From b4f6922c963e663053b5f4f44f542e23ee1913a2 Mon Sep 17 00:00:00 2001 From: Lukas Metzger Date: Mon, 9 Apr 2018 16:17:27 +0200 Subject: [PATCH] Added ability for user to change slave domain with permission in backend --- backend/src/controllers/Domains.php | 9 +++++---- backend/test/tests/domains-crud.js | 15 +++++++++++++-- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/backend/src/controllers/Domains.php b/backend/src/controllers/Domains.php index 3f03dea..5918da0 100644 --- a/backend/src/controllers/Domains.php +++ b/backend/src/controllers/Domains.php @@ -123,10 +123,12 @@ class Domains public function put(Request $req, Response $res, array $args) { + $userId = $req->getAttribute('userId'); + $domainId = intval($args['domainId']); $ac = new \Operations\AccessControl($this->c); - if (!$ac->isAdmin($req->getAttribute('userId'))) { - $this->logger->info('Non admin user tries to delete domain'); - return $res->withJson(['error' => 'You must be admin to use this feature'], 403); + if (!$ac->canAccessDomain($userId, $domainId)) { + $this->logger->info('User tries to update domain without permission'); + return $res->withJson(['error' => 'You have no permissions for this domain.'], 403); } $body = $req->getParsedBody(); @@ -136,7 +138,6 @@ class Domains return $res->withJson(['error' => 'One of the required fields is missing'], 422); } - $domainId = $args['domainId']; $master = $body['master']; $domains = new \Operations\Domains($this->c); diff --git a/backend/test/tests/domains-crud.js b/backend/test/tests/domains-crud.js index b1e3576..844b972 100644 --- a/backend/test/tests/domains-crud.js +++ b/backend/test/tests/domains-crud.js @@ -232,7 +232,7 @@ test.run(async function () { assert.equal(res.status, 403, 'Domain deletion should be forbidden for users.'); - //Test insufficient permissions + //Test update for domain with permissions var res = await req({ url: '/domains/2', method: 'put', 
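Review bot: Now that put() admits any user who passes canAccessDomain(), a non-admin can redirect a slave zone's transfer source, yet nothing in the hunk validates the value beyond presence — the second hunk's context line `$master = $body['master'];` takes the body value as-is, so unless \Operations\Domains checks it an arbitrary string could be stored as the master. I would validate the form the zone backend accepts before it leaves the controller (the tests use a bare IPv4 literal), e.g. `if (filter_var($master, FILTER_VALIDATE_IP) === false) { return $res->withJson(['error' => 'Master must be a valid IP address'], 422); }`. The new denial log `'User tries to update domain without permission'` also drops the identifiers that make the event actionable for an incident reviewer; `$this->logger->info('User ' . $userId . ' tries to update domain ' . $domainId . ' without permission');` costs nothing since both are already local. Whether canAccessDomain() grants write as well as read access is not visible here; if the permission model distinguishes them, a write-level check belongs on a mutating endpoint. put()'s body continues outside the hunk.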
@@ -241,7 +241,18 @@ test.run(async function () { } }); - assert.equal(res.status, 403, 'Update of slave zone should be forbidden for non admins.'); + assert.equal(res.status, 204, 'Update of slave zone should work if user has permissions.'); + + //Test insufficient permissions + var res = await req({ + url: '/domains/3', + method: 'put', + data: { + master: '9.8.7.6' + } + }); + + assert.equal(res.status, 403, 'Update of slave zone should fail without permissions.'); //Test insufficient privileges for get var res = await req({
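Review bot: The denied case on `/domains/3` asserts only the 403 status and never checks that the zone's master was left untouched, so a handler that performed the update and then returned 403 would still pass. Follow the assertion with a read-back of domain 3 and assert its master is not `'9.8.7.6'`; the GET endpoint referenced just below this hunk looks usable for that, though its response shape is not visible here. The permitted case likewise asserts only 204 without confirming the new master was actually stored. Both cases send a bare IPv4 literal, so a request with a malformed master expecting 422 would also pin whatever validation the backend applies. The enclosing test.run callback begins and ends outside the hunk.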