Added ability for user to change slave domain with permission in backend

2018-04-09 16:17:27 +02:00 · 2018-04-09 16:17:27 +02:00 · b4f6922c96
parent 0701388c7e
commit b4f6922c96
2 changed files with 18 additions and 6 deletions
--- a/backend/src/controllers/Domains.php
+++ b/backend/src/controllers/Domains.php
@ -123,10 +123,12 @@ class Domains

    public function put(Request $req, Response $res, array $args)
    {
+        $userId = $req->getAttribute('userId');
+        $domainId = intval($args['domainId']);
        $ac = new \Operations\AccessControl($this->c);
-        if (!$ac->isAdmin($req->getAttribute('userId'))) {
-            $this->logger->info('Non admin user tries to delete domain');
-            return $res->withJson(['error' => 'You must be admin to use this feature'], 403);
+        if (!$ac->canAccessDomain($userId, $domainId)) {
+            $this->logger->info('User tries to update domain without permission');
+            return $res->withJson(['error' => 'You have no permissions for this domain.'], 403);
        }

        $body = $req->getParsedBody();
@ -136,7 +138,6 @@ class Domains
            return $res->withJson(['error' => 'One of the required fields is missing'], 422);
        }

-        $domainId = $args['domainId'];
        $master = $body['master'];

        $domains = new \Operations\Domains($this->c);
--- a/backend/test/tests/domains-crud.js
+++ b/backend/test/tests/domains-crud.js
@ -232,7 +232,7 @@ test.run(async function () {

        assert.equal(res.status, 403, 'Domain deletion should be forbidden for users.');

-        //Test insufficient permissions
+        //Test update for domain with permissions
        var res = await req({
            url: '/domains/2',
            method: 'put',
@ -241,7 +241,18 @@ test.run(async function () {
            }
        });

-        assert.equal(res.status, 403, 'Update of slave zone should be forbidden for non admins.');
+        assert.equal(res.status, 204, 'Update of slave zone should work if user has permissions.');
+
+        //Test insufficient permissions
+        var res = await req({
+            url: '/domains/3',
+            method: 'put',
+            data: {
+                master: '9.8.7.6'
+            }
+        });
+
+        assert.equal(res.status, 403, 'Update of slave zone should fail without permissions.');

        //Test insufficient privileges for get
        var res = await req({