'POST':
         #
@@ -914,7 +914,7 @@ def admin_setdomainsetting(domain_name):
 @app.route('/templates', methods=['GET', 'POST'])
 @app.route('/templates/list', methods=['GET', 'POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def templates():
     templates = DomainTemplate.query.all()
     return render_template('template.html', templates=templates)
@@ -922,7 +922,7 @@ def templates():
 
 @app.route('/template/create', methods=['GET', 'POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def create_template():
     if request.method == 'GET':
         return render_template('template_add.html')
@@ -955,7 +955,7 @@ def create_template():
 
 @app.route('/template/createfromzone', methods=['POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def create_template_from_zone():
     try:
         jdata = request.json
@@ -1015,7 +1015,7 @@ def create_template_from_zone():
 
 @app.route('/template/<path:template>/edit', methods=['GET'])
 @login_required
-@admin_role_required
+@operator_role_required
 def edit_template(template):
     try:
         t = DomainTemplate.query.filter(DomainTemplate.name == template).first()
@@ -1066,7 +1066,7 @@ def apply_records(template):
 
 @app.route('/template/<path:template>/delete', methods=['GET'])
 @login_required
-@admin_role_required
+@operator_role_required
 def delete_template(template):
     try:
         t = DomainTemplate.query.filter(DomainTemplate.name == template).first()
@@ -1085,10 +1085,10 @@ def delete_template(template):
     return redirect(url_for('templates'))
 
 
-@app.route('/admin', methods=['GET', 'POST'])
+@app.route('/admin/pdns', methods=['GET'])
 @login_required
-@admin_role_required
-def admin():
+@operator_role_required
+def admin_pdns():
     if not Setting().get('pdns_api_url') or not Setting().get('pdns_api_key') or not Setting().get('pdns_version'):
         return redirect(url_for('admin_setting_pdns'))
 
@@ -1111,7 +1111,7 @@ def admin():
 @app.route('/admin/user/edit/<user_username>', methods=['GET', 'POST'])
 @app.route('/admin/user/edit', methods=['GET', 'POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def admin_edituser(user_username=None):
     if request.method == 'GET':
         if not user_username:
@@ -1150,11 +1150,12 @@ def admin_edituser(user_username=None):
 
 @app.route('/admin/manageuser', methods=['GET', 'POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def admin_manageuser():
     if request.method == 'GET':
+        roles = Role.query.all()
         users = User.query.order_by(User.username).all()
-        return render_template('admin_manageuser.html', users=users)
+        return render_template('admin_manageuser.html', users=users, roles=roles)
 
     if request.method == 'POST':
         #
@@ -1197,19 +1198,31 @@ def admin_manageuser():
                 else:
                     return make_response(jsonify( { 'status': 'error', 'msg': 'Cannot revoke user privilege.' } ), 500)
 
-            elif jdata['action'] == 'set_admin':
+            elif jdata['action'] == 'update_user_role':
                 username = data['username']
+                role_name = data['role_name']
+
                 if username == current_user.username:
-                    return make_response(jsonify( { 'status': 'error', 'msg': 'You cannot change you own admin rights.' } ), 400)
-                is_admin = data['is_admin']
+                    return make_response(jsonify( { 'status': 'error', 'msg': 'You cannot change you own roles.' } ), 400)
+
+                user = User.query.filter(User.username==username).first()
+                if not user:
+                    return make_response(jsonify( { 'status': 'error', 'msg': 'User does not exist.' } ), 404)
+
+                if user.role.name == 'Administrator' and current_user.role.name != 'Administrator':
+                    return make_response(jsonify( { 'status': 'error', 'msg': 'You do not have permission to change Administrator users role.' } ), 400)
+
+                if role_name == 'Administrator' and current_user.role.name != 'Administrator':
+                    return make_response(jsonify( { 'status': 'error', 'msg': 'You do not have permission to promote a user to Administrator role.' } ), 400)
+
                 user = User(username=username)
-                result = user.set_admin(is_admin)
-                if result:
-                    history = History(msg='Change user role of {0}'.format(username), created_by=current_user.username)
+                result = user.set_role(role_name)
+                if result['status']:
+                    history = History(msg='Change user role of {0} to {1}'.format(username, role_name), created_by=current_user.username)
                     history.add()
                     return make_response(jsonify( { 'status': 'ok', 'msg': 'Changed user role successfully.' } ), 200)
                 else:
-                    return make_response(jsonify( { 'status': 'error', 'msg': 'Cannot change user role.' } ), 500)
+                    return make_response(jsonify( { 'status': 'error', 'msg': 'Cannot change user role. {0}'.format(result['msg']) } ), 500)
             else:
                 return make_response(jsonify( { 'status': 'error', 'msg': 'Action not supported.' } ), 400)
         except:
@@ -1220,7 +1233,7 @@ def admin_manageuser():
 @app.route('/admin/account/edit/<account_name>', methods=['GET', 'POST'])
 @app.route('/admin/account/edit', methods=['GET', 'POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def admin_editaccount(account_name=None):
     users = User.query.all()
 
@@ -1274,7 +1287,7 @@ def admin_editaccount(account_name=None):
 
 @app.route('/admin/manageaccount', methods=['GET', 'POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def admin_manageaccount():
     if request.method == 'GET':
         accounts = Account.query.order_by(Account.name).all()
@@ -1308,7 +1321,7 @@ def admin_manageaccount():
 
 @app.route('/admin/history', methods=['GET', 'POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def admin_history():
     if request.method == 'POST':
         h = History()
@@ -1328,7 +1341,7 @@ def admin_history():
 
 @app.route('/admin/setting/basic', methods=['GET'])
 @login_required
-@admin_role_required
+@operator_role_required
 def admin_setting_basic():
     if request.method == 'GET':
         settings = Setting.query.filter(Setting.view=='basic').all()
@@ -1337,7 +1350,7 @@ def admin_setting_basic():
 
 @app.route('/admin/setting/basic/<path:setting>/edit', methods=['POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def admin_setting_basic_edit(setting):
     jdata = request.json
     new_value = jdata['value']
@@ -1351,7 +1364,7 @@ def admin_setting_basic_edit(setting):
 
 @app.route('/admin/setting/basic/<path:setting>/toggle', methods=['POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def admin_setting_basic_toggle(setting):
     result = Setting().toggle(setting)
     if (result):
@@ -1383,7 +1396,7 @@ def admin_setting_pdns():
 
 @app.route('/admin/setting/dns-records', methods=['GET', 'POST'])
 @login_required
-@admin_role_required
+@operator_role_required
 def admin_setting_records():
     if request.method == 'GET':
         f_records = literal_eval(Setting().get('forward_records_allow_edit'))
@@ -1438,6 +1451,7 @@ def admin_setting_authentication():
                 Setting().set('ldap_filter_username', request.form.get('ldap_filter_username'))
                 Setting().set('ldap_sg_enabled', True if request.form.get('ldap_sg_enabled')=='ON' else False)
                 Setting().set('ldap_admin_group', request.form.get('ldap_admin_group'))
+                Setting().set('ldap_operator_group', request.form.get('ldap_operator_group'))
                 Setting().set('ldap_user_group', request.form.get('ldap_user_group'))
                 result = {'status': True, 'msg': 'Saved successfully'}
         elif conf_type == 'google':
diff --git a/migrations/versions/4a666113c7bb_add_operator_role.py b/migrations/versions/4a666113c7bb_add_operator_role.py
new file mode 100644
index 0000000..43f91ba
--- /dev/null
+++ b/migrations/versions/4a666113c7bb_add_operator_role.py
@@ -0,0 +1,58 @@
+"""Adding Operator Role
+
+Revision ID: 4a666113c7bb
+Revises: 1274ed462010
+Create Date: 2018-08-30 13:28:06.836208
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '4a666113c7bb'
+down_revision = '1274ed462010'
+branch_labels = None
+depends_on = None
+
+
+def update_data():
+    setting_table = sa.sql.table('setting',
+        sa.sql.column('id', sa.Integer),
+        sa.sql.column('name', sa.String),
+        sa.sql.column('value', sa.String),
+        sa.sql.column('view', sa.String)
+    )
+
+    # add ldap_operator_group setting
+    op.bulk_insert(setting_table,
+        [
+            {'id': 44, 'name': 'ldap_operator_group', 'value': '', 'view': 'authentication'},
+        ]
+    )
+
+    role_table = sa.sql.table('role',
+        sa.sql.column('id', sa.Integer),
+        sa.sql.column('name', sa.String),
+        sa.sql.column('description', sa.String)
+    )
+
+    # add new role
+    op.bulk_insert(role_table,
+        [
+            {'id': 3, 'name': 'Operator', 'description': 'Operator'}
+        ]
+    )
+
+
+def upgrade():
+    update_data()
+
+
+def downgrade():
+    # remove user Operator role
+    op.execute("UPDATE user SET role_id = 2 WHERE role_id=3")
+    op.execute("DELETE FROM role WHERE name = 'Operator'")
+
+    # delete ldap setting
+    op.execute("DELETE FROM setting WHERE name = 'ldap_operator_group'")
\ No newline at end of file

From e6f82160c147bd46e3eb702c11befdb2d22ab1d8 Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Fri, 31 Aug 2018 18:00:41 +0700
Subject: [PATCH 02/13] Fix python code as suggestion from LGTM

---
 app/__init__.py   |   2 +-
 app/decorators.py |   5 +-
 app/lib/log.py    |   1 -
 app/lib/utils.py  |   7 +--
 app/models.py     | 115 +++++++++++++++++++++++-----------------------
 app/oauth.py      |   7 ++-
 app/views.py      |  47 ++++++++-----------
 init_data.py      |   4 +-
 run.py            |   6 +--
 update_zones.py   |   2 -
 10 files changed, 87 insertions(+), 109 deletions(-)

diff --git a/app/__init__.py b/app/__init__.py
index b2425ce..00c510c 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -29,7 +29,7 @@ login_manager = LoginManager()
 login_manager.init_app(app)
 db = SQLAlchemy(app)            # database
 migrate = Migrate(app, db)      # flask-migrate
-oauth = OAuth(app)              # oauth
+oauth_client = OAuth(app)       # oauth
 
 if app.config.get('SAML_ENABLED') and app.config.get('SAML_ENCRYPT'):
     from app.lib import certutil
diff --git a/app/decorators.py b/app/decorators.py
index c563e00..f0e990c 100644
--- a/app/decorators.py
+++ b/app/decorators.py
@@ -1,8 +1,7 @@
 from functools import wraps
-from flask import g, request, redirect, url_for
+from flask import g, redirect, url_for
 
-from app import app
-from app.models import Role, Setting
+from app.models import Setting
 
 
 def admin_role_required(f):
diff --git a/app/lib/log.py b/app/lib/log.py
index 87a186f..ea329ea 100644
--- a/app/lib/log.py
+++ b/app/lib/log.py
@@ -1,4 +1,3 @@
-import os
 import logging
 
 class logger(object):
diff --git a/app/lib/utils.py b/app/lib/utils.py
index 5899acd..9e9b3be 100644
--- a/app/lib/utils.py
+++ b/app/lib/utils.py
@@ -1,5 +1,4 @@
 import re
-import sys
 import json
 import requests
 import hashlib
@@ -10,12 +9,10 @@ from urllib.parse import urlparse
 from datetime import datetime, timedelta
 from threading import Thread
 
-from .certutil import *
+from .certutil import KEY_FILE, CERT_FILE
 
 if app.config['SAML_ENABLED']:
     from onelogin.saml2.auth import OneLogin_Saml2_Auth
-    from onelogin.saml2.utils import OneLogin_Saml2_Utils
-    from onelogin.saml2.settings import OneLogin_Saml2_Settings
     from onelogin.saml2.idp_metadata_parser import OneLogin_Saml2_IdPMetadataParser
     idp_timestamp = datetime(1970, 1, 1)
     idp_data = None
@@ -227,7 +224,7 @@ def prepare_flask_request(request):
 
 def init_saml_auth(req):
     own_url = ''
-    if req['https'] is 'on':
+    if req['https'] == 'on':
         own_url = 'https://'
     else:
         own_url = 'http://'
diff --git a/app/models.py b/app/models.py
index 2117ea1..bef9fc9 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1,7 +1,6 @@
 import os
 import ldap
 import ldap.filter
-import time
 import base64
 import bcrypt
 import itertools
@@ -11,7 +10,6 @@ import re
 import dns.reversename
 import dns.inet
 import dns.name
-import sys
 import logging as logger
 
 from ast import literal_eval
@@ -434,9 +432,9 @@ class User(db.Model):
             User.query.filter(User.username == self.username).delete()
             db.session.commit()
             return True
-        except:
+        except Exception as e:
             db.session.rollback()
-            logging.error('Cannot delete user {0} from DB'.format(self.username))
+            logging.error('Cannot delete user {0} from DB. DETAIL: {1}'.format(self.username, e))
             return False
 
     def revoke_privilege(self):
@@ -451,9 +449,9 @@ class User(db.Model):
                 DomainUser.query.filter(DomainUser.user_id == user_id).delete()
                 db.session.commit()
                 return True
-            except:
+            except Exception as e:
                 db.session.rollback()
-                logging.error('Cannot revoke user {0} privielges'.format(self.username))
+                logging.error('Cannot revoke user {0} privielges. DETAIL: {1}'.format(self.username, e))
                 return False
         return False
 
@@ -571,9 +569,9 @@ class Account(db.Model):
             db.session.commit()
             return True
 
-        except:
+        except Exception as e:
             db.session.rollback()
-            logging.error('Cannot delete account {0} from DB'.format(self.username))
+            logging.error('Cannot delete account {0} from DB. DETAIL: {1}'.format(self.username, e))
             return False
 
     def get_user(self):
@@ -602,18 +600,18 @@ class Account(db.Model):
             for uid in removed_ids:
                 AccountUser.query.filter(AccountUser.user_id == uid).filter(AccountUser.account_id==account_id).delete()
                 db.session.commit()
-        except:
+        except Exception as e:
             db.session.rollback()
-            logging.error('Cannot revoke user privielges on account {0}'.format(self.name))
+            logging.error('Cannot revoke user privielges on account {0}. DETAIL: {1}'.format(self.name, e))
 
         try:
             for uid in added_ids:
                 au = AccountUser(account_id, uid)
                 db.session.add(au)
                 db.session.commit()
-        except:
+        except Exception as e:
             db.session.rollback()
-            logging.error('Cannot grant user privileges to account {0}'.format(self.name))
+            logging.error('Cannot grant user privileges to account {0}. DETAIL: {1}'.format(self.name, e))
 
     def revoke_privileges_by_id(self, user_id):
         """
@@ -634,9 +632,9 @@ class Account(db.Model):
             db.session.add(au)
             db.session.commit()
             return True
-        except:
+        except Exception as e:
             db.session.rollback()
-            logging.error('Cannot add user privielges on account {0}'.format(self.name))
+            logging.error('Cannot add user privielges on account {0}. DETAIL: {1}'.format(self.name, e))
             return False
 
     def remove_user(self, user):
@@ -647,9 +645,9 @@ class Account(db.Model):
             AccountUser.query.filter(AccountUser.user_id == user.id).filter(AccountUser.account_id == self.id).delete()
             db.session.commit()
             return True
-        except:
+        except Exception as e:
             db.session.rollback()
-            logging.error('Cannot revoke user privielges on account {0}'.format(self.name))
+            logging.error('Cannot revoke user privielges on account {0}. DETAIL: {1}'.format(self.name, e))
             return False
 
 
@@ -698,8 +696,8 @@ class DomainSetting(db.Model):
             self.value = value
             db.session.commit()
             return True
-        except:
-            logging.error('Unable to set DomainSetting value')
+        except Exception as e:
+            logging.error('Unable to set DomainSetting value. DETAIL: {0}'.format(e))
             logging.debug(traceback.format_exc())
             db.session.rollback()
             return False
@@ -775,7 +773,8 @@ class Domain(db.Model):
         try:
             domain = Domain.query.filter(Domain.name==name).first()
             return domain.id
-        except:
+        except Exception as e:
+            logging.error('Domain does not exist. ERROR: {1}'.format(e))
             return None
 
     def update(self):
@@ -809,8 +808,8 @@ class Domain(db.Model):
                     # then remove domain
                     Domain.query.filter(Domain.name == d).delete()
                     db.session.commit()
-            except:
-                logging.error('Can not delete domain from DB')
+            except Exception as e:
+                logging.error('Can not delete domain from DB. DETAIL: {0}'.format(e))
                 logging.debug(traceback.format_exc())
                 db.session.rollback()
 
@@ -902,7 +901,7 @@ class Domain(db.Model):
                 return {'status': 'ok', 'msg': 'Added domain successfully'}
         except Exception as e:
             logging.error('Cannot add domain {0}'.format(domain_name))
-            logging.debug(traceback.print_exc())
+            logging.debug(traceback.format_exc())
             return {'status': 'error', 'msg': 'Cannot add this domain.'}
 
     def update_soa_setting(self, domain_name, soa_edit_api):
@@ -1000,12 +999,12 @@ class Domain(db.Model):
         headers = {}
         headers['X-API-Key'] = self.PDNS_API_KEY
         try:
-            jdata = utils.fetch_json(urljoin(self.PDNS_STATS_URL, self.API_EXTENDED_URL + '/servers/localhost/zones/{0}'.format(domain_name)), headers=headers, method='DELETE')
+            utils.fetch_json(urljoin(self.PDNS_STATS_URL, self.API_EXTENDED_URL + '/servers/localhost/zones/{0}'.format(domain_name)), headers=headers, method='DELETE')
             logging.info('Delete domain {0} successfully'.format(domain_name))
             return {'status': 'ok', 'msg': 'Delete domain successfully'}
         except Exception as e:
             logging.error('Cannot delete domain {0}'.format(domain_name))
-            logging.debug(traceback.print_exc())
+            logging.debug(traceback.format_exc())
             return {'status': 'error', 'msg': 'Cannot delete domain'}
 
     def get_user(self):
@@ -1035,18 +1034,18 @@ class Domain(db.Model):
             for uid in removed_ids:
                 DomainUser.query.filter(DomainUser.user_id == uid).filter(DomainUser.domain_id==domain_id).delete()
                 db.session.commit()
-        except:
+        except Exception as e:
             db.session.rollback()
-            logging.error('Cannot revoke user privielges on domain {0}'.format(self.name))
+            logging.error('Cannot revoke user privielges on domain {0}. DETAIL: {1}'.format(self.name, e))
 
         try:
             for uid in added_ids:
                 du = DomainUser(domain_id, uid)
                 db.session.add(du)
                 db.session.commit()
-        except:
+        except Exception as e:
             db.session.rollback()
-            logging.error('Cannot grant user privielges to domain {0}'.format(self.name))
+            logging.error('Cannot grant user privielges to domain {0}. DETAIL: {1}'.format(self.name, e))
 
     def update_from_master(self, domain_name):
         """
@@ -1057,9 +1056,10 @@ class Domain(db.Model):
             headers = {}
             headers['X-API-Key'] = self.PDNS_API_KEY
             try:
-                jdata = utils.fetch_json(urljoin(self.PDNS_STATS_URL, self.API_EXTENDED_URL + '/servers/localhost/zones/{0}/axfr-retrieve'.format(domain.name)), headers=headers, method='PUT')
+                utils.fetch_json(urljoin(self.PDNS_STATS_URL, self.API_EXTENDED_URL + '/servers/localhost/zones/{0}/axfr-retrieve'.format(domain.name)), headers=headers, method='PUT')
                 return {'status': 'ok', 'msg': 'Update from Master successfully'}
-            except:
+            except Exception as e:
+                logging.error('Cannot update from master. DETAIL: {0}'.format(e))
                 return {'status': 'error', 'msg': 'There was something wrong, please contact administrator'}
         else:
             return {'status': 'error', 'msg': 'This domain doesnot exist'}
@@ -1078,7 +1078,8 @@ class Domain(db.Model):
                     return {'status': 'error', 'msg': 'DNSSEC is not enabled for this domain'}
                 else:
                     return {'status': 'ok', 'dnssec': jdata}
-            except:
+            except Exception as e:
+                logging.error('Cannot get domain dnssec. DETAIL: {0}'.format(e))
                 return {'status': 'error', 'msg': 'There was something wrong, please contact administrator'}
         else:
             return {'status': 'error', 'msg': 'This domain doesnot exist'}
@@ -1111,8 +1112,9 @@ class Domain(db.Model):
 
                 return {'status': 'ok'}
 
-            except:
-                logging.error(traceback.print_exc())
+            except Exception as e:
+                logging.error('Cannot enable dns sec. DETAIL: {}'.format(e))
+                logging.debug(traceback.format_exc())
                 return {'status': 'error', 'msg': 'There was something wrong, please contact administrator'}
 
         else:
@@ -1142,8 +1144,9 @@ class Domain(db.Model):
 
                 return {'status': 'ok'}
 
-            except:
-                logging.error(traceback.print_exc())
+            except Exception as e:
+                logging.error('Cannot delete dnssec key. DETAIL: {0}'.format(e))
+                logging.debug(traceback.format_exc())
                 return {'status': 'error', 'msg': 'There was something wrong, please contact administrator','domain': domain.name, 'id': key_id}
 
         else:
@@ -1181,10 +1184,9 @@ class Domain(db.Model):
             if 'error' in jdata.keys():
                 logging.error(jdata['error'])
                 return {'status': 'error', 'msg': jdata['error']}
-
             else:
                 self.update()
-                logging.info('account changed for domain {0} successfully'.format(domain_name))
+                logging.info('Account changed for domain {0} successfully'.format(domain_name))
                 return {'status': 'ok', 'msg': 'account changed successfully'}
 
         except Exception as e:
@@ -1193,8 +1195,6 @@ class Domain(db.Model):
             logging.error('Cannot change account for domain {0}'.format(domain_name))
             return {'status': 'error', 'msg': 'Cannot change account for this domain.'}
 
-        return {'status': True, 'msg': 'Domain association successful'}
-
     def get_account(self):
         """
         Get current account associated with this domain
@@ -1264,8 +1264,8 @@ class Record(object):
         headers['X-API-Key'] = self.PDNS_API_KEY
         try:
             jdata = utils.fetch_json(urljoin(self.PDNS_STATS_URL, self.API_EXTENDED_URL + '/servers/localhost/zones/{0}'.format(domain)), headers=headers)
-        except:
-            logging.error("Cannot fetch domain's record data from remote powerdns api")
+        except Exception as e:
+            logging.error("Cannot fetch domain's record data from remote powerdns api. DETAIL: {0}".format(e))
             return False
 
         if self.NEW_SCHEMA:
@@ -1562,7 +1562,6 @@ class Record(object):
                         self.add(domain_reverse_name)
                 for r in deleted_records:
                     if r['type'] in ['A', 'AAAA']:
-                        r_name = r['name'] + '.'
                         r_content = r['content']
                         reverse_host_address = dns.reversename.from_address(r_content).to_text()
                         domain_reverse_name = d.get_reverse_domain_name(reverse_host_address)
@@ -1595,8 +1594,8 @@ class Record(object):
             jdata = utils.fetch_json(urljoin(self.PDNS_STATS_URL, self.API_EXTENDED_URL + '/servers/localhost/zones/{0}'.format(domain)), headers=headers, method='PATCH', data=data)
             logging.debug(jdata)
             return {'status': 'ok', 'msg': 'Record was removed successfully'}
-        except:
-            logging.error("Cannot remove record {0}/{1}/{2} from domain {3}".format(self.name, self.type, self.data, domain))
+        except Exception as e:
+            logging.error("Cannot remove record {0}/{1}/{2} from domain {3}. DETAIL: {4}".format(self.name, self.type, self.data, domain, e))
             return {'status': 'error', 'msg': 'There was something wrong, please contact administrator'}
 
     def is_allowed_edit(self):
@@ -1672,7 +1671,7 @@ class Record(object):
                     ]
                 }
         try:
-            jdata = utils.fetch_json(urljoin(self.PDNS_STATS_URL, self.API_EXTENDED_URL + '/servers/localhost/zones/{0}'.format(domain)), headers=headers, method='PATCH', data=data)
+            utils.fetch_json(urljoin(self.PDNS_STATS_URL, self.API_EXTENDED_URL + '/servers/localhost/zones/{0}'.format(domain)), headers=headers, method='PATCH', data=data)
             logging.debug("dyndns data: {0}".format(data))
             return {'status': 'ok', 'msg': 'Record was updated successfully'}
         except Exception as e:
@@ -1719,8 +1718,8 @@ class Server(object):
         try:
             jdata = utils.fetch_json(urljoin(self.PDNS_STATS_URL, self.API_EXTENDED_URL + '/servers/{0}/config'.format(self.server_id)), headers=headers, method='GET')
             return jdata
-        except:
-            logging.error("Can not get server configuration.")
+        except Exception as e:
+            logging.error("Can not get server configuration. DETAIL: {0}".format(e))
             logging.debug(traceback.format_exc())
             return []
 
@@ -1734,8 +1733,8 @@ class Server(object):
         try:
             jdata = utils.fetch_json(urljoin(self.PDNS_STATS_URL, self.API_EXTENDED_URL + '/servers/{0}/statistics'.format(self.server_id)), headers=headers, method='GET')
             return jdata
-        except:
-            logging.error("Can not get server statistics.")
+        except Exception as e:
+            logging.error("Can not get server statistics. DETAIL: {0}".format(e))
             logging.debug(traceback.format_exc())
             return []
 
@@ -1773,13 +1772,13 @@ class History(db.Model):
         Remove all history from DB
         """
         try:
-            num_rows_deleted = db.session.query(History).delete()
+            db.session.query(History).delete()
             db.session.commit()
             logging.info("Removed all history")
             return True
-        except:
+        except Exception as e:
             db.session.rollback()
-            logging.error("Cannot remove history")
+            logging.error("Cannot remove history. DETAIL: {0}".format(e))
             logging.debug(traceback.format_exc())
             return False
 
@@ -1863,8 +1862,8 @@ class Setting(db.Model):
                 maintenance.value = mode
                 db.session.commit()
             return True
-        except:
-            logging.error('Cannot set maintenance to {0}'.format(mode))
+        except Exception as e:
+            logging.error('Cannot set maintenance to {0}. DETAIL: {1}'.format(mode, e))
             logging.debug(traceback.format_exec())
             db.session.rollback()
             return False
@@ -1884,8 +1883,8 @@ class Setting(db.Model):
                 current_setting.value = "True"
             db.session.commit()
             return True
-        except:
-            logging.error('Cannot toggle setting {0}'.format(setting))
+        except Exception as e:
+            logging.error('Cannot toggle setting {0}. DETAIL: {1}'.format(setting, e))
             logging.debug(traceback.format_exec())
             db.session.rollback()
             return False
@@ -1903,8 +1902,8 @@ class Setting(db.Model):
             current_setting.value = value
             db.session.commit()
             return True
-        except:
-            logging.error('Cannot edit setting {0}'.format(setting))
+        except Exception as e:
+            logging.error('Cannot edit setting {0}. DETAIL: {1}'.format(setting, e))
             logging.debug(traceback.format_exec())
             db.session.rollback()
             return False
diff --git a/app/oauth.py b/app/oauth.py
index 17f30a0..17fd045 100644
--- a/app/oauth.py
+++ b/app/oauth.py
@@ -1,8 +1,7 @@
 from ast import literal_eval
 from flask import request, session, redirect, url_for
-from flask_oauthlib.client import OAuth
 
-from app import app, oauth
+from app import app, oauth_client
 from app.models import Setting
 
 # TODO: 
@@ -13,7 +12,7 @@ def github_oauth():
     if not Setting().get('github_oauth_enabled'):
         return None
 
-    github = oauth.remote_app(
+    github = oauth_client.remote_app(
         'github',
         consumer_key = Setting().get('github_oauth_key'),
         consumer_secret = Setting().get('github_oauth_secret'),
@@ -48,7 +47,7 @@ def google_oauth():
     if not Setting().get('google_oauth_enabled'):
         return None
 
-    google = oauth.remote_app(
+    google = oauth_client.remote_app(
         'google',
         consumer_key=Setting().get('google_oauth_client_id'),
         consumer_secret=Setting().get('google_oauth_client_secret'),
diff --git a/app/views.py b/app/views.py
index 8fbe130..c109199 100644
--- a/app/views.py
+++ b/app/views.py
@@ -1,5 +1,4 @@
 import base64
-import json
 import logging as logger
 import os
 import traceback
@@ -10,13 +9,11 @@ from functools import wraps
 from io import BytesIO
 from ast import literal_eval
 
-import jinja2
 import qrcode as qrc
 import qrcode.image.svg as qrc_svg
 from flask import g, request, make_response, jsonify, render_template, session, redirect, url_for, send_from_directory, abort, flash
 from flask_login import login_user, logout_user, current_user, login_required
 from werkzeug import secure_filename
-from werkzeug.security import gen_salt
 
 from .models import User, Account, Domain, Record, Role, Server, History, Anonymous, Setting, DomainSetting, DomainTemplate, DomainTemplateRecord
 from app import app, login_manager
@@ -25,7 +22,6 @@ from app.oauth import github_oauth, google_oauth
 from app.decorators import admin_role_required, operator_role_required, can_access_domain, can_configure_dnssec
 
 if app.config['SAML_ENABLED']:
-    from onelogin.saml2.auth import OneLogin_Saml2_Auth
     from onelogin.saml2.utils import OneLogin_Saml2_Utils
 
 google = None
@@ -284,7 +280,6 @@ def saml_authorized():
 @app.route('/login', methods=['GET', 'POST'])
 @login_manager.unauthorized_handler
 def login():
-    LOGIN_TITLE = app.config['LOGIN_TITLE'] if 'LOGIN_TITLE' in app.config.keys() else ''
     SAML_ENABLED = app.config.get('SAML_ENABLED')
 
     if g.user is not None and current_user.is_authenticated:
@@ -454,7 +449,7 @@ def dashboard():
     BG_DOMAIN_UPDATE = Setting().get('bg_domain_updates')
     if not BG_DOMAIN_UPDATE:
         logging.debug('Update domains in foreground')
-        d = Domain().update()
+        Domain().update()
     else:
         logging.debug('Update domains in background')
 
@@ -580,7 +575,7 @@ def domain(domain_name):
 
     if StrictVersion(Setting().get('pdns_version')) >= StrictVersion('4.0.0'):
         for jr in jrecords:
-            if jr['type'] in Setting().get_records_allow_to_edit():
+            if jr['type'] in records_allow_to_edit:
                 for subrecord in jr['records']:
                     record = Record(name=jr['name'], type=jr['type'], status='Disabled' if subrecord['disabled'] else 'Active', ttl=jr['ttl'], data=subrecord['content'])
                     records.append(record)
@@ -591,7 +586,7 @@ def domain(domain_name):
         return render_template('domain.html', domain=domain, records=records, editable_records=editable_records, quick_edit=quick_edit)
     else:
         for jr in jrecords:
-            if jr['type'] in Setting().get_records_allow_to_edit():
+            if jr['type'] in records_allow_to_edit:
                 record = Record(name=jr['name'], type=jr['type'], status='Disabled' if jr['disabled'] else 'Active', ttl=jr['ttl'], data=jr['content'])
                 records.append(record)
     if not re.search('ip6\.arpa|in-addr\.arpa$', domain_name):
@@ -651,7 +646,7 @@ def domain_add():
             else:
                 return render_template('errors/400.html', msg=result['msg']), 400
         except:
-            logging.error(traceback.print_exc())
+            logging.error(traceback.format_exc())
             return redirect(url_for('error', code=500))
 
     else:
@@ -697,10 +692,6 @@ def domain_management(domain_name):
         # username in right column
         new_user_list = request.form.getlist('domain_multi_user[]')
 
-        # get list of user ids to compare
-        d = Domain(name=domain_name)
-        domain_user_ids = d.get_user()
-
         # grant/revoke user privielges
         d.grant_privielges(new_user_list)
 
@@ -718,7 +709,7 @@ def domain_change_soa_edit_api(domain_name):
     if not domain:
         return redirect(url_for('error', code=404))
     new_setting = request.form.get('soa_edit_api')
-    if new_setting == None:
+    if new_setting is None:
         return redirect(url_for('error', code=500))
     if new_setting == '0':
         return redirect(url_for('domain_management', domain_name=domain_name))
@@ -787,7 +778,7 @@ def record_apply(domain_name):
         else:
             return make_response(jsonify( result ), 400)
     except:
-        logging.error(traceback.print_exc())
+        logging.error(traceback.format_exc())
         return make_response(jsonify( {'status': 'error', 'msg': 'Error when applying new changes'} ), 500)
 
 
@@ -810,7 +801,7 @@ def record_update(domain_name):
         else:
             return make_response(jsonify( {'status': 'error', 'msg': result['msg']} ), 500)
     except:
-        logging.error(traceback.print_exc())
+        logging.error(traceback.format_exc())
         return make_response(jsonify( {'status': 'error', 'msg': 'Error when applying new changes'} ), 500)
 
 
@@ -824,7 +815,7 @@ def record_delete(domain_name, record_name, record_type):
         if result['status'] == 'error':
             print(result['msg'])
     except:
-        logging.error(traceback.print_exc())
+        logging.error(traceback.format_exc())
         return redirect(url_for('error', code=500)), 500
     return redirect(url_for('domain', domain_name=domain_name))
 
@@ -866,7 +857,7 @@ def domain_dnssec_disable(domain_name):
     dnssec = domain.get_domain_dnssec(domain_name)
 
     for key in dnssec['dnssec']:
-        response = domain.delete_dnssec_key(domain_name,key['id']);
+        domain.delete_dnssec_key(domain_name,key['id']);
 
     return make_response(jsonify( { 'status': 'ok', 'msg': 'DNSSEC removed.' } ))
 
@@ -907,7 +898,7 @@ def admin_setdomainsetting(domain_name):
             else:
                 return make_response(jsonify( { 'status': 'error', 'msg': 'Action not supported.' } ), 400)
         except:
-            logging.error(traceback.print_exc())
+            logging.error(traceback.format_exc())
             return make_response(jsonify( { 'status': 'error', 'msg': 'There is something wrong, please contact Administrator.' } ), 400)
 
 
@@ -938,6 +929,7 @@ def create_template():
             if DomainTemplate.query.filter(DomainTemplate.name == name).first():
                 flash("A template with the name {0} already exists!".format(name), 'error')
                 return redirect(url_for('create_template'))
+
             t = DomainTemplate(name=name, description=description)
             result = t.create()
             if result['status'] == 'ok':
@@ -948,9 +940,8 @@ def create_template():
                 flash(result['msg'], 'error')
                 return redirect(url_for('create_template'))
         except:
-            logging.error(traceback.print_exc())
+            logging.error(traceback.format_exc())
             return redirect(url_for('error', code=500))
-        return redirect(url_for('templates'))
 
 
 @app.route('/template/createfromzone', methods=['POST'])
@@ -1003,13 +994,13 @@ def create_template_from_zone():
             if result_records['status'] == 'ok':
                     return make_response(jsonify({'status': 'ok', 'msg': result['msg']}), 200)
             else:
-                result = t.delete_template()
+                t.delete_template()
                 return make_response(jsonify({'status': 'error', 'msg': result_records['msg']}), 500)
 
         else:
             return make_response(jsonify({'status': 'error', 'msg': result['msg']}), 500)
     except:
-        logging.error(traceback.print_exc())
+        logging.error(traceback.format_exc())
         return make_response(jsonify({'status': 'error', 'msg': 'Error when applying new changes'}), 500)
 
 
@@ -1029,7 +1020,7 @@ def edit_template(template):
 
             return render_template('template_edit.html', template=t.name, records=records, editable_records=records_allow_to_edit)
     except:
-        logging.error(traceback.print_exc())
+        logging.error(traceback.format_exc())
         return redirect(url_for('error', code=500))
     return redirect(url_for('templates'))
 
@@ -1060,7 +1051,7 @@ def apply_records(template):
         else:
             return make_response(jsonify(result), 400)
     except:
-        logging.error(traceback.print_exc())
+        logging.error(traceback.format_exc())
         return make_response(jsonify({'status': 'error', 'msg': 'Error when applying new changes'}), 500)
 
 
@@ -1080,7 +1071,7 @@ def delete_template(template):
                 flash(result['msg'], 'error')
                 return redirect(url_for('templates'))
     except:
-        logging.error(traceback.print_exc())
+        logging.error(traceback.format_exc())
         return redirect(url_for('error', code=500))
     return redirect(url_for('templates'))
 
@@ -1226,7 +1217,7 @@ def admin_manageuser():
             else:
                 return make_response(jsonify( { 'status': 'error', 'msg': 'Action not supported.' } ), 400)
         except:
-            logging.error(traceback.print_exc())
+            logging.error(traceback.format_exc())
             return make_response(jsonify( { 'status': 'error', 'msg': 'There is something wrong, please contact Administrator.' } ), 400)
 
 
@@ -1315,7 +1306,7 @@ def admin_manageaccount():
             else:
                 return make_response(jsonify( { 'status': 'error', 'msg': 'Action not supported.' } ), 400)
         except:
-            logging.error(traceback.print_exc())
+            logging.error(traceback.format_exc())
             return make_response(jsonify( { 'status': 'error', 'msg': 'There is something wrong, please contact Administrator.' } ), 400)
 
 
diff --git a/init_data.py b/init_data.py
index f0573f7..2e2ca11 100755
--- a/init_data.py
+++ b/init_data.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 
-from app import app, db
-from app.models import Role, Setting, DomainTemplate
+from app import db
+from app.models import Role, DomainTemplate
 
 admin_role = Role(name='Administrator', description='Administrator')
 user_role = Role(name='User', description='User')
diff --git a/run.py b/run.py
index 931faf6..fc7d651 100755
--- a/run.py
+++ b/run.py
@@ -1,11 +1,7 @@
 #!/usr/bin/env python3
 from app import app
 from config import PORT
-
-try:
-	from config import BIND_ADDRESS
-except:
-	BIND_ADDRESS = '127.0.0.1'
+from config import BIND_ADDRESS
 
 if __name__ == '__main__':
     app.run(debug = True, host=BIND_ADDRESS, port=PORT)
diff --git a/update_zones.py b/update_zones.py
index 599f0c4..270bf43 100644
--- a/update_zones.py
+++ b/update_zones.py
@@ -10,8 +10,6 @@
 ##############################################################
 
 ### Imports
-from app import app
-from app.lib import log
 from app.models import Domain
 from config import BG_DOMAIN_UPDATES
 

From 43830e5e63a540b866637df2a716f823917aad8c Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Fri, 31 Aug 2018 21:57:52 +0700
Subject: [PATCH 03/13] Fix js code as suggestion from LGTM

---
 app/static/custom/js/custom.js  | 16 +++------
 app/templates/template.html     | 60 ++++++++++++++++-----------------
 app/templates/user_profile.html |  3 +-
 3 files changed, 35 insertions(+), 44 deletions(-)

diff --git a/app/static/custom/js/custom.js b/app/static/custom/js/custom.js
index e079130..d9e33f7 100644
--- a/app/static/custom/js/custom.js
+++ b/app/static/custom/js/custom.js
@@ -1,7 +1,6 @@
 var dnssecKeyList = []
 
 function applyChanges(data, url, showResult, refreshPage) {
-    var success = false;
     $.ajax({
         type : "POST",
         url : url,
@@ -36,7 +35,6 @@ function applyChanges(data, url, showResult, refreshPage) {
 }
 
 function applyRecordChanges(data, domain) {
-    var success = false;
     $.ajax({
         type : "POST",
         url : $SCRIPT_ROOT + '/domain/' + domain + '/apply',
@@ -67,8 +65,6 @@ function applyRecordChanges(data, domain) {
 }
 
 function getTableData(table) {
-    var rData = []
-
     // reformat - pretty format
     var records = []
     table.rows().every(function() {
@@ -86,16 +82,14 @@ function getTableData(table) {
 
 function saveRow(oTable, nRow) {
 
+    var status = 'Disabled';
     var jqInputs = $(oTable.row(nRow).node()).find("input");
     var jqSelect = $(oTable.row(nRow).node()).find("select");
 
     if (jqSelect[1].value == 'false') {
         status = 'Active';
-    } else {
-        status = 'Disabled';
     }
 
-
     oTable.cell(nRow,0).data(jqInputs[0].value);
     oTable.cell(nRow,1).data(jqSelect[0].value);
     oTable.cell(nRow,2).data(status);
@@ -114,12 +108,12 @@ function saveRow(oTable, nRow) {
 
 function restoreRow(oTable, nRow) {
     var aData = oTable.row(nRow).data();
-    var jqTds = $('>td', nRow);
     oTable.row(nRow).data(aData);
     oTable.draw();
 }
 
 function editRow(oTable, nRow) {
+    var isDisabled = 'true';
     var aData = oTable.row(nRow).data();
     var jqTds = oTable.cells(nRow,'').nodes();
     var record_types = "";
@@ -139,9 +133,6 @@ function editRow(oTable, nRow) {
     if (aData[2] == 'Active'){
         isDisabled = 'false';
     }
-    else {
-        isDisabled = 'true';
-    }
 
     SelectElement('record_type', aData[1]);
     SelectElement('record_status', isDisabled);
@@ -172,13 +163,14 @@ function enable_dns_sec(url) {
 function getdnssec(url, domain){
 
     $.getJSON(url, function(data) {
+        var dnssec_footer = '';
         var modal = $("#modal_dnssec_info");
 
         if (data['status'] == 'error'){
             modal.find('.modal-body p').text(data['msg']);
         }
         else {
-            dnssec_msg = '';
+            var dnssec_msg = '';
             var dnssec = data['dnssec'];
 
             if (dnssec.length == 0 && parseFloat(PDNS_VERSION) >= 4.1) {
diff --git a/app/templates/template.html b/app/templates/template.html
index 4f1e1fe..1ba42ca 100644
--- a/app/templates/template.html
+++ b/app/templates/template.html
@@ -20,22 +20,22 @@
     <section class="content">
     {% with errors = get_flashed_messages(category_filter=["error"]) %} {% if errors %}
 <div class="row">
-	<div class="col-md-12">
-		<div class="alert alert-danger alert-dismissible">
-			<button type="button" class="close" data-dismiss="alert"
-				aria-hidden="true">&times;</button>
-			<h4>
-				<i class="icon fa fa-ban"></i> Error!
-			</h4>
-			<div class="alert-message block-message error">
-				<a class="close" href="#">x</a>
-				<ul>
-					{%- for msg in errors %}
-					<li>{{ msg }}</li> {% endfor -%}
-				</ul>
-			</div>
-		</div>
-	</div>
+  <div class="col-md-12">
+    <div class="alert alert-danger alert-dismissible">
+      <button type="button" class="close" data-dismiss="alert"
+        aria-hidden="true">&times;</button>
+      <h4>
+        <i class="icon fa fa-ban"></i> Error!
+      </h4>
+      <div class="alert-message block-message error">
+        <a class="close" href="#">x</a>
+        <ul>
+          {%- for msg in errors %}
+          <li>{{ msg }}</li> {% endfor -%}
+        </ul>
+      </div>
+    </div>
+  </div>
 </div>
 {% endif %} {% endwith %}
       <div class="row">
@@ -45,11 +45,11 @@
               <h3 class="box-title">Templates</h3>
             </div>
             <div class="box-body">
-            	<a href="{{ url_for('create_template') }}">
-	              <button type="button" class="btn btn-flat btn-primary pull-left">
-	                  Create Template&nbsp;<i class="fa fa-plus"></i>
-	              </button>
-              	</a>
+              <a href="{{ url_for('create_template') }}">
+                <button type="button" class="btn btn-flat btn-primary pull-left">
+                    Create Template&nbsp;<i class="fa fa-plus"></i>
+                </button>
+                </a>
             </div>
             <div class="box-body">
               <table id="tbl_template_list" class="table table-bordered table-striped">
@@ -75,15 +75,15 @@
                   </td>
                   <td>
                   <a href="{{ url_for('edit_template', template=template.name) }}">
-                    <button type="button" class="btn btn-flat btn-warning button_edit" id="">
-                                            Edit&nbsp;<i class="fa fa-edit"></i>
-                                        </button>
-                                        </a>
-                  	<a href="{{ url_for('delete_template', template=template.name) }}">
-                   		<button type="button" class="btn btn-flat btn-danger button_delete" id="">
-                    		  Delete&nbsp;<i class="fa fa-trash"></i>
-                   		</button>
-                   	</a>
+                    <button type="button" class="btn btn-flat btn-warning button_edit" id="btn_edit">
+                      Edit&nbsp;<i class="fa fa-edit"></i>
+                    </button>
+                  </a>
+                    <a href="{{ url_for('delete_template', template=template.name) }}">
+                      <button type="button" class="btn btn-flat btn-danger button_delete" id="btn_delete">
+                          Delete&nbsp;<i class="fa fa-trash"></i>
+                      </button>
+                    </a>
                   </td>
                 </tr>
                 {% endfor %}
diff --git a/app/templates/user_profile.html b/app/templates/user_profile.html
index 6b9e3ba..90e9706 100644
--- a/app/templates/user_profile.html
+++ b/app/templates/user_profile.html
@@ -161,8 +161,7 @@
     // handle checkbox toggling
     $('.otp_toggle').on('ifToggled', function(event) {
         var enable_otp = $(this).prop('checked');
-        var username = $(this).prop('id');
-        postdata = {
+        var postdata = {
             'action' : 'enable_otp',
             'data' : {
                 'enable_otp' : enable_otp

From 40cb835b0e8871beb0f95e72c14e4675a2f83db0 Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Fri, 31 Aug 2018 21:58:11 +0700
Subject: [PATCH 04/13] Add .lgtm.yml

---
 .lgtm.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 .lgtm.yml

diff --git a/.lgtm.yml b/.lgtm.yml
new file mode 100644
index 0000000..a8c5b04
--- /dev/null
+++ b/.lgtm.yml
@@ -0,0 +1,10 @@
+extraction:
+  python:
+    python_setup:
+      version: 3
+    index:
+      exclude:
+        - .git
+        - upload
+        - flask
+        - node_modules

From 38d1d85a186ff1ebe217d7ff3447f6e61a9c7d09 Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Fri, 31 Aug 2018 22:30:08 +0700
Subject: [PATCH 05/13] Fixing string format

---
 app/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/models.py b/app/models.py
index bef9fc9..816e226 100644
--- a/app/models.py
+++ b/app/models.py
@@ -774,7 +774,7 @@ class Domain(db.Model):
             domain = Domain.query.filter(Domain.name==name).first()
             return domain.id
         except Exception as e:
-            logging.error('Domain does not exist. ERROR: {1}'.format(e))
+            logging.error('Domain does not exist. ERROR: {0}'.format(e))
             return None
 
     def update(self):

From 3481af149b8a56e21bcfaec1c139f0adfaa0d89c Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Sat, 1 Sep 2018 17:53:05 +0700
Subject: [PATCH 06/13] Add option to allow user to create domain

---
 app/decorators.py                                 | 15 +++++++++++++++
 app/models.py                                     |  1 +
 app/templates/admin_setting_basic.html            |  2 +-
 app/templates/base.html                           |  4 +++-
 app/views.py                                      | 10 ++++++++--
 .../versions/4a666113c7bb_add_operator_role.py    |  8 +++++---
 6 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/app/decorators.py b/app/decorators.py
index f0e990c..a1cfacf 100644
--- a/app/decorators.py
+++ b/app/decorators.py
@@ -61,3 +61,18 @@ def can_configure_dnssec(f):
 
         return f(*args, **kwargs)
     return decorated_function
+
+
+def can_create_domain(f):
+    """
+    Grant access if:
+        - user is in Operator role or higher, or
+        - allow_user_create_domain is on
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.user.role.name not in ['Administrator', 'Operator'] and not Setting().get('allow_user_create_domain'):
+            return redirect(url_for('error', code=401))
+
+        return f(*args, **kwargs)
+    return decorated_function
diff --git a/app/models.py b/app/models.py
index 816e226..82fabf9 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1799,6 +1799,7 @@ class Setting(db.Model):
         'allow_quick_edit': True,
         'pretty_ipv6_ptr': False,
         'dnssec_admins_only': False,
+        'allow_user_create_domain': False,
         'bg_domain_updates': False,
         'site_name': 'PowerDNS-Admin',
         'pdns_api_url': '',
diff --git a/app/templates/admin_setting_basic.html b/app/templates/admin_setting_basic.html
index b289f75..d5bdb84 100644
--- a/app/templates/admin_setting_basic.html
+++ b/app/templates/admin_setting_basic.html
@@ -69,7 +69,7 @@
 <script>
     // set up history data table
     $("#tbl_settings").DataTable({
-        "paging" : true,
+        "paging" : false,
         "lengthChange" : false,
         "searching" : true,
         "ordering" : true,
diff --git a/app/templates/base.html b/app/templates/base.html
index 0b1e220..b69873c 100644
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -108,10 +108,12 @@
         <li class="{{ 'active' if active_page == 'dashboard' else '' }}">
           <a href="{{ url_for('dashboard') }}"><i class="fa fa-dashboard"></i> Dashboard</a>
         </li>
-        {% if current_user.role.name in ['Administrator', 'Operator'] %}
+        {% if SETTING.get('allow_user_create_domain') %}
         <li class="{{ 'active' if active_page == 'new_domain' else '' }}">
           <a href="{{ url_for('domain_add') }}"><i class="fa fa-plus"></i> New Domain</a>
         </li>
+        {% endif %}
+        {% if current_user.role.name in ['Administrator', 'Operator'] %}
         <li class="header">ADMINISTRATION</li>
         <li class="{{ 'active' if active_page == 'admin_console' else '' }}">
           <a href="{{ url_for('admin_pdns') }}"><i class="fa fa-info-circle"></i> PDNS</a>
diff --git a/app/views.py b/app/views.py
index c109199..691072d 100644
--- a/app/views.py
+++ b/app/views.py
@@ -19,7 +19,7 @@ from .models import User, Account, Domain, Record, Role, Server, History, Anonym
 from app import app, login_manager
 from app.lib import utils
 from app.oauth import github_oauth, google_oauth
-from app.decorators import admin_role_required, operator_role_required, can_access_domain, can_configure_dnssec
+from app.decorators import admin_role_required, operator_role_required, can_access_domain, can_configure_dnssec, can_create_domain
 
 if app.config['SAML_ENABLED']:
     from onelogin.saml2.utils import OneLogin_Saml2_Utils
@@ -598,7 +598,7 @@ def domain(domain_name):
 
 @app.route('/admin/domain/add', methods=['GET', 'POST'])
 @login_required
-@operator_role_required
+@can_create_domain
 def domain_add():
     templates = DomainTemplate.query.all()
     if request.method == 'POST':
@@ -627,6 +627,11 @@ def domain_add():
             if result['status'] == 'ok':
                 history = History(msg='Add domain {0}'.format(domain_name), detail=str({'domain_type': domain_type, 'domain_master_ips': domain_master_ips, 'account_id': account_id}), created_by=current_user.username)
                 history.add()
+
+                # grant user access to the domain
+                Domain(name=domain_name).grant_privielges([current_user.username])
+
+                # apply template if needed
                 if domain_template != '0':
                     template = DomainTemplate.query.filter(DomainTemplate.id == domain_template).first()
                     template_records = DomainTemplateRecord.query.filter(DomainTemplateRecord.template_id == domain_template).all()
@@ -693,6 +698,7 @@ def domain_management(domain_name):
         new_user_list = request.form.getlist('domain_multi_user[]')
 
         # grant/revoke user privielges
+        d = Domain(name=domain_name)
         d.grant_privielges(new_user_list)
 
         history = History(msg='Change domain {0} access control'.format(domain_name), detail=str({'user_has_access': new_user_list}), created_by=current_user.username)
diff --git a/migrations/versions/4a666113c7bb_add_operator_role.py b/migrations/versions/4a666113c7bb_add_operator_role.py
index 43f91ba..057937f 100644
--- a/migrations/versions/4a666113c7bb_add_operator_role.py
+++ b/migrations/versions/4a666113c7bb_add_operator_role.py
@@ -24,10 +24,11 @@ def update_data():
         sa.sql.column('view', sa.String)
     )
 
-    # add ldap_operator_group setting
+    # add new settings
     op.bulk_insert(setting_table,
         [
             {'id': 44, 'name': 'ldap_operator_group', 'value': '', 'view': 'authentication'},
+            {'id': 45, 'name': 'allow_user_create_domain', 'value': 'False', 'view': 'basic'},
         ]
     )
 
@@ -54,5 +55,6 @@ def downgrade():
     op.execute("UPDATE user SET role_id = 2 WHERE role_id=3")
     op.execute("DELETE FROM role WHERE name = 'Operator'")
 
-    # delete ldap setting
-    op.execute("DELETE FROM setting WHERE name = 'ldap_operator_group'")
\ No newline at end of file
+    # delete settings
+    op.execute("DELETE FROM setting WHERE name = 'ldap_operator_group'")
+    op.execute("DELETE FROM setting WHERE name = 'allow_user_create_domain'")

From 615413ae90da109309a2d94066c203eb76a5ea11 Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Sun, 2 Sep 2018 08:03:01 +0700
Subject: [PATCH 07/13] Add record_quick_edit config to DB

---
 app/models.py                                         | 2 +-
 app/views.py                                          | 2 +-
 migrations/versions/4a666113c7bb_add_operator_role.py | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/models.py b/app/models.py
index 82fabf9..505fd62 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1796,7 +1796,7 @@ class Setting(db.Model):
         'default_record_table_size': 15,
         'default_domain_table_size': 10,
         'auto_ptr': False,
-        'allow_quick_edit': True,
+        'record_quick_edit': True,
         'pretty_ipv6_ptr': False,
         'dnssec_admins_only': False,
         'allow_user_create_domain': False,
diff --git a/app/views.py b/app/views.py
index 691072d..4cdbda8 100644
--- a/app/views.py
+++ b/app/views.py
@@ -567,7 +567,7 @@ def domain(domain_name):
         # can not get any record, API server might be down
         return redirect(url_for('error', code=500))
 
-    quick_edit = Setting().get('allow_quick_edit')
+    quick_edit = Setting().get('record_quick_edit')
     records_allow_to_edit = Setting().get_records_allow_to_edit()
     forward_records_allow_to_edit = Setting().get_forward_records_allow_to_edit()
     reverse_records_allow_to_edit = Setting().get_reverse_records_allow_to_edit()
diff --git a/migrations/versions/4a666113c7bb_add_operator_role.py b/migrations/versions/4a666113c7bb_add_operator_role.py
index 057937f..b3f7522 100644
--- a/migrations/versions/4a666113c7bb_add_operator_role.py
+++ b/migrations/versions/4a666113c7bb_add_operator_role.py
@@ -29,6 +29,7 @@ def update_data():
         [
             {'id': 44, 'name': 'ldap_operator_group', 'value': '', 'view': 'authentication'},
             {'id': 45, 'name': 'allow_user_create_domain', 'value': 'False', 'view': 'basic'},
+            {'id': 46, 'name': 'record_quick_edit', 'value': 'True', 'view': 'basic'},
         ]
     )
 

From c7689e7ce7082b2bcb3d70cae316ae2966c2341d Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Sun, 2 Sep 2018 11:12:07 +0700
Subject: [PATCH 08/13] Fix domain template record modification #346

---
 app/templates/base.html          |   2 +-
 app/templates/dashboard.html     |   2 +-
 app/templates/domain.html        |   9 ++-
 app/templates/template_edit.html | 101 +++++++++++++++++++++++--------
 app/views.py                     |  12 ++--
 5 files changed, 89 insertions(+), 37 deletions(-)

diff --git a/app/templates/base.html b/app/templates/base.html
index b69873c..7999e98 100644
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -108,7 +108,7 @@
         <li class="{{ 'active' if active_page == 'dashboard' else '' }}">
           <a href="{{ url_for('dashboard') }}"><i class="fa fa-dashboard"></i> Dashboard</a>
         </li>
-        {% if SETTING.get('allow_user_create_domain') %}
+        {% if SETTING.get('allow_user_create_domain') or current_user.role.name in ['Administrator', 'Operator'] %}
         <li class="{{ 'active' if active_page == 'new_domain' else '' }}">
           <a href="{{ url_for('domain_add') }}"><i class="fa fa-plus"></i> New Domain</a>
         </li>
diff --git a/app/templates/dashboard.html b/app/templates/dashboard.html
index 871ff26..50c8e00 100644
--- a/app/templates/dashboard.html
+++ b/app/templates/dashboard.html
@@ -156,7 +156,7 @@
 {% endblock %}
 {% block extrascripts %}
 <script>
-    PDNS_VERSION = '{{ SETTING.get("pdns_version") }}'
+    PDNS_VERSION = '{{ SETTING.get("pdns_version") }}';
     // set up history data table
     $("#tbl_history").DataTable({
         "paging" : false,
diff --git a/app/templates/domain.html b/app/templates/domain.html
index ce435f2..07a6082 100644
--- a/app/templates/domain.html
+++ b/app/templates/domain.html
@@ -57,13 +57,13 @@
                                         {{ record.type }}
                                     </td>
                                     <td>
-                                         {{ record.status }}
+                                        {{ record.status }}
                                     </td>
                                     <td>
-                                         {{ record.ttl }}
+                                        {{ record.ttl }}
                                     </td>
                                     <td>
-                                         {{ record.data }}
+                                        {{ record.data }}
                                     </td>
                                 {% if domain.type != 'Slave' %}
                                     <td width="6%">
@@ -104,7 +104,6 @@
 {% endblock %}
 {% block extrascripts %}
 <script>
-    PDNS_VERSION = '{{ SETTING.get("pdns_version") }}'
     // superglobals
     window.records_allow_edit = {{ editable_records|tojson }};
     window.nEditing = null;
@@ -361,7 +360,7 @@
                 record_data.val(data);
                 modal.modal('hide');
             })
-			modal.modal('show');
+            modal.modal('show');
             } else if (record_type == "SOA") {
                 var modal = $("#modal_custom_record");
                 if (record_data.val() == "") {
diff --git a/app/templates/template_edit.html b/app/templates/template_edit.html
index 69a6c7c..c63e684 100644
--- a/app/templates/template_edit.html
+++ b/app/templates/template_edit.html
@@ -115,12 +115,23 @@
             "lengthMenu": " _MENU_ records"
         },
         "retrieve" : true,
-        "columnDefs": [{
-        	"targets": [ 7 ],
-        	"visible": false,
-        	"searchable": false
-        }]
-
+        "columnDefs": [
+            {
+                type: 'natural',
+                targets: [0, 4]
+            },
+            {
+                // hidden column so that we can add new records on top
+                // regardless of whatever sorting is done
+                visible: false,
+                targets: [ 7 ]
+            },
+            {
+                className: "length-break",
+                targets: [ 4 ]
+            }
+        ],
+        "orderFixed": [[7, 'asc']]
     });
 
     // handle delete button
@@ -132,15 +143,19 @@
         var nRow = $(this).parents('tr')[0];
         var info = "Are you sure you want to delete " + record + "?";
         modal.find('.modal-body p').text(info);
-        modal.find('#button_delete_confirm').click(function() {
-            table.row(nRow).remove().draw();
-            modal.modal('hide');
-        })
         modal.modal('show');
 
+        $("#button_delete_confirm").unbind().one('click', function(e) {
+            table.row(nRow).remove().draw();
+            modal.modal('hide');
+        });
+
+        $("#button_delete_cancel").unbind().one('click', function(e) {
+            modal.modal('hide');
+        });
     });
-    // handle edit button
-    $(document.body).on("click", ".button_edit, .row_record", function(e) {
+    // handle edit button and record click
+    $(document.body).on("click", ".button_edit{% if quick_edit %}, .row_record{% endif %}", function(e) {
          e.stopPropagation();
          if ($(this).is('tr')) {
             var nRow = $(this)[0];
@@ -176,7 +191,9 @@
         var template = $(this).prop('id');
         var info = "Are you sure you want to apply your changes?";
         modal.find('.modal-body p').text(info);
-        modal.find('#button_apply_confirm').click(function() {
+
+        // following unbind("click") is to avoid multiple times execution
+        modal.find('#button_apply_confirm').unbind("click").click(function() {
             var data = getTableData(table);
             applyChanges(data, '/template/' + template + '/apply', true);
             modal.modal('hide');
@@ -188,15 +205,19 @@
     // handle add record button
     $(document.body).on("click", ".button_add_record", function (e) {
             if (nNew || nEditing) {
-                // TODO: replace this alert with modal
-                alert("Previous record not saved. Please save it before adding more record.")
+                var modal = $("#modal_error");
+                modal.find('.modal-body p').text("Previous record not saved. Please save it before adding more record.");
+                modal.modal('show');
                 return;
             }
-            var table = $("#tbl_records").DataTable();
+            // clear search first
+            $("#tbl_records").DataTable().search('').columns().search('').draw();
 
-            var aiNew = table.row.add(['', 'A', 'Active', 3600, '', '', '', '']).draw();
-            var nRow = aiNew.index();
-            editRow(table, nRow);
+            // add new row
+            var default_type = records_allow_edit[0]
+            var nRow = jQuery('#tbl_records').dataTable().fnAddData(['', default_type, 'Active', 3600, '', '', '', '0']);
+            editRow($("#tbl_records").DataTable(), nRow);
+            document.getElementById("edit-row-focus").focus();
             nEditing = nRow;
             nNew = true;
         });
@@ -229,20 +250,50 @@
     $(document.body).on("focus", "#current_edit_record_data", function (e) {
         var record_type = $(this).parents("tr").find('#record_type').val();
         var record_data = $(this);
-        if (record_type == "MX") {
+        if (record_type == "CAA") {
+            var modal = $("#modal_custom_record");
+            if (record_data.val() == "") {
+                var form = "    <label for=\"caa_flag\">CAA Flag</label> \
+                                <input type=\"text\" class=\"form-control\" name=\"caa_flag\" id=\"caa_flag\" placeholder=\"0\"> \
+                                <label for=\"caa_tag\">CAA Tag</label> \
+                                <input type=\"text\" class=\"form-control\" name=\"caa_tag\" id=\"caa_tag\" placeholder=\"issue\"> \
+                                <label for=\"caa_value\">CAA Value</label> \
+                                <input type=\"text\" class=\"form-control\" name=\"caa_value\" id=\"caa_value\" placeholder=\"eg. letsencrypt.org\"> \
+                            ";
+            } else {
+                var parts = record_data.val().split(" ");
+                var form = "    <label for=\"caa_flag\">CAA Flag</label> \
+                                <input type=\"text\" class=\"form-control\" name=\"caa_flag\" id=\"caa_flag\" placeholder=\"0\" value=\"" + parts[0] + "\"> \
+                                <label for=\"caa_tag\">CAA Tag</label> \
+                                <input type=\"text\" class=\"form-control\" name=\"caa_tag\" id=\"caa_tag\" placeholder=\"issue\" value=\"" + parts[1] + "\"> \
+                                <label for=\"caa_value\">CAA Value</label> \
+                                <input type=\"text\" class=\"form-control\" name=\"caa_value\" id=\"caa_value\" placeholder=\"eg. letsencrypt.org\" value=\"" + parts[2] + "\"> \
+                            ";
+            }
+            modal.find('.modal-body p').html(form);
+            modal.find('#button_save').click(function() {
+                caa_flag = modal.find('#caa_flag').val();
+                caa_tag = modal.find('#caa_tag').val();
+                caa_value = modal.find('#caa_value').val();
+                data = caa_flag + " " + caa_tag + " " + '"' + caa_value + '"';
+                record_data.val(data);
+                modal.modal('hide');
+            })
+            modal.modal('show');
+        } else if (record_type == "MX") {
             var modal = $("#modal_custom_record");
             if (record_data.val() == "") {
                 var form = "    <label for=\"mx_priority\">MX Priority</label> \
-                                <input type=\"text\" class=\"form-control\" name=\"mx_priority\" id=\"mx_priority\" placeholder=\"10\"> \
+                                <input type=\"text\" class=\"form-control\" name=\"mx_priority\" id=\"mx_priority\" placeholder=\"eg. 10\"> \
                                 <label for=\"mx_server\">MX Server</label> \
-                                <input type=\"text\" class=\"form-control\" name=\"mx_server\" id=\"mx_server\" placeholder=\"postfix.example.com\"> \
+                                <input type=\"text\" class=\"form-control\" name=\"mx_server\" id=\"mx_server\" placeholder=\"eg. postfix.example.com\"> \
                             ";
             } else {
                 var parts = record_data.val().split(" ");
                 var form = "    <label for=\"mx_priority\">MX Priority</label> \
-                                <input type=\"text\" class=\"form-control\" name=\"mx_priority\" id=\"mx_priority\" placeholder=\"10\" value=\"" + parts[0] + "\"> \
+                                <input type=\"text\" class=\"form-control\" name=\"mx_priority\" id=\"mx_priority\" placeholder=\"eg. 10\" value=\"" + parts[0] + "\"> \
                                 <label for=\"mx_server\">MX Server</label> \
-                                <input type=\"text\" class=\"form-control\" name=\"mx_server\" id=\"mx_server\" placeholder=\"postfix.example.com\" value=\"" + parts[1] + "\"> \
+                                <input type=\"text\" class=\"form-control\" name=\"mx_server\" id=\"mx_server\" placeholder=\"eg. postfix.example.com\" value=\"" + parts[1] + "\"> \
                             ";
             }
             modal.find('.modal-body p').html(form);
@@ -360,7 +411,7 @@
                 <p></p>
             </div>
             <div class="modal-footer">
-                <button type="button" class="btn btn-flat btn-default pull-left"
+                <button type="button" class="btn btn-flat btn-default pull-left" id="button_delete_cancel"
                     data-dismiss="modal">Close</button>
                 <button type="button" class="btn btn-flat btn-danger" id="button_delete_confirm">Delete</button>
             </div>
diff --git a/app/views.py b/app/views.py
index 4cdbda8..9a9915e 100644
--- a/app/views.py
+++ b/app/views.py
@@ -1017,16 +1017,18 @@ def edit_template(template):
     try:
         t = DomainTemplate.query.filter(DomainTemplate.name == template).first()
         records_allow_to_edit = Setting().get_records_allow_to_edit()
+        quick_edit = Setting().get('record_quick_edit')
         if t is not None:
             records = []
             for jr in t.records:
                 if jr.type in records_allow_to_edit:
-                        record = DomainTemplateRecord(name=jr.name, type=jr.type, status='Disabled' if jr.status else 'Active', ttl=jr.ttl, data=jr.data)
-                        records.append(record)
+                    record = DomainTemplateRecord(name=jr.name, type=jr.type, status='Disabled' if jr.status else 'Active', ttl=jr.ttl, data=jr.data)
+                    records.append(record)
 
-            return render_template('template_edit.html', template=t.name, records=records, editable_records=records_allow_to_edit)
-    except:
-        logging.error(traceback.format_exc())
+            return render_template('template_edit.html', template=t.name, records=records, editable_records=records_allow_to_edit, quick_edit=quick_edit)
+    except Exception as e:
+        logging.error('Cannot open domain template page. DETAIL: {0}'.format(e))
+        logging.debug(traceback.format_exc())
         return redirect(url_for('error', code=500))
     return redirect(url_for('templates'))
 

From 26c2b5e16936967e82412c001150187cf08673f9 Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Mon, 3 Sep 2018 17:27:09 +0700
Subject: [PATCH 09/13] Adjustment in setting handler to work without initial
 DB. Discussed in #350

---
 app/lib/utils.py                              |  9 ++++++
 app/models.py                                 | 19 ++++--------
 app/templates/admin_setting_basic.html        | 21 +++++++------
 app/views.py                                  | 23 ++++++++++++--
 ...4ed462010_remove_all_settings_in_the_db.py | 30 +++++++++++++++++++
 5 files changed, 75 insertions(+), 27 deletions(-)
 create mode 100644 migrations/versions/1274ed462010_remove_all_settings_in_the_db.py

diff --git a/app/lib/utils.py b/app/lib/utils.py
index 9e9b3be..881fddc 100644
--- a/app/lib/utils.py
+++ b/app/lib/utils.py
@@ -282,3 +282,12 @@ def init_saml_auth(req):
     settings['organization']['en-US']['url'] = own_url
     auth = OneLogin_Saml2_Auth(req, settings)
     return auth
+
+
+def display_setting_state(value):
+    if value == 1:
+        return "ON"
+    elif value == 0:
+        return "OFF"
+    else:
+        return "UNKNOWN"
diff --git a/app/models.py b/app/models.py
index 505fd62..812fff4 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1786,7 +1786,6 @@ class Setting(db.Model):
     id = db.Column(db.Integer, primary_key = True)
     name = db.Column(db.String(64))
     value = db.Column(db.Text())
-    view = db.Column(db.String(64))
 
     defaults = {
         'maintenance': False,
@@ -1923,20 +1922,14 @@ class Setting(db.Model):
         return list(set(self.get_forward_records_allow_to_edit() + self.get_reverse_records_allow_to_edit()))
 
     def get_forward_records_allow_to_edit(self):
-        records = literal_eval(self.get('forward_records_allow_edit'))
-        return [r for r in records if records[r]]
+        records = self.get('forward_records_allow_edit')
+        f_records = literal_eval(records) if isinstance(records, str) else records
+        return [r for r in f_records if f_records[r]]
 
     def get_reverse_records_allow_to_edit(self):
-        records = literal_eval(self.get('reverse_records_allow_edit'))
-        return [r for r in records if records[r]]
-
-    def get_view(self, view):
-        r = {}
-        settings = Setting.query.filter(Setting.view == view).all()
-        for setting in settings:
-            d = setting.__dict__
-            r[d['name']] = d['value']
-        return r
+        records = self.get('reverse_records_allow_edit')
+        r_records = literal_eval(records) if isinstance(records, str) else records
+        return [r for r in r_records if r_records[r]]
 
 
 class DomainTemplate(db.Model):
diff --git a/app/templates/admin_setting_basic.html b/app/templates/admin_setting_basic.html
index d5bdb84..2b6834d 100644
--- a/app/templates/admin_setting_basic.html
+++ b/app/templates/admin_setting_basic.html
@@ -34,23 +34,22 @@
                         <tbody>
                             {% for setting in settings %}
                             <tr class="odd ">
-                                <td>{{ setting.name }}</td>
-                                {% if setting.value == "True" or setting.value == "False" %}
-                                <td>{{ setting.value }}</td>
-                                {% else %}
-                                <td><input name="value" id="value" value="{{ setting.value }}"></td>
-                                {% endif %}
+                                <td>{{ setting }}</td>
+                                {% if SETTING.get(setting) in [True, False] %}
+                                <td>{{ SETTING.get(setting)|display_setting_state }}</td>
                                 <td width="6%">
-                                    {% if setting.value == "True" or setting.value == "False" %}
-                                    <button type="button" class="btn btn-flat btn-warning setting-toggle-button" id="{{ setting.name }}">
+                                    <button type="button" class="btn btn-flat btn-warning setting-toggle-button" id="{{ setting }}">
                                         Toggle&nbsp;<i class="fa fa-info"></i>
                                     </button>
-                                    {% else %}
-                                    <button type="button" class="btn btn-flat btn-warning setting-save-button" id="{{ setting.name }}">
+                                </td>
+                                {% else %}
+                                <td><input name="value" id="value" value="{{ SETTING.get(setting) }}"></td>
+                                <td width="6%">
+                                    <button type="button" class="btn btn-flat btn-warning setting-save-button" id="{{ setting }}">
                                         Save&nbsp;<i class="fa fa-info"></i>
                                     </button>
-                                    {% endif %}
                                 </td>
+                                {% endif %}
                             </tr>
                             {% endfor %}
                         </tbody>
diff --git a/app/views.py b/app/views.py
index 9a9915e..9c51a23 100644
--- a/app/views.py
+++ b/app/views.py
@@ -34,6 +34,7 @@ app.jinja_env.filters['display_record_name'] = utils.display_record_name
 app.jinja_env.filters['display_master_name'] = utils.display_master_name
 app.jinja_env.filters['display_second_to_time'] = utils.display_time
 app.jinja_env.filters['email_to_gravatar_url'] = utils.email_to_gravatar_url
+app.jinja_env.filters['display_setting_state'] = utils.display_setting_state
 
 
 @app.context_processor
@@ -1343,7 +1344,20 @@ def admin_history():
 @operator_role_required
 def admin_setting_basic():
     if request.method == 'GET':
-        settings = Setting.query.filter(Setting.view=='basic').all()
+        settings = ['maintenance',
+                    'fullscreen_layout',
+                    'record_helper',
+                    'login_ldap_first',
+                    'default_record_table_size',
+                    'default_domain_table_size',
+                    'auto_ptr',
+                    'record_quick_edit',
+                    'pretty_ipv6_ptr',
+                    'dnssec_admins_only',
+                    'allow_user_create_domain',
+                    'bg_domain_updates',
+                    'site_name'] 
+
         return render_template('admin_setting_basic.html', settings=settings)
 
 
@@ -1398,8 +1412,11 @@ def admin_setting_pdns():
 @operator_role_required
 def admin_setting_records():
     if request.method == 'GET':
-        f_records = literal_eval(Setting().get('forward_records_allow_edit'))
-        r_records = literal_eval(Setting().get('reverse_records_allow_edit'))
+        _fr = Setting().get('forward_records_allow_edit')
+        _rr = Setting().get('reverse_records_allow_edit')
+        f_records = literal_eval(_fr) if isinstance(_fr, str) else _fr
+        r_records = literal_eval(_rr) if isinstance(_rr, str) else _rr
+
         return render_template('admin_setting_records.html', f_records=f_records, r_records=r_records)
     elif request.method == 'POST':
         fr = {}
diff --git a/migrations/versions/1274ed462010_remove_all_settings_in_the_db.py b/migrations/versions/1274ed462010_remove_all_settings_in_the_db.py
new file mode 100644
index 0000000..9c3b7da
--- /dev/null
+++ b/migrations/versions/1274ed462010_remove_all_settings_in_the_db.py
@@ -0,0 +1,30 @@
+"""Change setting.value data type
+
+Revision ID: 31a4ed468b18
+Revises: 4a666113c7bb
+Create Date: 2018-08-21 17:12:30.058782
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '31a4ed468b18'
+down_revision = '4a666113c7bb'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # delete all settings from "setting" table.
+    # PDA should work without initial settings in the DB
+    # Once user change the settings from UI, they will be
+    # written to the DB.
+    op.execute("DELETE FROM setting")
+
+    # drop view column since we don't need it
+    op.drop_column('setting', 'view')
+
+def downgrade():
+    op.add_column('setting', sa.Column('view', sa.String(length=64), nullable=True))

From 0081adff364c92bde2258ab64fbfcd3373bf067a Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Tue, 4 Sep 2018 08:57:41 +0700
Subject: [PATCH 10/13] Sort record list alphabetically if python version < 3.6

---
 app/models.py                                     | 15 ++++++++++++---
 app/templates/admin_setting_pdns.html             |  2 +-
 .../1274ed462010_remove_all_settings_in_the_db.py |  2 +-
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/app/models.py b/app/models.py
index 812fff4..4ce23c4 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1,4 +1,6 @@
+import sys
 import os
+import re
 import ldap
 import ldap.filter
 import base64
@@ -6,7 +8,6 @@ import bcrypt
 import itertools
 import traceback
 import pyotp
-import re
 import dns.reversename
 import dns.inet
 import dns.name
@@ -1924,12 +1925,20 @@ class Setting(db.Model):
     def get_forward_records_allow_to_edit(self):
         records = self.get('forward_records_allow_edit')
         f_records = literal_eval(records) if isinstance(records, str) else records
-        return [r for r in f_records if f_records[r]]
+        r_name = [r for r in f_records if f_records[r]]
+        # Sort alphabetically if python version is smaller than 3.6
+        if sys.version_info[0] < 3 or (sys.version_info[0] == 3 and sys.version_info[1] < 6):
+            r_name.sort()
+        return r_name
 
     def get_reverse_records_allow_to_edit(self):
         records = self.get('reverse_records_allow_edit')
         r_records = literal_eval(records) if isinstance(records, str) else records
-        return [r for r in r_records if r_records[r]]
+        r_name = [r for r in r_records if r_records[r]]
+        # Sort alphabetically if python version is smaller than 3.6
+        if sys.version_info[0] < 3 or (sys.version_info[0] == 3 and sys.version_info[1] < 6):
+            r_name.sort()
+        return r_name
 
 
 class DomainTemplate(db.Model):
diff --git a/app/templates/admin_setting_pdns.html b/app/templates/admin_setting_pdns.html
index 528b73c..3310680 100644
--- a/app/templates/admin_setting_pdns.html
+++ b/app/templates/admin_setting_pdns.html
@@ -41,7 +41,7 @@
                     </div>
                     <div class="form-group has-feedback">
                         <label class="control-label" for="pdns_api_key">PDNS API KEY</label>
-                        <input type="text" class="form-control" placeholder="PowerDNS API key" name="pdns_api_key" data-error="Please input a valid PowerDNS API key" required value="{{ pdns_api_key }}">
+                        <input type="password" class="form-control" placeholder="PowerDNS API key" name="pdns_api_key" data-error="Please input a valid PowerDNS API key" required value="{{ pdns_api_key }}">
                         <span class="help-block with-errors"></span>
                     </div>
                     <div class="form-group has-feedback">
diff --git a/migrations/versions/1274ed462010_remove_all_settings_in_the_db.py b/migrations/versions/1274ed462010_remove_all_settings_in_the_db.py
index 9c3b7da..f1f54e4 100644
--- a/migrations/versions/1274ed462010_remove_all_settings_in_the_db.py
+++ b/migrations/versions/1274ed462010_remove_all_settings_in_the_db.py
@@ -1,4 +1,4 @@
-"""Change setting.value data type
+"""Remove all setting in the DB
 
 Revision ID: 31a4ed468b18
 Revises: 4a666113c7bb

From fe070304877b887c50faf051840731651d1ecac6 Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Tue, 4 Sep 2018 13:02:19 +0700
Subject: [PATCH 11/13] Only Administrator users can remove the history

---
 app/templates/admin_history.html | 2 +-
 app/views.py                     | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/templates/admin_history.html b/app/templates/admin_history.html
index 936cc7a..82f555b 100644
--- a/app/templates/admin_history.html
+++ b/app/templates/admin_history.html
@@ -23,7 +23,7 @@
                     <h3 class="box-title">History Management</h3>
                 </div>
                 <div class="box-body clearfix">
-                    <button type="button" class="btn btn-flat btn-danger pull-right" data-toggle="modal" data-target="#modal_clear_history">
+                    <button type="button" class="btn btn-flat btn-danger pull-right" data-toggle="modal" data-target="#modal_clear_history" {% if current_user.role != 'Administrator' %}disabled{% endif %}>
                         Clear History&nbsp;<i class="fa fa-trash"></i>
                     </button>
                 </div>
diff --git a/app/views.py b/app/views.py
index 9c51a23..2a8d1e2 100644
--- a/app/views.py
+++ b/app/views.py
@@ -1324,12 +1324,14 @@ def admin_manageaccount():
 @operator_role_required
 def admin_history():
     if request.method == 'POST':
+        if current_user.role != 'Administrator':
+            return make_response(jsonify( { 'status': 'error', 'msg': 'You do not have permission to remove history.' } ), 401)
+
         h = History()
         result = h.remove_all()
         if result:
             history = History(msg='Remove all histories', created_by=current_user.username)
             history.add()
-
             return make_response(jsonify( { 'status': 'ok', 'msg': 'Changed user role successfully.' } ), 200)
         else:
             return make_response(jsonify( { 'status': 'error', 'msg': 'Can not remove histories.' } ), 500)

From 902e63a64e4d245385be47be52de8b0152cd3905 Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Tue, 4 Sep 2018 13:10:55 +0700
Subject: [PATCH 12/13] Fixing typo

---
 app/models.py                        | 4 ++--
 app/templates/domain_management.html | 2 +-
 app/views.py                         | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/app/models.py b/app/models.py
index 4ce23c4..09d2c1b 100644
--- a/app/models.py
+++ b/app/models.py
@@ -971,7 +971,7 @@ class Domain(db.Model):
                 domain_users.append(tmp.username)
             if 0 != len(domain_users):
                 self.name = domain_reverse_name
-                self.grant_privielges(domain_users)
+                self.grant_privileges(domain_users)
                 return {'status': 'ok', 'msg': 'New reverse lookup domain created with granted privilages'}
             return {'status': 'ok', 'msg': 'New reverse lookup domain created without users'}
         return {'status': 'ok', 'msg': 'Reverse lookup domain already exists'}
@@ -1018,7 +1018,7 @@ class Domain(db.Model):
             user_ids.append(q[0].user_id)
         return user_ids
 
-    def grant_privielges(self, new_user_list):
+    def grant_privileges(self, new_user_list):
         """
         Reconfigure domain_user table
         """
diff --git a/app/templates/domain_management.html b/app/templates/domain_management.html
index 0cbb9bc..4e504d1 100644
--- a/app/templates/domain_management.html
+++ b/app/templates/domain_management.html
@@ -174,7 +174,7 @@
                     <h3 class="box-title">Domain Deletion</h3>
                 </div>
                 <div class="box-body">
-                    <p>This function is used to remove a domain from PowerDNS-Admin <b>AND</b> PowerDNS. All records and user privileges which associated to this domain will also be removed. This change cannot be reverted.</p>
+                    <p>This function is used to remove a domain from PowerDNS-Admin <b>AND</b> PowerDNS. All records and user privileges associated with this domain will also be removed. This change cannot be reverted.</p>
                     <button type="button" class="btn btn-flat btn-danger pull-left delete_domain" id="{{ domain.name }}">
                         <i class="fa fa-trash"></i>&nbsp;DELETE DOMAIN {{ domain.name }}
                     </button>
diff --git a/app/views.py b/app/views.py
index 2a8d1e2..aeb82e9 100644
--- a/app/views.py
+++ b/app/views.py
@@ -630,7 +630,7 @@ def domain_add():
                 history.add()
 
                 # grant user access to the domain
-                Domain(name=domain_name).grant_privielges([current_user.username])
+                Domain(name=domain_name).grant_privileges([current_user.username])
 
                 # apply template if needed
                 if domain_template != '0':
@@ -700,7 +700,7 @@ def domain_management(domain_name):
 
         # grant/revoke user privielges
         d = Domain(name=domain_name)
-        d.grant_privielges(new_user_list)
+        d.grant_privileges(new_user_list)
 
         history = History(msg='Change domain {0} access control'.format(domain_name), detail=str({'user_has_access': new_user_list}), created_by=current_user.username)
         history.add()

From cd183c5731a7bb696f25431c18cfc4fa56121658 Mon Sep 17 00:00:00 2001
From: Khanh Ngo <ngokhanhit@gmail.com>
Date: Tue, 4 Sep 2018 15:12:11 +0700
Subject: [PATCH 13/13] Update docker entrypoint.sh to populate the pdns
 setting data

---
 docker/PowerDNS-Admin/entrypoint.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docker/PowerDNS-Admin/entrypoint.sh b/docker/PowerDNS-Admin/entrypoint.sh
index 149b75c..098cdf7 100755
--- a/docker/PowerDNS-Admin/entrypoint.sh
+++ b/docker/PowerDNS-Admin/entrypoint.sh
@@ -41,6 +41,11 @@ else
 fi
 
 echo "===> Update PDNS API connection info"
+# initial setting if not available in the DB
+mysql -h${PDA_DB_HOST} -u${PDA_DB_USER} -p${PDA_DB_PASSWORD} ${PDA_DB_NAME} -e "INSERT INTO setting (name, value) SELECT * FROM (SELECT 'pdns_api_url', 'http://${PDNS_HOST}:8081') AS tmp WHERE NOT EXISTS (SELECT name FROM setting WHERE name = 'pdns_api_url') LIMIT 1;"
+mysql -h${PDA_DB_HOST} -u${PDA_DB_USER} -p${PDA_DB_PASSWORD} ${PDA_DB_NAME} -e "INSERT INTO setting (name, value) SELECT * FROM (SELECT 'pdns_api_key', '${PDNS_API_KEY}') AS tmp WHERE NOT EXISTS (SELECT name FROM setting WHERE name = 'pdns_api_key') LIMIT 1;"
+
+# update pdns api setting if .env is changed.
 mysql -h${PDA_DB_HOST} -u${PDA_DB_USER} -p${PDA_DB_PASSWORD} ${PDA_DB_NAME} -e "UPDATE setting SET value='http://${PDNS_HOST}:8081' WHERE name='pdns_api_url';"
 mysql -h${PDA_DB_HOST} -u${PDA_DB_USER} -p${PDA_DB_PASSWORD} ${PDA_DB_NAME} -e "UPDATE setting SET value='${PDNS_API_KEY}' WHERE name='pdns_api_key';"