Merge pull request #2 from thomasDOTde/upstream-access-control

Add access control for non-admin users from hackedd
2017-11-01 21:47:14 +01:00 · 2017-11-01 21:47:14 +01:00 · ff9a6fcfba
parent 9b0d1fdb6f 9a4021d5e5
commit ff9a6fcfba
2 changed files with 49 additions and 28 deletions
--- a/app/models.py
+++ b/app/models.py
@ -314,6 +314,13 @@ class User(db.Model):
            user_domains.append(q[2])
        return user_domains

+    def can_access_domain(self, domain_name):
+        if self.role.name == "Administrator":
+            return True
+
+        query = self.get_domain_query().filter(Domain.name == domain_name)
+        return query.count() >= 1
+
    def delete(self):
        """
        Delete a user
--- a/app/views.py
+++ b/app/views.py
@ -388,36 +388,39 @@ def dashboard():
 def domain(domain_name):
    r = Record()
    domain = Domain.query.filter(Domain.name == domain_name).first()
-    if domain:
-        # query domain info from PowerDNS API
-        zone_info = r.get_record_data(domain.name)
-        if zone_info:
-            jrecords = zone_info['records']
-        else:
-            # can not get any record, API server might be down
-            return redirect(url_for('error', code=500))
-
-        records = []
-        #TODO: This should be done in the "model" instead of "view"
-        if NEW_SCHEMA:
-            for jr in jrecords:
-                if jr['type'] in app.config['RECORDS_ALLOW_EDIT']:
-                    for subrecord in jr['records']:
-                        record = Record(name=jr['name'], type=jr['type'], status='Disabled' if subrecord['disabled'] else 'Active', ttl=jr['ttl'], data=subrecord['content'])
-                        records.append(record)
-        else:
-            for jr in jrecords:
-                if jr['type'] in app.config['RECORDS_ALLOW_EDIT']:
-                    record = Record(name=jr['name'], type=jr['type'], status='Disabled' if jr['disabled'] else 'Active', ttl=jr['ttl'], data=jr['content'])
-                    records.append(record)
-        if not re.search('ip6\.arpa|in-addr\.arpa$', domain_name):
-            editable_records = app.config['RECORDS_ALLOW_EDIT']
-        else:
-            editable_records = ['PTR']
-        return render_template('domain.html', domain=domain, records=records, editable_records=editable_records)
-    else:
+    if not domain:
        return redirect(url_for('error', code=404))

+    if not current_user.can_access_domain(domain_name):
+        abort(403)
+
+    # query domain info from PowerDNS API
+    zone_info = r.get_record_data(domain.name)
+    if zone_info:
+        jrecords = zone_info['records']
+    else:
+        # can not get any record, API server might be down
+        return redirect(url_for('error', code=500))
+
+    records = []
+    #TODO: This should be done in the "model" instead of "view"
+    if NEW_SCHEMA:
+        for jr in jrecords:
+            if jr['type'] in app.config['RECORDS_ALLOW_EDIT']:
+                for subrecord in jr['records']:
+                    record = Record(name=jr['name'], type=jr['type'], status='Disabled' if subrecord['disabled'] else 'Active', ttl=jr['ttl'], data=subrecord['content'])
+                    records.append(record)
+    else:
+        for jr in jrecords:
+            if jr['type'] in app.config['RECORDS_ALLOW_EDIT']:
+                record = Record(name=jr['name'], type=jr['type'], status='Disabled' if jr['disabled'] else 'Active', ttl=jr['ttl'], data=jr['content'])
+                records.append(record)
+    if not re.search('ip6\.arpa|in-addr\.arpa$', domain_name):
+        editable_records = app.config['RECORDS_ALLOW_EDIT']
+    else:
+        editable_records = ['PTR']
+    return render_template('domain.html', domain=domain, records=records, editable_records=editable_records)
+

@app.route('/admin/domain/add', methods=['GET', 'POST'])
@login_required
@ -508,6 +511,10 @@ def record_apply(domain_name):
    example jdata: {u'record_ttl': u'1800', u'record_type': u'CNAME', u'record_name': u'test4', u'record_status': u'Active', u'record_data': u'duykhanh.me'}
    """
    #TODO: filter removed records / name modified records.
+
+    if not current_user.can_access_domain(domain_name):
+        return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
+
    try:
        pdata = request.data
        jdata = json.loads(pdata)
@ -532,6 +539,10 @@ def record_update(domain_name):
    This route is used for domain work as Slave Zone only
    Pulling the records update from its Master
    """
+
+    if not current_user.can_access_domain(domain_name):
+        return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
+
    try:
        pdata = request.data
        jdata = json.loads(pdata)
@ -566,6 +577,9 @@ def record_delete(domain_name, record_name, record_type):
@app.route('/domain/<string:domain_name>/dnssec', methods=['GET'])
@login_required
 def domain_dnssec(domain_name):
+    if not current_user.can_access_domain(domain_name):
+        return make_response(jsonify({'status': 'error', 'msg': 'You do not have access to that domain'}), 403)
+
    domain = Domain()
    dnssec = domain.get_domain_dnssec(domain_name)
    return make_response(jsonify(dnssec), 200)