From a937d051635b6977569fe25408e7bf6f5c453814 Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Mon, 19 Sep 2016 15:40:10 +0100
Subject: [PATCH 01/20] Missing variable in users.php

---
 users.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/users.php b/users.php
index 019619c..e6273b3 100644
--- a/users.php
+++ b/users.php
@@ -85,6 +85,8 @@ case "update":
     break;
 
 case "delete":
+    $emailaddress = isset($_POST['emailaddress']) ? $_POST['emailaddress'] : '';
+
     if ($emailaddress != '' and delete_user($emailaddress) !== FALSE) {
         jtable_respond(null, 'delete');
     } else {

From e172ba6502053969d19f1f060463775b036f4d6b Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Fri, 30 Sep 2016 14:23:09 +0100
Subject: [PATCH 02/20] Added group table to users tab. Allow group name
 editing for now.

---
 groups.php              | 87 ++++++++++++++++++++++++++++++++++++++++
 includes/groups.inc.php | 88 +++++++++++++++++++++++++++++++++++++++++
 includes/misc.inc.php   |  5 ++-
 index.php               | 51 +++++++++++++++++++++---
 4 files changed, 224 insertions(+), 7 deletions(-)
 create mode 100644 groups.php
 create mode 100644 includes/groups.inc.php

diff --git a/groups.php b/groups.php
new file mode 100644
index 0000000..1037363
--- /dev/null
+++ b/groups.php
@@ -0,0 +1,87 @@
+<?php
+
+include_once('includes/config.inc.php');
+include_once('includes/session.inc.php');
+include_once('includes/misc.inc.php');
+
+if (!is_csrf_safe()) {
+    header('Status: 403');
+    header('Location: ./index.php');
+    jtable_respond(null, 'error', "Authentication required");
+}
+
+if (!is_adminuser()) {
+    header('Status: 403');
+    jtable_respond(null, 'error', "You need adminprivileges to get here");
+}
+
+if (!isset($_GET['action'])) {
+    header('Status: 400');
+    jtable_respond(null, 'error', 'No action given');
+}
+
+switch ($_GET['action']) {
+
+case "list":
+    $groups = get_all_groups();
+    jtable_respond($groups);
+    break;
+
+case "listoptions":
+    $groups = get_all_groups();
+    $retgroups = array();
+    foreach ($groups as $group) {
+        $retgroups[] = array(
+            'DisplayText' => $group['name'] . " - " . $group['desc'],
+            'Value'       => $group['name']);
+    }
+    jtable_respond($retgroups, 'options');
+    break;
+
+case "create":
+    $name = isset($_POST['name']) ? $_POST['name'] : '';
+    $desc = isset($_POST['desc']) ? $_POST['desc'] : '';
+
+    if (!valid_group($name)) {
+        jtable_respond(null, 'error', "Please only use ^[a-z0-9@_.-]+$ for group names");
+    }
+
+    if (group_exists($name)) {
+        jtable_respond(null, 'error', 'Group already exists');
+    }
+
+    if (add_group($name, $desc)) {
+        $result = array('name' => $name, 'desc' => $desc);
+        jtable_respond($result, 'single');
+    } else {
+        jtable_respond(null, 'error', 'Could not create group');
+    }
+    break;
+
+case "update":
+    $id = isset($_POST['id']) ? intval($_POST['id']) : '';
+    $name = isset($_POST['name']) ? $_POST['name'] : '';
+    $desc = isset($_POST['desc']) ? $_POST['desc'] : '';
+
+    if ($id != '' and update_group($id, $name, $desc)) {
+        $result = array('name' => $name, 'desc' => $desc);
+        jtable_respond($result, 'single');
+    } else {
+        jtable_respond(null, 'error', 'Could not update group');
+    }
+    break;
+
+case "delete":
+    $id = isset($_POST['id']) ? intval($_POST['id']) : '';
+
+    if ($id != '' and delete_group($id) !== FALSE) {
+        jtable_respond(null, 'delete');
+    } else {
+        jtable_respond(null, 'error', 'Could not delete group');
+    }
+    break;
+
+default:
+    jtable_respond(null, 'error', 'Invalid action');
+    break;
+}
diff --git a/includes/groups.inc.php b/includes/groups.inc.php
new file mode 100644
index 0000000..e9609d9
--- /dev/null
+++ b/includes/groups.inc.php
@@ -0,0 +1,88 @@
+<?php
+
+function get_all_groups() {
+    $db = get_db();
+    $r = $db->query('SELECT id, name, desc FROM groups ORDER BY name');
+    $ret = array();
+    while ($row = $r->fetchArray(SQLITE3_ASSOC)) {
+        array_push($ret, $row);
+    }
+
+    return $ret;
+}
+
+function get_group_info($name) {
+    $db = get_db();
+    $q = $db->prepare('SELECT * FROM groups WHERE name = ?');
+    $q->bindValue(1, $name);
+    $result = $q->execute();
+    $groupinfo = $result->fetchArray(SQLITE3_ASSOC);
+    $db->close();
+
+    return $groupinfo;
+}
+
+function group_exists($name) {
+    return (bool) get_group_info($name);
+}
+
+function add_group($name, $desc) {
+    $db = get_db();
+    $q = $db->prepare('INSERT INTO groups (name, desc) VALUES (?, ?)');
+    $q->bindValue(1, $name, SQLITE3_TEXT);
+    $q->bindValue(2, $desc, SQLITE3_TEXT);
+    $ret = $q->execute();
+    $db->close();
+
+    writelog("Added group $name ($desc).");
+    return $ret;
+}
+
+function update_group($id, $name, $desc) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT * FROM groups WHERE id = ?');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $result = $q->execute();
+    $groupinfo = $result->fetchArray(SQLITE3_ASSOC);
+    $q->close();
+    $oldname = $groupinfo['name'];
+
+    $q = $db->prepare('UPDATE groups SET name = ?, desc = ? WHERE id = ?');
+    $q->bindValue(1, $name, SQLITE3_TEXT);
+    $q->bindValue(2, $desc, SQLITE3_TEXT);
+    $q->bindValue(3, $id, SQLITE3_INTEGER);
+    writelog("Updating group $oldname to: $name ($desc) ");
+    $ret = $q->execute();
+    $db->close();
+
+    return $ret;
+}
+
+function delete_group($id) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT * FROM groups WHERE id = ?');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $result = $q->execute();
+    $groupinfo = $result->fetchArray(SQLITE3_ASSOC);
+    $q->close();
+
+    if($groupinfo) {
+        $q = $db->prepare('DELETE FROM groups WHERE id = ?');
+        $q->bindValue(1, $id, SQLITE3_INTEGER);
+        $ret = $q->execute();
+        $db->close();
+
+        writelog("Deleted group " . $groupinfo['name'] . ".");
+        return $ret;
+    } else {
+        return false;
+    }
+}
+
+function valid_group($name) {
+    return ( bool ) preg_match( "/^[a-z0-9@_.-]+$/i" , $name );
+}
+
+?>
diff --git a/includes/misc.inc.php b/includes/misc.inc.php
index a818cb2..5fa6b0b 100644
--- a/includes/misc.inc.php
+++ b/includes/misc.inc.php
@@ -1,6 +1,6 @@
 <?php
 
-include('config.inc.php');
+include_once('config.inc.php');
 
 $blocklogin = FALSE;
 
@@ -458,4 +458,7 @@ if (!function_exists('hash_pbkdf2')) {
     }
 }
 
+// Include functions for group management
+include_once('groups.inc.php');
+
 ?>
diff --git a/index.php b/index.php
index 8c764f4..95dcdb2 100644
--- a/index.php
+++ b/index.php
@@ -160,7 +160,7 @@ if ($blocklogin === TRUE) {
         <ul>
             <li><a href="#" id="zoneadmin">Zones</a></li>
             <?php if (is_adminuser()) { ?>
-                <li><a href="#" id="useradmin">Users</a></li>
+                <li><a href="#" id="useradmin">Users/Groups</a></li>
                 <li><a href="#" id="logadmin">Logs</a></li>
             <?php } ?>
             <li><a href="#" id="aboutme">About me</a></li>
@@ -186,6 +186,7 @@ if ($blocklogin === TRUE) {
     <?php if (is_adminuser()) { ?>
     <div id="users">
         <div class="tables" id="Users"></div>
+        <div class="tables" id="Groups"></div>
     </div>
     <div id="logs">
         <div class="tables" id="Logs"></div>
@@ -941,11 +942,11 @@ $(document).ready(function () {
 
     <?php if (is_adminuser()) { ?>
     $('#logs').hide();
-    $('#Users').hide();
+    $('#users').hide();
     $('#AboutMe').hide();
     $('#aboutme').click(function () {
         $('#logs').hide();
-        $('#Users').hide();
+        $('#users').hide();
         $('#MasterZones').hide();
         $('#SlaveZones').hide();
         $('#AboutMe').show();
@@ -956,17 +957,18 @@ $(document).ready(function () {
         $('#SlaveZones').hide();
         $('#AboutMe').hide();
         $('#Users').jtable('load');
-        $('#Users').show();
+        $('#Groups').jtable('load');
+        $('#users').show();
     });
     $('#zoneadmin').click(function () {
         $('#logs').hide();
-        $('#Users').hide();
+        $('#users').hide();
         $('#AboutMe').hide();
         $('#MasterZones').show();
         $('#SlaveZones').show();
     });
     $('#logadmin').click(function () {
-        $('#Users').hide();
+        $('#users').hide();
         $('#AboutMe').hide();
         $('#MasterZones').hide();
         $('#SlaveZones').hide();
@@ -1023,6 +1025,43 @@ $(document).ready(function () {
         }
     });
 
+    $('#Groups').jtable({
+        title: 'Groups',
+        paging: true,
+        pageSize: 20,
+        sorting: false,
+        actions: {
+            listAction: 'groups.php?action=list',
+            createAction: 'groups.php?action=create',
+            deleteAction: 'groups.php?action=delete',
+            updateAction: 'groups.php?action=update'
+        },
+        messages: {
+            addNewRecord: 'Add new group',
+            deleteConfirmation: 'This group will be deleted. Are you sure?'
+        },
+        fields: {
+            id: {
+                key: true,
+                type: 'hidden'
+            },
+            name: {
+                title: 'Group name',
+                display: displayContent('name'),
+                edit: true
+            },
+            desc: {
+                title: 'Description',
+                display: displayContent('desc')
+            }
+        },
+        recordAdded: function() {
+            $epoch = getEpoch();
+            $("#MasterZones").jtable('reload');
+            $("#SlaveZones").jtable('reload');
+        }
+    });
+
     $('#Logs').jtable({
         title: 'Logs',
         paging: true,

From 1aa0f0bbcaa795f7224990756d03756df8b875a0 Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Fri, 30 Sep 2016 16:31:17 +0100
Subject: [PATCH 03/20] Added a check as jtable expects a list here.

---
 includes/misc.inc.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/includes/misc.inc.php b/includes/misc.inc.php
index 5fa6b0b..1f57667 100644
--- a/includes/misc.inc.php
+++ b/includes/misc.inc.php
@@ -219,6 +219,10 @@ function valid_user($name) {
 }
 
 function jtable_respond($records, $method = 'multiple', $msg = 'Undefined errormessage') {
+    if($records == null) {
+      $records=array();
+    }
+
     $jTableResult = array();
     if ($method == 'error') {
         $jTableResult['Result'] = "ERROR";

From 417e9ca848e9fc6f213a33068ddb1d47a1934c57 Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Tue, 4 Oct 2016 09:25:32 +0100
Subject: [PATCH 04/20] Basic group management support. Lots more to do.

---
 groups.php              | 33 ++++++++++++++++++++
 includes/groups.inc.php | 67 +++++++++++++++++++++++++++++++++++++++++
 includes/misc.inc.php   | 20 ++++++++++++
 index.php               | 42 ++++++++++++++++++++++++++
 users.php               |  6 ++++
 5 files changed, 168 insertions(+)

diff --git a/groups.php b/groups.php
index 1037363..3712782 100644
--- a/groups.php
+++ b/groups.php
@@ -81,6 +81,39 @@ case "delete":
     }
     break;
 
+case "listmembers":
+    $groupid = isset($_GET['groupid']) ? intval($_GET['groupid']) : '';
+
+    if ($groupid != '') {
+        $groups = get_group_members($groupid);
+        jtable_respond($groups);
+    } else {
+        jtable_respond(null, 'error', 'Could not list group members');
+    }
+    break;
+
+case "addmember":
+    $groupid = isset($_GET['groupid']) ? intval($_GET['groupid']) : '';
+    $user = isset($_POST['user']) ? $_POST['user'] : '';
+
+    if ($groupid != '') {
+        if (user_exists($user)) {
+            if(is_group_member($groupid,$user)) {
+                jtable_respond(null, 'error', "User already a member of the group");
+            } elseif(add_group_member($groupid,$user)) {
+                $entry = array('user' => $user);
+                jtable_respond($entry, 'single');
+            } else {
+                jtable_respond(null, 'error', "Failed to add user to group");
+            }
+        } else {
+            jtable_respond(null, 'error', "User doesn't exist");
+        }
+    } else {
+        jtable_respond(null, 'error', 'Group not specified');
+    }
+    break;
+
 default:
     jtable_respond(null, 'error', 'Invalid action');
     break;
diff --git a/includes/groups.inc.php b/includes/groups.inc.php
index e9609d9..a5983d8 100644
--- a/includes/groups.inc.php
+++ b/includes/groups.inc.php
@@ -22,6 +22,17 @@ function get_group_info($name) {
     return $groupinfo;
 }
 
+function get_group_name($id) {
+    $db = get_db();
+    $q = $db->prepare('SELECT * FROM groups WHERE id = ?');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $r = $q->execute();
+    $ret = $r->fetchArray(SQLITE3_NUM);
+    $db->close();
+
+    return $ret[0];
+}
+
 function group_exists($name) {
     return (bool) get_group_info($name);
 }
@@ -85,4 +96,60 @@ function valid_group($name) {
     return ( bool ) preg_match( "/^[a-z0-9@_.-]+$/i" , $name );
 }
 
+function get_group_members($id) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT groupmembers.id,users.emailaddress AS user FROM groupmembers,users WHERE "group" = ? AND groupmembers.user = users.id');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $result = $q->execute();
+
+    $ret = array();
+
+    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
+        array_push($ret, $row);
+    }
+
+    return $ret;
+}
+
+// move to misc?
+function get_user_id($user) {
+    $info=get_user_info($user);
+    if($info) {
+        return $info['id'];
+    } else {
+        return null;
+    }
+}
+
+function is_group_member($id,$user) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT id FROM groupmembers WHERE "group" = ? AND user = ?');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $q->bindValue(2, get_user_id($user), SQLITE3_INTEGER);
+    $r = $q->execute();
+    $ret = $r->fetchArray(SQLITE3_NUM);
+    return (bool) $ret;
+}
+
+function add_group_member($id,$user) {
+    $db = get_db();
+
+    $userid=get_user_id($user);
+
+    $q = $db->prepare('INSERT INTO groupmembers ("group", user) VALUES (?, ?)');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $q->bindValue(2, $userid, SQLITE3_INTEGER);
+    $ret = $q->execute();
+    $db->close();
+
+    if($ret) {
+        writelog("Added user $user to group " . get_group_name($id) . ".");
+    } else {
+        writelog("Failed to add user $user to group " . get_group_name($id) . ".");
+    }
+    return $ret;
+}
+
 ?>
diff --git a/includes/misc.inc.php b/includes/misc.inc.php
index 1f57667..d64cdd1 100644
--- a/includes/misc.inc.php
+++ b/includes/misc.inc.php
@@ -104,6 +104,26 @@ function get_all_users() {
     return $ret;
 }
 
+/* Fetches a list of usernames from the DB for autocomplete.
+ * Restricts list by $term which can appear anywhere in the username
+ * Restricts results to $num responses
+ */
+function get_usernames_filtered($term, $num = 10) {
+    $db = get_db();
+    $q = $db->prepare("SELECT emailaddress FROM users WHERE emailaddress LIKE ? ORDER BY emailaddress LIMIT 0, ?");
+    $q->bindValue(1, "%" . $term . "%", SQLITE3_TEXT);
+    $q->bindValue(2, $num, SQLITE3_INTEGER);
+    $r = $q->execute();
+
+    $ret = array();
+    while ($row = $r->fetchArray(SQLITE3_NUM)) {
+        array_push($ret, $row[0]);
+    }
+    $db->close();
+
+    return $ret;
+}
+
 function get_user_info($u) {
     $db = get_db();
     $q = $db->prepare('SELECT * FROM users WHERE emailaddress = ?');
diff --git a/index.php b/index.php
index 95dcdb2..072c9d0 100644
--- a/index.php
+++ b/index.php
@@ -48,6 +48,8 @@ if (is_logged_in() and isset($_POST['formname']) and $_POST['formname'] === "cha
     <script src="jquery-ui/ui/button.js" type="text/javascript"></script>
     <script src="jquery-ui/ui/resizable.js" type="text/javascript"></script>
     <script src="jquery-ui/ui/dialog.js" type="text/javascript"></script>
+    <script src="jquery-ui/ui/menu.js" type="text/javascript"></script>
+    <script src="jquery-ui/ui/autocomplete.js" type="text/javascript"></script>
     <script src="jtable/lib/jquery.jtable.min.js" type="text/javascript"></script>
     <script src="js/addclear/addclear.js" type="text/javascript"></script>
 </head>
@@ -1030,6 +1032,7 @@ $(document).ready(function () {
         paging: true,
         pageSize: 20,
         sorting: false,
+        openChildAsAccordion: true,
         actions: {
             listAction: 'groups.php?action=list',
             createAction: 'groups.php?action=create',
@@ -1053,6 +1056,45 @@ $(document).ready(function () {
             desc: {
                 title: 'Description',
                 display: displayContent('desc')
+            },
+            members: {
+                width: '5%',
+                title: 'Members',
+                sorting: false,
+                edit: false,
+                create: false,
+                display: function (data) {
+                    var $img = $('<img class="list" src="img/list.png" title="Edit Members">');
+                    $img.click(function() {
+                        $('#Groups').jtable('openChildTable',
+                        $img.closest('tr'), {
+                            title: 'Members of ' + data.record.name,
+                            actions: {
+                                listAction: 'groups.php?action=listmembers&groupid=' + data.record.id,
+                                createAction: 'groups.php?action=addmember&groupid=' + data.record.id
+                            },
+                            fields: {
+                                id: {
+                                    key: true,
+                                    type: 'hidden'
+                                },
+                                user: {
+                                    title: 'Username',
+                                    inputClass: "userlist",
+                                    display: displayContent('user')
+                                }
+                            },
+                            formCreated: function(event, data) {
+                                $( ".userlist" ).autocomplete({
+                                    source: "users.php?action=autocomplete"
+                                });
+                            }
+                        }, function (data) { //opened handler
+                            data.childTable.jtable('load');
+                        });
+                    });
+                    return $img;
+                }
             }
         },
         recordAdded: function() {
diff --git a/users.php b/users.php
index e31c122..67df833 100644
--- a/users.php
+++ b/users.php
@@ -38,6 +38,12 @@ case "listoptions":
     jtable_respond($retusers, 'options');
     break;
 
+case "autocomplete":
+    $term = isset($_GET['term']) ? $_GET['term'] : '';
+    $users=get_usernames_filtered($term);
+    print json_encode($users);
+    break;
+
 case "create":
     $emailaddress = isset($_POST['emailaddress']) ? $_POST['emailaddress'] : '';
     $isadmin = isset($_POST['isadmin']) ? $_POST['isadmin'] : '0';

From d915137eff5bacdabafba50f14609489d3c9b64b Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Tue, 4 Oct 2016 10:05:22 +0100
Subject: [PATCH 05/20] Allow removal of members from groups.

---
 groups.php              | 18 ++++++++++++++++--
 includes/groups.inc.php | 28 ++++++++++++++++++++++++++--
 index.php               |  7 ++++++-
 3 files changed, 48 insertions(+), 5 deletions(-)

diff --git a/groups.php b/groups.php
index 3712782..59a0557 100644
--- a/groups.php
+++ b/groups.php
@@ -100,8 +100,8 @@ case "addmember":
         if (user_exists($user)) {
             if(is_group_member($groupid,$user)) {
                 jtable_respond(null, 'error', "User already a member of the group");
-            } elseif(add_group_member($groupid,$user)) {
-                $entry = array('user' => $user);
+            } elseif(!is_null($id=add_group_member($groupid,$user))) {
+                $entry = array('id' => $id,'user' => $user);
                 jtable_respond($entry, 'single');
             } else {
                 jtable_respond(null, 'error', "Failed to add user to group");
@@ -114,6 +114,20 @@ case "addmember":
     }
     break;
 
+case "removemember":
+    $id = isset($_POST['id']) ? $_POST['id'] : '';
+
+    if ($id != '') {
+        if(remove_group_member($id)) {
+            jtable_respond(null, 'delete');
+        } else {
+            jtable_respond(null, 'error', "Failed to delete user from group");
+        }
+    } else {
+        jtable_respond(null, 'error', 'ID not specified');
+    }
+    break;
+
 default:
     jtable_respond(null, 'error', 'Invalid action');
     break;
diff --git a/includes/groups.inc.php b/includes/groups.inc.php
index a5983d8..597ab3f 100644
--- a/includes/groups.inc.php
+++ b/includes/groups.inc.php
@@ -24,7 +24,7 @@ function get_group_info($name) {
 
 function get_group_name($id) {
     $db = get_db();
-    $q = $db->prepare('SELECT * FROM groups WHERE id = ?');
+    $q = $db->prepare('SELECT name FROM groups WHERE id = ?');
     $q->bindValue(1, $id, SQLITE3_INTEGER);
     $r = $q->execute();
     $ret = $r->fetchArray(SQLITE3_NUM);
@@ -142,12 +142,36 @@ function add_group_member($id,$user) {
     $q->bindValue(1, $id, SQLITE3_INTEGER);
     $q->bindValue(2, $userid, SQLITE3_INTEGER);
     $ret = $q->execute();
-    $db->close();
 
     if($ret) {
         writelog("Added user $user to group " . get_group_name($id) . ".");
+        return $db->lastInsertRowID();
     } else {
         writelog("Failed to add user $user to group " . get_group_name($id) . ".");
+        return null;
+    }
+}
+
+function remove_group_member($id) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT groups.name,users.emailaddress FROM groupmembers,users,groups WHERE groupmembers.id=? AND groupmembers.user=users.id AND groupmembers."group"=groups.id');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $r = $q->execute();
+    $ret = $r->fetchArray(SQLITE3_NUM);
+    $group=$ret[0];
+    $user=$ret[1];
+    $q->close();
+
+    $q = $db->prepare('DELETE FROM groupmembers WHERE id=?');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $ret = $q->execute();
+    $db->close();
+
+    if($ret) {
+        writelog("Removed user $user from group $group.");
+    } else {
+        writelog("Failed to remove user $user from group $group.");
     }
     return $ret;
 }
diff --git a/index.php b/index.php
index 072c9d0..ef52888 100644
--- a/index.php
+++ b/index.php
@@ -1069,9 +1069,14 @@ $(document).ready(function () {
                         $('#Groups').jtable('openChildTable',
                         $img.closest('tr'), {
                             title: 'Members of ' + data.record.name,
+                            messages: {
+                                addNewRecord: 'Add group member',
+                                deleteConfirmation: 'This user will be removed from the group. Are you sure?'
+                            },
                             actions: {
                                 listAction: 'groups.php?action=listmembers&groupid=' + data.record.id,
-                                createAction: 'groups.php?action=addmember&groupid=' + data.record.id
+                                createAction: 'groups.php?action=addmember&groupid=' + data.record.id,
+                                deleteAction: 'groups.php?action=removemember&groupid=' + data.record.id
                             },
                             fields: {
                                 id: {

From c1598fc99ac432135b04594cfab42ba1e8103f99 Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Tue, 4 Oct 2016 10:09:57 +0100
Subject: [PATCH 06/20] Fixed column widths

---
 index.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/index.php b/index.php
index ef52888..31f328f 100644
--- a/index.php
+++ b/index.php
@@ -1049,11 +1049,13 @@ $(document).ready(function () {
                 type: 'hidden'
             },
             name: {
+                width: '25%',
                 title: 'Group name',
                 display: displayContent('name'),
                 edit: true
             },
             desc: {
+                width: '70%',
                 title: 'Description',
                 display: displayContent('desc')
             },

From 2b5e7ea5f64b08c7da646f9c9b1c0be02d023c97 Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Wed, 4 Jan 2017 09:30:58 +0000
Subject: [PATCH 07/20] Uncomitted changes prior to merge. Permissions ...

---
 includes/config.inc.php-dist |  6 +++
 index.php                    | 69 ++++++++++++++++++++++++++++++
 permissions.php              | 83 ++++++++++++++++++++++++++++++++++++
 3 files changed, 158 insertions(+)
 create mode 100644 permissions.php

diff --git a/includes/config.inc.php-dist b/includes/config.inc.php-dist
index bc00616..4b1ff16 100644
--- a/includes/config.inc.php-dist
+++ b/includes/config.inc.php-dist
@@ -10,6 +10,12 @@ $logging = TRUE;
 $allowclearlogs = TRUE;  # Allow clearing of log entries
 $allowrotatelogs = FALSE;# Allow rotation to text file on server
 
+$restrictediting = TRUE; # Restrict editing of record types
+$restrictedtypes = array( 
+    'SOA' => 1,
+    'NS' => 1
+);
+
 # Log directory - if allowrotatelogs is set, this is where the logs will
 # be written. It must be writeable by the web server user.
 $logsdirectory = "../etc";
diff --git a/index.php b/index.php
index 31f328f..593ce29 100644
--- a/index.php
+++ b/index.php
@@ -796,6 +796,75 @@ $(document).ready(function () {
                 inputClass: 'serial',
                 listClass: 'serial'
             },
+            permissions: {
+                title: 'Permissions',
+                width: '10%',
+                create: false,
+                edit: false,
+                display: function(data) {
+                    var $img = $('<img class="list" src="img/list.png" title="Permissions" />');
+                    $img.click(function () {
+                        $('#SlaveZones').jtable('openChildTable',
+                            $img.closest('tr'), {
+                                title: 'Permissions for ' + data.record.name,
+                                openChildAsAccordion: true,
+                                actions: {
+                                    listAction: 'permissions.php?action=list&zoneid=' + data.record.id,
+                                    createAction: 'permissions.php?action=add&zoneid=' + data.record.id,
+                                    deleteAction: 'permissions.php?action=remove&zoneid=' + data.record.id
+                                },
+                                fields: {
+                                    id: {
+                                        key: true,
+                                        type: 'hidden'
+                                    },
+                                    type: {
+                                        title: 'Type',
+                                        inputClass: "permissionstype",
+                                        options: {
+                                            'user': 'User',
+                                            'group': 'Group'
+                                        },
+                                        create: true,
+                                        edit: false
+                                    },
+                                    value: {
+                                        title: 'Name',
+                                        inputClass: "usergrouplist",
+                                        display: displayContent('value')
+                                    },
+                                    permissions: {
+                                        title: 'Permissions',
+                                        options: {
+                                            '1' : 'View Only',
+<?php if($restrictediting) { ?>
+                                            '3' : 'Update normal records',
+                                            '7' : 'Update all records',
+<?php } else { ?>
+                                            '7' : 'Update',
+<?php } ?>
+                                            '15' : 'Admin'
+                                        }
+                                    }
+                                },
+                                formCreated: function(event, dat) {
+                                    $( ".usergrouplist" ).autocomplete({
+                                        source: "users.php?action=autocomplete&zoneid=" + data.record.id + "&type=" + $( ".permissionstype" ).val()
+                                    });
+                                    $( ".permissionstype" ).change(function() {
+                                      $( ".usergrouplist" ).val("");
+                                      $( ".usergrouplist" ).autocomplete({
+                                          source: "users.php?action=autocomplete&type=" + $( ".permissionstype" ).val()
+                                      });
+                                    });
+                                }
+                            }, function (data) {
+                                data.childTable.jtable('load');
+                            })
+                    });
+                    return $img;
+                }
+            },
             exportzone: {
                 title: '',
                 width: '1%',
diff --git a/permissions.php b/permissions.php
new file mode 100644
index 0000000..713e465
--- /dev/null
+++ b/permissions.php
@@ -0,0 +1,83 @@
+<?php
+
+include_once('includes/config.inc.php');
+include_once('includes/session.inc.php');
+include_once('includes/misc.inc.php');
+
+if (!is_csrf_safe()) {
+    header('Status: 403');
+    header('Location: ./index.php');
+    jtable_respond(null, 'error', "Authentication required");
+}
+
+$zoneid = isset($_GET['zoneid']) ? intval($_GET['zoneid']) : '';
+
+if (!is_adminuser()) {
+    header('Status: 403');
+    jtable_respond(null, 'error', "You need adminprivileges to get here");
+}
+
+if (!isset($_GET['action'])) {
+    header('Status: 400');
+    jtable_respond(null, 'error', 'No action given');
+}
+
+switch ($_GET['action']) {
+
+case "list":
+
+    if ($zoneid != '') {
+        $permissions = get_zone_permissions($zoneid);
+        jtable_respond($permissions);
+    } else {
+        jtable_respond(null, 'error', 'Could not list zone permissions');
+    }
+    break;
+
+case "add":
+    $type = isset($_POST['type']) ? $_POST['type'] : '';
+    $value = isset($_POST['value']) ? $_POST['value'] : '';
+    $permissons = isset($_POST['permissions']) ? $_POST['permissions'] : '';
+
+    if ($zoneid != '') {
+        if (user_exists($user)) {
+            if(is_group_member($groupid,$user)) {
+                jtable_respond(null, 'error', "User already a member of the group");
+            } elseif(!is_null($id=add_group_member($groupid,$user))) {
+                $entry = array('id' => $id,'user' => $user);
+                jtable_respond($entry, 'single');
+            } else {
+                jtable_respond(null, 'error', "Failed to add user to group");
+            }
+        } else {
+            jtable_respond(null, 'error', "User doesn't exist");
+        }
+    } else {
+        jtable_respond(null, 'error', 'Zone not specified');
+    }
+    break;
+
+case "remove":
+
+    if ($id != '') {
+        if(remove_group_member($id)) {
+            jtable_respond(null, 'delete');
+        } else {
+            jtable_respond(null, 'error', "Failed to delete user from group");
+        }
+    } else {
+        jtable_respond(null, 'error', 'ID not specified');
+    }
+    break;
+
+case "autocomplete":
+    $term = isset($_GET['type']) ? $_GET['type'] : '';
+    $term = isset($_GET['term']) ? $_GET['term'] : '';
+    $users=get_usernames_filtered($term);
+    print json_encode($users);
+    break;
+
+default:
+    jtable_respond(null, 'error', 'Invalid action');
+    break;
+}

From f2377913f04ff54e775160d8ca055ef069531677 Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Wed, 4 Jan 2017 11:45:01 +0000
Subject: [PATCH 08/20] Changed database schema for groups & permissions.
 Implemented versioning.

---
 includes/database.inc.php | 61 +++++++++++++++++++++++++++++++++++++++
 includes/misc.inc.php     | 32 +++++---------------
 includes/scheme.sql       | 36 +++++++++++++++++++++++
 includes/upgrade-0-1.sql  |  5 ++++
 includes/upgrade-1-2.sql  | 29 +++++++++++++++++++
 5 files changed, 138 insertions(+), 25 deletions(-)
 create mode 100644 includes/database.inc.php
 create mode 100644 includes/upgrade-0-1.sql
 create mode 100644 includes/upgrade-1-2.sql

diff --git a/includes/database.inc.php b/includes/database.inc.php
new file mode 100644
index 0000000..68a6be1
--- /dev/null
+++ b/includes/database.inc.php
@@ -0,0 +1,61 @@
+<?php
+
+// matches version in scheme.sql
+
+$db_version=2;
+
+// Initialise a new DB with latest version
+
+function init_db() {
+    global $authdb, $db;
+
+    is_dir(dirname($authdb)) || mkdir(dirname($authdb));
+    $db = new SQLite3($authdb, SQLITE3_OPEN_CREATE|SQLITE3_OPEN_READWRITE);
+    $createsql = file_get_contents('includes/scheme.sql');
+    $db->exec($createsql);
+    $salt = bin2hex(openssl_random_pseudo_bytes(16));
+    $db->exec("INSERT INTO users (emailaddress, password, isadmin) VALUES ('admin', '".crypt("admin", '$6$'.$salt)."', 1)");
+
+    return $db;
+}
+
+function open_db() {
+    global $authdb, $db;
+
+    if (!isset($db)) {
+        $db = new SQLite3($authdb, SQLITE3_OPEN_READWRITE);
+        $db->exec('PRAGMA foreign_keys = 1');
+    }
+
+    $version = intval($db->querySingle('SELECT value FROM metadata WHERE name = "version"'));
+
+    switch($version) {
+      case 0:
+        $sql = file_get_contents('includes/upgrade-0-1.sql');
+        $db->exec($sql);
+        writelog("Upgraded schema to version 1","system");
+        // continue
+      case 1: // never existed
+        $sql = file_get_contents('includes/upgrade-1-2.sql');
+        $db->exec($sql);
+        writelog("Upgraded schema to version 2","system");
+        // continue
+      case $db_version:
+        break;
+    }
+
+    return $db;
+}
+
+function get_db() {
+    global $authdb, $db;
+
+    if (!isset($db)) {
+        $db = new SQLite3($authdb, SQLITE3_OPEN_READWRITE);
+        $db->exec('PRAGMA foreign_keys = 1');
+    }
+
+    return $db;
+}
+
+?>
diff --git a/includes/misc.inc.php b/includes/misc.inc.php
index 9046647..30d0d24 100644
--- a/includes/misc.inc.php
+++ b/includes/misc.inc.php
@@ -1,6 +1,7 @@
 <?php
 
 include_once('config.inc.php');
+include_once('database.inc.php');
 
 $blocklogin = FALSE;
 
@@ -59,13 +60,12 @@ if (function_exists('openssl_random_pseudo_bytes') === FALSE) {
 
 $defaults['defaulttype'] = ucfirst(strtolower($defaults['defaulttype']));
 
-if (isset($authdb) && !file_exists($authdb) && class_exists('SQLite3')) {
-    is_dir(dirname($authdb)) || mkdir(dirname($authdb));
-    $db = new SQLite3($authdb, SQLITE3_OPEN_CREATE|SQLITE3_OPEN_READWRITE);
-    $createsql = file_get_contents('includes/scheme.sql');
-    $db->exec($createsql);
-    $salt = bin2hex(openssl_random_pseudo_bytes(16));
-    $db->exec("INSERT INTO users (emailaddress, password, isadmin) VALUES ('admin', '".crypt("admin", '$6$'.$salt)."', 1)");
+if(class_exists('SQLite3')) {
+    if (isset($authdb) && !file_exists($authdb)) {
+        init_db();
+    } else {
+        open_db();
+    }
 }
 
 function string_starts_with($string, $prefix)
@@ -84,17 +84,6 @@ function string_ends_with($string, $suffix)
     return (substr($string, -$length) === $suffix);
 }
 
-function get_db() {
-    global $authdb, $db;
-
-    if (!isset($db)) {
-        $db = new SQLite3($authdb, SQLITE3_OPEN_READWRITE);
-        $db->exec('PRAGMA foreign_keys = 1');
-    }
-
-    return $db;
-}
-
 function get_all_users() {
     $db = get_db();
     $r = $db->query('SELECT id, emailaddress, isadmin FROM users ORDER BY emailaddress');
@@ -379,13 +368,6 @@ function writelog($line, $user=False) {
 
     try {
         $db = get_db();
-        $q = $db->prepare('CREATE TABLE IF NOT EXISTS logs (
-            id INTEGER PRIMARY KEY,
-            user TEXT NOT NULL,
-            log TEXT NOT NULL,
-            timestamp DATETIME DEFAULT CURRENT_TIMESTAMP);');
-        $ret = $q->execute();
-
         $q = $db->prepare('INSERT INTO logs (user, log) VALUES (:user, :log)');
         $q->bindValue(':user', $user, SQLITE3_TEXT);
         $q->bindValue(':log', $line, SQLITE3_TEXT);
diff --git a/includes/scheme.sql b/includes/scheme.sql
index 9bdbd56..78c5a1b 100644
--- a/includes/scheme.sql
+++ b/includes/scheme.sql
@@ -12,3 +12,39 @@ CREATE TABLE zones (
     owner INTEGER NOT NULL,
     UNIQUE(zone),
     FOREIGN KEY(owner) REFERENCES users(id) ON DELETE CASCADE ON UPDATE CASCADE );
+
+CREATE TABLE logs (
+    id INTEGER PRIMARY KEY,
+    user TEXT NOT NULL,
+    log TEXT NOT NULL,
+    timestamp DATETIME DEFAULT CURRENT_TIMESTAMP);
+
+CREATE TABLE groups (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    name VARCHAR UNIQUE NOT NULL,
+    desc VARCHAR);
+
+CREATE TABLE groupmembers (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    "group" INTEGER NOT NULL,
+    user INTEGER NOT NULL,
+    UNIQUE("group",user),
+    FOREIGN KEY("group") REFERENCES groups(id) ON DELETE CASCADE,
+    FOREIGN KEY(user) REFERENCES users(id) ON DELETE CASCADE);
+
+CREATE TABLE permissions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    zone INTEGER NOT NULL,
+    user INTEGER,
+    "group" INTEGER,
+    permissions INTEGER,
+    UNIQUE(zone,user,"group"),
+    FOREIGN KEY(zone) REFERENCES zones(id) ON DELETE CASCADE,
+    FOREIGN KEY(user) REFERENCES users(id) ON DELETE CASCADE,
+    FOREIGN KEY("group") REFERENCES groups(id) ON DELETE CASCADE);
+
+CREATE TABLE metadata (
+    name VARCHAR PRIMARY KEY,
+    value VARCHAR NOT NULL);
+
+INSERT INTO metadata (name, value) VALUES ("version","2");
diff --git a/includes/upgrade-0-1.sql b/includes/upgrade-0-1.sql
new file mode 100644
index 0000000..56796e0
--- /dev/null
+++ b/includes/upgrade-0-1.sql
@@ -0,0 +1,5 @@
+CREATE TABLE IF NOT EXISTS logs (
+    id INTEGER PRIMARY KEY,
+    user TEXT NOT NULL,
+    log TEXT NOT NULL,
+    timestamp DATETIME DEFAULT CURRENT_TIMESTAMP);
diff --git a/includes/upgrade-1-2.sql b/includes/upgrade-1-2.sql
new file mode 100644
index 0000000..f884fc2
--- /dev/null
+++ b/includes/upgrade-1-2.sql
@@ -0,0 +1,29 @@
+CREATE TABLE groups (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    name VARCHAR UNIQUE NOT NULL,
+    desc VARCHAR);
+
+CREATE TABLE groupmembers (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    "group" INTEGER NOT NULL,
+    user INTEGER NOT NULL,
+    UNIQUE("group",user),
+    FOREIGN KEY("group") REFERENCES groups(id) ON DELETE CASCADE,
+    FOREIGN KEY(user) REFERENCES users(id) ON DELETE CASCADE);
+
+CREATE TABLE permissions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    zone INTEGER NOT NULL,
+    user INTEGER,
+    "group" INTEGER,
+    permissions INTEGER,
+    UNIQUE(zone,user,"group"),
+    FOREIGN KEY(zone) REFERENCES zones(id) ON DELETE CASCADE,
+    FOREIGN KEY(user) REFERENCES users(id) ON DELETE CASCADE,
+    FOREIGN KEY("group") REFERENCES groups(id) ON DELETE CASCADE);
+
+CREATE TABLE metadata (
+    name VARCHAR PRIMARY KEY,
+    value VARCHAR NOT NULL);
+
+INSERT INTO metadata (name, value) VALUES ("version","2");

From e9b6a49e5af3a866577c577db715ebed67532caa Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Wed, 4 Jan 2017 11:57:50 +0000
Subject: [PATCH 09/20] Missing global

---
 includes/database.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/database.inc.php b/includes/database.inc.php
index 68a6be1..a348c45 100644
--- a/includes/database.inc.php
+++ b/includes/database.inc.php
@@ -20,7 +20,7 @@ function init_db() {
 }
 
 function open_db() {
-    global $authdb, $db;
+    global $authdb, $db, $db_version;
 
     if (!isset($db)) {
         $db = new SQLite3($authdb, SQLITE3_OPEN_READWRITE);

From f978e784d5d87390f7f766235bf198efea034f76 Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Wed, 4 Jan 2017 12:07:53 +0000
Subject: [PATCH 10/20] Fixed issues as db can't be closed now.

---
 includes/database.inc.php | 3 +--
 includes/groups.inc.php   | 6 ------
 includes/misc.inc.php     | 1 -
 3 files changed, 1 insertion(+), 9 deletions(-)

diff --git a/includes/database.inc.php b/includes/database.inc.php
index a348c45..cfb9ff3 100644
--- a/includes/database.inc.php
+++ b/includes/database.inc.php
@@ -51,8 +51,7 @@ function get_db() {
     global $authdb, $db;
 
     if (!isset($db)) {
-        $db = new SQLite3($authdb, SQLITE3_OPEN_READWRITE);
-        $db->exec('PRAGMA foreign_keys = 1');
+        open_db();
     }
 
     return $db;
diff --git a/includes/groups.inc.php b/includes/groups.inc.php
index 597ab3f..a62a743 100644
--- a/includes/groups.inc.php
+++ b/includes/groups.inc.php
@@ -17,7 +17,6 @@ function get_group_info($name) {
     $q->bindValue(1, $name);
     $result = $q->execute();
     $groupinfo = $result->fetchArray(SQLITE3_ASSOC);
-    $db->close();
 
     return $groupinfo;
 }
@@ -28,7 +27,6 @@ function get_group_name($id) {
     $q->bindValue(1, $id, SQLITE3_INTEGER);
     $r = $q->execute();
     $ret = $r->fetchArray(SQLITE3_NUM);
-    $db->close();
 
     return $ret[0];
 }
@@ -43,7 +41,6 @@ function add_group($name, $desc) {
     $q->bindValue(1, $name, SQLITE3_TEXT);
     $q->bindValue(2, $desc, SQLITE3_TEXT);
     $ret = $q->execute();
-    $db->close();
 
     writelog("Added group $name ($desc).");
     return $ret;
@@ -65,7 +62,6 @@ function update_group($id, $name, $desc) {
     $q->bindValue(3, $id, SQLITE3_INTEGER);
     writelog("Updating group $oldname to: $name ($desc) ");
     $ret = $q->execute();
-    $db->close();
 
     return $ret;
 }
@@ -83,7 +79,6 @@ function delete_group($id) {
         $q = $db->prepare('DELETE FROM groups WHERE id = ?');
         $q->bindValue(1, $id, SQLITE3_INTEGER);
         $ret = $q->execute();
-        $db->close();
 
         writelog("Deleted group " . $groupinfo['name'] . ".");
         return $ret;
@@ -166,7 +161,6 @@ function remove_group_member($id) {
     $q = $db->prepare('DELETE FROM groupmembers WHERE id=?');
     $q->bindValue(1, $id, SQLITE3_INTEGER);
     $ret = $q->execute();
-    $db->close();
 
     if($ret) {
         writelog("Removed user $user from group $group.");
diff --git a/includes/misc.inc.php b/includes/misc.inc.php
index 30d0d24..2e9d374 100644
--- a/includes/misc.inc.php
+++ b/includes/misc.inc.php
@@ -110,7 +110,6 @@ function get_usernames_filtered($term, $num = 10) {
     while ($row = $r->fetchArray(SQLITE3_NUM)) {
         array_push($ret, $row[0]);
     }
-    $db->close();
 
     return $ret;
 }

From 4eb40af5b7ddd4c841767a15d9208b467f27339a Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Wed, 4 Jan 2017 14:22:50 +0000
Subject: [PATCH 11/20] Moved things around in index.php so that the selection
 for records doesn't stop the permissions list from working.

---
 index.php | 403 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 207 insertions(+), 196 deletions(-)

diff --git a/index.php b/index.php
index e92e763..1df3400 100644
--- a/index.php
+++ b/index.php
@@ -513,199 +513,6 @@ $(document).ready(function () {
                 ],
         },
         sorting: false,
-        selecting: true,
-        selectOnRowClick: true,
-        selectionChanged: function (data) {
-            var $selectedRows = $('#MasterZones').jtable('selectedRows');
-            $selectedRows.each(function () {
-                var zone = $(this).data('record');
-                $('#MasterZones').jtable('openChildTable',
-                    $(this).closest('tr'), {
-                        title: 'Records in ' + zone.name,
-                        messages: {
-                            addNewRecord: 'Add to ' + zone.name,
-                            noDataAvailable: 'No records for ' + zone.name
-                        },
-                        toolbar: {
-                            items: [
-                                {
-                                    text: 'Search zone',
-                                    click: function() {
-                                        $("#searchzone").dialog({
-                                            modal: true,
-                                            title: "Search zone for ...",
-                                            width: 'auto',
-                                            buttons: {
-                                                Search: function() {
-                                                    $( this ).dialog( 'close' );
-                                                    opentable.find('.jtable-title-text').text(opentableTitle + " (filtered)");
-                                                    opentable.jtable('load', {
-                                                        label: $('#searchzone-label').val(),
-                                                        type: $('#searchzone-type').val(),
-                                                        content: $('#searchzone-content').val()
-                                                    });
-                                                },
-                                                Reset: function() {
-                                                    $('#searchzone-label').val('');
-                                                    $('#searchzone-type').val('');
-                                                    $('#searchzone-content').val('');
-                                                    $( this ).dialog( 'close' );
-                                                    opentable.find('.jtable-title-text').text(opentableTitle);
-                                                    opentable.jtable('load');
-                                                    return false;
-                                                }
-                                            }
-                                        });
-                                    }
-                                }
-                            ],
-                        },
-                        paging: true,
-                        sorting: true,
-                        pageSize: 20,
-                        openChildAsAccordion: true,
-                        actions: {
-                            listAction: 'zones.php?action=listrecords&zoneid=' + zone.id,
-                            createAction: 'zones.php?action=createrecord&zoneid=' + zone.id,
-                            deleteAction: 'zones.php?action=deleterecord&zoneid=' + zone.id,
-                            updateAction: 'zones.php?action=editrecord&zoneid=' + zone.id
-                        },
-                        fields: {
-                            domid: {
-                                create: true,
-                                type: 'hidden',
-                                defaultValue: zone.id
-                            },
-                            id: {
-                                key: true,
-                                type: 'hidden',
-                                create: false,
-                                edit: false,
-                                list: false
-                            },
-                            domain: {
-                                create: true,
-                                type: 'hidden',
-                                defaultValue: zone.name
-                            },
-                            name: {
-                                title: 'Label',
-                                width: '7%',
-                                sorting: true,
-                                create: true,
-                                display: displayContent('name', zone.name),
-                                inputClass: 'name',
-                                listClass: 'name'
-                            },
-                            type: {
-                                title: 'Type',
-                                width: '2%',
-                                options: function() {
-                                    zonename = new String(zone.name);
-                                    if (zonename.match(/(\.in-addr|\.ip6)\.arpa/)) {
-                                        return {
-                                            'PTR': 'PTR',
-                                            'NS': 'NS',
-                                            'MX': 'MX',
-                                            'TXT': 'TXT',
-                                            'SOA': 'SOA',
-                                            'A': 'A',
-                                            'AAAA': 'AAAA',
-                                            'CERT': 'CERT',
-                                            'CNAME': 'CNAME',
-                                            'LOC': 'LOC',
-                                            'NAPTR': 'NAPTR',
-                                            'SPF': 'SPF',
-                                            'SRV': 'SRV',
-                                            'SSHFP': 'SSHFP',
-                                            'TLSA': 'TLSA',
-                                            'DNAME': 'DNAME',
-                                            'DS': 'DS'
-                                        };
-                                    }
-                                    return {
-                                        'A': 'A',
-                                        'AAAA': 'AAAA',
-                                        'CERT': 'CERT',
-                                        'CNAME': 'CNAME',
-                                        'DNAME': 'DNAME',
-                                        'DS': 'DS',
-                                        'LOC': 'LOC',
-                                        'MX': 'MX',
-                                        'NAPTR': 'NAPTR',
-                                        'NS': 'NS',
-                                        'PTR': 'PTR',
-                                        'SOA': 'SOA',
-                                        'SPF': 'SPF',
-                                        'SRV': 'SRV',
-                                        'SSHFP': 'SSHFP',
-                                        'TLSA': 'TLSA',
-                                        'TXT': 'TXT',
-                                    };
-                                },
-                                display: displayContent('type'),
-                                create: true,
-                                inputClass: 'type',
-                                listClass: 'type'
-                            },
-                            content: {
-                                title: 'Content',
-                                width: '30%',
-                                create: true,
-                                sorting: true,
-                                display: displayContent('content'),
-                                inputClass: 'content',
-                                listClass: 'content'
-                            },
-                            ttl: {
-                                title: 'TTL',
-                                width: '2%',
-                                create: true,
-                                sorting: false,
-                                display: displayContent('ttl'),
-                                defaultValue: '<?php echo $defaults['ttl']; ?>',
-                                inputClass: 'ttl',
-                                listClass: 'ttl'
-                            },
-                            setptr: {
-                                title: 'Set PTR Record',
-                                width: '2%',
-                                list: false,
-                                create: true,
-                                defaultValue: 'false',
-                                inputClass: 'setptr',
-                                listClass: 'setptr',
-                                options: function() {
-                                    return {
-                                        '0': 'No',
-                                        '1': 'Yes',
-                                    };
-                                },
-                            },
-                            disabled: {
-                                title: 'Disabled',
-                                width: '2%',
-                                create: true,
-                                sorting: false,
-                                display: displayContent('disabled'),
-                                defaultValue: '<?php echo $defaults['disabled'] ? 'No' : 'Yes'; ?>',
-                                inputClass: 'disabled',
-                                listClass: 'disabled',
-                                options: function() {
-                                    return {
-                                        '0': 'No',
-                                        '1': 'Yes',
-                                    };
-                                },
-                            },
-                        }
-                    }, function (data) {
-                        opentable=data.childTable;
-                        opentableTitle=opentable.find('.jtable-title-text').text();
-                        data.childTable.jtable('load');
-                    });
-            });
-        },
         openChildAsAccordion: true,
         actions: {
             listAction: 'zones.php?action=list',
@@ -800,6 +607,207 @@ $(document).ready(function () {
                 inputClass: 'serial',
                 listClass: 'serial'
             },
+            records: {
+                title: 'Records',
+                width: '10%',
+                paging: true,
+                pageSize: 20,
+                create: false,
+                edit: false,
+                display: function(data) {
+                    var $img = $('<img class="list" src="img/list.png" title="Records" />');
+                    $img.click(function () {
+                    var zone = data.record;
+                    $('#MasterZones').jtable('openChildTable',
+                        $(this).closest('tr'), {
+                            title: 'Records in ' + zone.name,
+                            messages: {
+                                addNewRecord: 'Add to ' + zone.name,
+                                noDataAvailable: 'No records for ' + zone.name
+                            },
+                            toolbar: {
+                                items: [
+                                    {
+                                        text: 'Search zone',
+                                        click: function() {
+                                            $("#searchzone").dialog({
+                                                modal: true,
+                                                title: "Search zone for ...",
+                                                width: 'auto',
+                                                buttons: {
+                                                    Search: function() {
+                                                        $( this ).dialog( 'close' );
+                                                        opentable.find('.jtable-title-text').text(opentableTitle + " (filtered)");
+                                                        opentable.jtable('load', {
+                                                            label: $('#searchzone-label').val(),
+                                                            type: $('#searchzone-type').val(),
+                                                            content: $('#searchzone-content').val()
+                                                        });
+                                                    },
+                                                    Reset: function() {
+                                                        $('#searchzone-label').val('');
+                                                        $('#searchzone-type').val('');
+                                                        $('#searchzone-content').val('');
+                                                        $( this ).dialog( 'close' );
+                                                        opentable.find('.jtable-title-text').text(opentableTitle);
+                                                        opentable.jtable('load');
+                                                        return false;
+                                                    }
+                                                }
+                                            });
+                                        }
+                                    }
+                                ],
+                            },
+                            paging: true,
+                            sorting: true,
+                            pageSize: 20,
+                            openChildAsAccordion: true,
+                            actions: {
+                                listAction: 'zones.php?action=listrecords&zoneid=' + zone.id,
+                                createAction: 'zones.php?action=createrecord&zoneid=' + zone.id,
+                                deleteAction: 'zones.php?action=deleterecord&zoneid=' + zone.id,
+                                updateAction: 'zones.php?action=editrecord&zoneid=' + zone.id
+                            },
+                            fields: {
+                                domid: {
+                                    create: true,
+                                    type: 'hidden',
+                                    defaultValue: zone.id
+                                },
+                                id: {
+                                    key: true,
+                                    type: 'hidden',
+                                    create: false,
+                                    edit: false,
+                                    list: false
+                                },
+                                domain: {
+                                    create: true,
+                                    type: 'hidden',
+                                    defaultValue: zone.name
+                                },
+                                name: {
+                                    title: 'Label',
+                                    width: '7%',
+                                    sorting: true,
+                                    create: true,
+                                    display: displayContent('name', zone.name),
+                                    inputClass: 'name',
+                                    listClass: 'name'
+                                },
+                                type: {
+                                    title: 'Type',
+                                    width: '2%',
+                                    options: function() {
+                                        zonename = new String(zone.name);
+                                        if (zonename.match(/(\.in-addr|\.ip6)\.arpa/)) {
+                                            return {
+                                                'PTR': 'PTR',
+                                                'NS': 'NS',
+                                                'MX': 'MX',
+                                                'TXT': 'TXT',
+                                                'SOA': 'SOA',
+                                                'A': 'A',
+                                                'AAAA': 'AAAA',
+                                                'CERT': 'CERT',
+                                                'CNAME': 'CNAME',
+                                                'LOC': 'LOC',
+                                                'NAPTR': 'NAPTR',
+                                                'SPF': 'SPF',
+                                                'SRV': 'SRV',
+                                                'SSHFP': 'SSHFP',
+                                                'TLSA': 'TLSA',
+                                                'DNAME': 'DNAME',
+                                                'DS': 'DS'
+                                            };
+                                        }
+                                        return {
+                                            'A': 'A',
+                                            'AAAA': 'AAAA',
+                                            'CERT': 'CERT',
+                                            'CNAME': 'CNAME',
+                                            'DNAME': 'DNAME',
+                                            'DS': 'DS',
+                                            'LOC': 'LOC',
+                                            'MX': 'MX',
+                                            'NAPTR': 'NAPTR',
+                                            'NS': 'NS',
+                                            'PTR': 'PTR',
+                                            'SOA': 'SOA',
+                                            'SPF': 'SPF',
+                                            'SRV': 'SRV',
+                                            'SSHFP': 'SSHFP',
+                                            'TLSA': 'TLSA',
+                                            'TXT': 'TXT',
+                                        };
+                                    },
+                                    display: displayContent('type'),
+                                    create: true,
+                                    inputClass: 'type',
+                                    listClass: 'type'
+                                },
+                                content: {
+                                    title: 'Content',
+                                    width: '30%',
+                                    create: true,
+                                    sorting: true,
+                                    display: displayContent('content'),
+                                    inputClass: 'content',
+                                    listClass: 'content'
+                                },
+                                ttl: {
+                                    title: 'TTL',
+                                    width: '2%',
+                                    create: true,
+                                    sorting: false,
+                                    display: displayContent('ttl'),
+                                    defaultValue: '<?php echo $defaults['ttl']; ?>',
+                                    inputClass: 'ttl',
+                                    listClass: 'ttl'
+                                },
+                                setptr: {
+                                    title: 'Set PTR Record',
+                                    width: '2%',
+                                    list: false,
+                                    create: true,
+                                    defaultValue: 'false',
+                                    inputClass: 'setptr',
+                                    listClass: 'setptr',
+                                    options: function() {
+                                        return {
+                                            '0': 'No',
+                                            '1': 'Yes',
+                                        };
+                                    },
+                                },
+                                disabled: {
+                                    title: 'Disabled',
+                                    width: '2%',
+                                    create: true,
+                                    sorting: false,
+                                    display: displayContent('disabled'),
+                                    defaultValue: '<?php echo $defaults['disabled'] ? 'No' : 'Yes'; ?>',
+                                    inputClass: 'disabled',
+                                    listClass: 'disabled',
+                                    options: function() {
+                                        return {
+                                            '0': 'No',
+                                            '1': 'Yes',
+                                        };
+                                    },
+                                },
+                            }
+                        }, function (data) {
+                            opentable=data.childTable;
+                            opentableTitle=opentable.find('.jtable-title-text').text();
+                            data.childTable.jtable('load');
+                        });
+    
+                    });
+                    return $img;
+                }
+            },
             permissions: {
                 title: 'Permissions',
                 width: '10%',
@@ -815,6 +823,7 @@ $(document).ready(function () {
                                 actions: {
                                     listAction: 'permissions.php?action=list&zoneid=' + data.record.id,
                                     createAction: 'permissions.php?action=add&zoneid=' + data.record.id,
+                                    updateAction: 'permissions.php?action=update&zoneid=' + data.record.id,
                                     deleteAction: 'permissions.php?action=remove&zoneid=' + data.record.id
                                 },
                                 fields: {
@@ -835,7 +844,9 @@ $(document).ready(function () {
                                     value: {
                                         title: 'Name',
                                         inputClass: "usergrouplist",
-                                        display: displayContent('value')
+                                        display: displayContent('value'),
+                                        create: true,
+                                        edit: false
                                     },
                                     permissions: {
                                         title: 'Permissions',
@@ -853,12 +864,12 @@ $(document).ready(function () {
                                 },
                                 formCreated: function(event, dat) {
                                     $( ".usergrouplist" ).autocomplete({
-                                        source: "users.php?action=autocomplete&zoneid=" + data.record.id + "&type=" + $( ".permissionstype" ).val()
+                                        source: "permissions.php?action=autocomplete&type=" + $( ".permissionstype" ).val()
                                     });
                                     $( ".permissionstype" ).change(function() {
                                       $( ".usergrouplist" ).val("");
                                       $( ".usergrouplist" ).autocomplete({
-                                          source: "users.php?action=autocomplete&type=" + $( ".permissionstype" ).val()
+                                          source: "permissions.php?action=autocomplete&type=" + $( ".permissionstype" ).val()
                                       });
                                     });
                                 }

From 6033bc12aaa5ff592a7a1fa4d14d35842bb40f16 Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Fri, 6 Jan 2017 13:59:44 +0000
Subject: [PATCH 12/20] Admin side of permissions done, still need to be
 enforced.

---
 includes/groups.inc.php      |  15 ++-
 includes/misc.inc.php        |  15 +++
 includes/permissions.inc.php | 233 +++++++++++++++++++++++++++++++++++
 index.php                    |   9 +-
 permissions.php              |  71 ++++++++---
 5 files changed, 322 insertions(+), 21 deletions(-)
 create mode 100644 includes/permissions.inc.php

diff --git a/includes/groups.inc.php b/includes/groups.inc.php
index a62a743..5c02e52 100644
--- a/includes/groups.inc.php
+++ b/includes/groups.inc.php
@@ -28,7 +28,11 @@ function get_group_name($id) {
     $r = $q->execute();
     $ret = $r->fetchArray(SQLITE3_NUM);
 
-    return $ret[0];
+    if($ret) {
+        return $ret[0];
+    } else {
+        return null;
+    }
 }
 
 function group_exists($name) {
@@ -117,6 +121,15 @@ function get_user_id($user) {
     }
 }
 
+function get_group_id($group) {
+    $info=get_group_info($group);
+    if($info) {
+        return $info['id'];
+    } else {
+        return null;
+    }
+}
+
 function is_group_member($id,$user) {
     $db = get_db();
 
diff --git a/includes/misc.inc.php b/includes/misc.inc.php
index 2e9d374..b8071fb 100644
--- a/includes/misc.inc.php
+++ b/includes/misc.inc.php
@@ -114,6 +114,21 @@ function get_usernames_filtered($term, $num = 10) {
     return $ret;
 }
 
+function get_groups_filtered($term, $num = 10) {
+    $db = get_db();
+    $q = $db->prepare("SELECT name FROM groups WHERE name LIKE ? ORDER BY name LIMIT 0, ?");
+    $q->bindValue(1, "%" . $term . "%", SQLITE3_TEXT);
+    $q->bindValue(2, $num, SQLITE3_INTEGER);
+    $r = $q->execute();
+
+    $ret = array();
+    while ($row = $r->fetchArray(SQLITE3_NUM)) {
+        array_push($ret, $row[0]);
+    }
+
+    return $ret;
+}
+
 function get_user_info($u) {
     $db = get_db();
     $q = $db->prepare('SELECT * FROM users WHERE emailaddress = ?');
diff --git a/includes/permissions.inc.php b/includes/permissions.inc.php
new file mode 100644
index 0000000..a0a7726
--- /dev/null
+++ b/includes/permissions.inc.php
@@ -0,0 +1,233 @@
+<?php
+
+/*
+ * Permissions.
+ *
+ * Set on either users or groups.
+ * User permissions override any permissions on groups (as are more specific)
+ * Group permissions are additive
+ * "Account" renamed as "Owner" in interface, and will always have full permissions.
+ *
+ * Bitmask:
+ *      0x01 - View
+ *      0x02 - Update non-special records
+ *      0x04 - Update special records
+ *      0x08 - Admin (e.g. change permissions)
+ *
+ * The interface will use combinations of these shown in the permissionsmap below.
+ *
+ */
+
+$permissionmap=array(
+    '0' => 'No permissions',
+    '1' => 'View Only',
+    '3' => 'Update normal records',
+    '7' => 'Update all records',
+    '15' => 'Admin'
+);
+
+define('PERM_VIEW',0x01);
+define('PERM_UPDATE',0x02);
+define('PERM_UPDATESPECIAL',0x04);
+define('PERM_ADMIN',0x08);
+
+
+// move to misc?
+function get_zone_id($zone) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT id FROM zones WHERE zone=?');
+    $q->bindValue(1, $zone, SQLITE3_TEXT);
+    $r = $q->execute();
+    $ret = $r->fetchArray(SQLITE3_NUM);
+
+    if($ret) {
+        return $ret[0];
+    } else {
+        return null;
+    }
+
+}
+
+// move to misc?
+function get_user_name($userid) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT emailAddress FROM users WHERE id = ?');
+    $q->bindValue(1, $userid, SQLITE3_INTEGER);
+    $r = $q->execute();
+    $ret = $r->fetchArray(SQLITE3_NUM);
+
+    if($ret) {
+        return $ret[0];
+    } else {
+        return null;
+    }
+}
+
+// Interface function - Return an array of permissions for the zone
+function get_zone_permissions($zone) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT p.id,p.user,u.emailAddress AS uname,p."group",g.name AS gname, p.permissions FROM permissions p LEFT JOIN users u ON p.user=u.id LEFT JOIN groups g ON p."group"=g.id LEFT JOIN zones z ON p.zone=z.id WHERE z.zone=?');
+    $q->bindValue(1, $zone, SQLITE3_TEXT);
+    $result = $q->execute();
+
+    $ret = array();
+
+    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
+        $row2 = array();
+        $row2['id']=$row['id'];
+        if($row['user']>0) {
+            $row2['type']='user';
+            $row2['value']=$row['uname'];
+        } else {
+            $row2['type']='group';
+            $row2['value']=$row['gname'];
+        }
+        $row2['permissions']=$row['permissions'];
+        array_push($ret, $row2);
+    }
+
+    return $ret;
+}
+
+// Interface function - Set permissions for a zone - either userid or groupid should be null
+function set_permissions($userid,$groupid,$zone,$permissions) {
+    global $permissionmap;
+
+    $db = get_db();
+
+    $q = $db->prepare('INSERT INTO permissions (zone,user,"group",permissions) VALUES (?,?,?,?)');
+    $q->bindValue(1, get_zone_id($zone), SQLITE3_INTEGER);
+    $q->bindValue(2, $userid, SQLITE3_INTEGER);
+    $q->bindValue(3, $groupid, SQLITE3_INTEGER);
+    $q->bindValue(4, $permissions, SQLITE3_INTEGER);
+
+    $ret = $q->execute();
+
+    if(!is_null($userid)) {
+        $who="user " . get_user_name($userid);
+    } else {
+        $who="group " . get_group_name($groupid);
+    }
+
+    if($ret) {
+        writelog("Added '$permissionmap[$permissions]' permissions for $who from zone $zone.");
+        return $db->lastInsertRowID();
+    } else {
+        writelog("Failed to add permissions to zone $zone for $who.");
+        return null;
+    }
+}
+
+// Interface function - Update permissions for a zone
+function update_permissions($id,$permissions) {
+    global $permissionmap;
+
+    $db = get_db();
+
+    $q = $db->prepare('SELECT p.permissions, u.emailAddress, g.name, z.zone FROM permissions p LEFT JOIN users u ON p.user=u.id LEFT JOIN groups g ON p."group"=g.id LEFT JOIN zones z ON p.zone=z.id WHERE p.id=?');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $r = $q->execute();
+    $ret = $r->fetchArray(SQLITE3_NUM);
+    if($ret[1]!='') {
+        $who="user " . $ret[1];
+    } else {
+        $who="group " . $ret[2];
+    }
+    $before=$ret[0];
+    $zone=$ret[3];
+    $q->close();
+
+    $q = $db->prepare('UPDATE permissions SET permissions=? WHERE id=?');
+    $q->bindValue(1, $permissions, SQLITE3_INTEGER);
+    $q->bindValue(2, $id, SQLITE3_INTEGER);
+
+    $ret = $q->execute();
+
+    if($ret) {
+        writelog("Permissions changed on zone $zone for $who from '$permissionmap[$before]' to '$permissionmap[$permissions]'.");
+        return $db->lastInsertRowID();
+    } else {
+        writelog("Failed to set permissions on zone $zone for $who (permissions id $id).");
+        return null;
+    }
+}
+
+// Interface function - Remove permissions from a zone
+function remove_permissions($id) {
+    global $permissionmap;
+
+    $db = get_db();
+
+    $q = $db->prepare('SELECT p.permissions, u.emailAddress, g.name, z.zone FROM permissions p LEFT JOIN users u ON p.user=u.id LEFT JOIN groups g ON p."group"=g.id LEFT JOIN zones z ON p.zone=z.id WHERE p.id=?');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $r = $q->execute();
+    $ret = $r->fetchArray(SQLITE3_NUM);
+    if($ret[1]!='') {
+        $who="user " . $ret[1];
+    } else {
+        $who="group " . $ret[2];
+    }
+    $before=$ret[0];
+    $zone=$ret[3];
+    $q->close();
+
+    $q = $db->prepare('DELETE FROM permissions WHERE id=?');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $ret = $q->execute();
+
+    if($ret) {
+        writelog("Removed '$permissionmap[$before]' permissions for $who from zone $zone");
+    } else {
+        writelog("Failed to remove permissions for $who from zone $zone (permissions id $id).");
+    }
+    return $ret;
+}
+
+// Utility function - Return the permissions set on the zone for this user *not including any group membership*
+function user_permissions($zone,$userid) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT p.permissions FROM permissions p LEFT JOIN zones z ON p.zone=z.id WHERE p.user=? AND z.zone=?');
+    $q->bindValue(1, $userid, SQLITE3_INTEGER);
+    $q->bindValue(2, $zone, SQLITE3_TEXT);
+    $r = $q->execute();
+    if($r) {
+        $ret = $r->fetchArray(SQLITE3_NUM);
+        return $ret[0];
+    } else {
+        return null;
+    }
+}
+
+// Utility function - Return the permissions set on the zone for this group
+function group_permissions($zone,$groupid) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT p.permissions FROM permissions p LEFT JOIN zones z ON p.zone=z.id WHERE p."group"=? AND z.zone=?');
+    $q->bindValue(1, $groupid, SQLITE3_INTEGER);
+    $q->bindValue(2, $zone, SQLITE3_TEXT);
+    $r = $q->execute();
+    if($r) {
+        $ret = $r->fetchArray(SQLITE3_NUM);
+        return $ret[0];
+    } else {
+        return null;
+    }
+}
+
+// Utility function - Return the calculated permissions for this user/zone
+function permissions($zone,$userid) {
+    $perm=user_permissions($zone,$userid);
+
+    if(!is_null($perm)) {
+        return $perm;
+    } else {
+        $perm=0;
+
+    }
+}
+
+?>
diff --git a/index.php b/index.php
index 1df3400..c2ff50c 100644
--- a/index.php
+++ b/index.php
@@ -371,7 +371,7 @@ $(document).ready(function () {
             },
             <?php if (is_adminuser()) { ?>
             account: {
-                title: 'Account',
+                title: 'Owner',
                 width: '8%',
                 display: displayContent('account'),
                 options: function(data) {
@@ -547,7 +547,7 @@ $(document).ready(function () {
             },
             <?php if (is_adminuser()) { ?>
             account: {
-                title: 'Account',
+                title: 'Owner',
                 width: '8%',
                 display: displayContent('account'),
                 options: function(data) {
@@ -851,6 +851,7 @@ $(document).ready(function () {
                                     permissions: {
                                         title: 'Permissions',
                                         options: {
+                                            '0' : 'No permissions',
                                             '1' : 'View Only',
 <?php if($restrictediting) { ?>
                                             '3' : 'Update normal records',
@@ -906,7 +907,7 @@ $(document).ready(function () {
             },
             <?php if (is_adminuser()) { ?>
             account: {
-                title: 'Account',
+                title: 'Owner',
                 options: function(data) {
                     return 'users.php?action=listoptions&e='+$epoch;
                 },
@@ -975,7 +976,7 @@ $(document).ready(function () {
                 inputClass: 'destname'
             },
             account: {
-                title: 'Account',
+                title: 'Owner',
                 options: function(data) {
                     return 'users.php?action=listoptions&e='+$epoch;
                 },
diff --git a/permissions.php b/permissions.php
index 713e465..32d55ae 100644
--- a/permissions.php
+++ b/permissions.php
@@ -3,6 +3,7 @@
 include_once('includes/config.inc.php');
 include_once('includes/session.inc.php');
 include_once('includes/misc.inc.php');
+include_once('includes/permissions.inc.php');
 
 if (!is_csrf_safe()) {
     header('Status: 403');
@@ -10,7 +11,7 @@ if (!is_csrf_safe()) {
     jtable_respond(null, 'error', "Authentication required");
 }
 
-$zoneid = isset($_GET['zoneid']) ? intval($_GET['zoneid']) : '';
+$zoneid = isset($_GET['zoneid']) ? $_GET['zoneid'] : '';
 
 if (!is_adminuser()) {
     header('Status: 403');
@@ -30,27 +31,45 @@ case "list":
         $permissions = get_zone_permissions($zoneid);
         jtable_respond($permissions);
     } else {
-        jtable_respond(null, 'error', 'Could not list zone permissions');
+        jtable_respond(null, 'error', 'Zone id required');
     }
     break;
 
 case "add":
     $type = isset($_POST['type']) ? $_POST['type'] : '';
     $value = isset($_POST['value']) ? $_POST['value'] : '';
-    $permissons = isset($_POST['permissions']) ? $_POST['permissions'] : '';
+    $permissions = isset($_POST['permissions']) ? $_POST['permissions'] : '';
+    $zone = isset($_GET['zoneid']) ? $_GET['zoneid'] : '';
 
     if ($zoneid != '') {
-        if (user_exists($user)) {
-            if(is_group_member($groupid,$user)) {
-                jtable_respond(null, 'error', "User already a member of the group");
-            } elseif(!is_null($id=add_group_member($groupid,$user))) {
-                $entry = array('id' => $id,'user' => $user);
-                jtable_respond($entry, 'single');
+        if($type == 'user') {
+            if (user_exists($value)) {
+                $userid=get_user_id($value);
+                if(!is_null(user_permissions($zone,$userid))) {
+                    jtable_respond(null, 'error', "User already has permissions set for this zone");
+                } elseif(!is_null($id=set_permissions($userid,null,$zone,$permissions))) {
+                    $entry = array('id' => $id, 'type' => 'user', 'value' => $value, 'permissions' => $permissions);
+                    jtable_respond($entry, 'single');
+                } else {
+                    jtable_respond(null, 'error', "Failed to set permissions");
+                }
             } else {
-                jtable_respond(null, 'error', "Failed to add user to group");
+                jtable_respond(null, 'error', "User doesn't exist");
             }
         } else {
-            jtable_respond(null, 'error', "User doesn't exist");
+            if (group_exists($value)) {
+                $groupid=get_group_id($value);
+                if(!is_null(group_permissions($zone,$groupid))) {
+                    jtable_respond(null, 'error', "Group already has permissions set for this zone");
+                } elseif(!is_null($id=set_permissions(null,$groupid,$zone,$permissions))) {
+                    $entry = array('id' => $id, 'type' => 'group', 'value' => $value, 'permissions' => $permissions);
+                    jtable_respond($entry, 'single');
+                } else {
+                    jtable_respond(null, 'error', "Failed to set permissions");
+                }
+            } else {
+                jtable_respond(null, 'error', "Group doesn't exist");
+            }
         }
     } else {
         jtable_respond(null, 'error', 'Zone not specified');
@@ -58,23 +77,43 @@ case "add":
     break;
 
 case "remove":
+    $id = isset($_POST['id']) ? $_POST['id'] : '';
 
     if ($id != '') {
-        if(remove_group_member($id)) {
+        if(remove_permissions($id)) {
             jtable_respond(null, 'delete');
         } else {
-            jtable_respond(null, 'error', "Failed to delete user from group");
+            jtable_respond(null, 'error', "Failed to remove permissions");
         }
     } else {
         jtable_respond(null, 'error', 'ID not specified');
     }
     break;
 
+case "update":
+    $id = isset($_POST['id']) ? $_POST['id'] : '';
+    $permissions = isset($_POST['permissions']) ? intval($_POST['permissions']) : 0;
+    if ($id != '') {
+        if(update_permissions($id,$permissions)) {
+            $result = array('id' => $id, 'permissions' => $permissions);
+            jtable_respond($result, 'single');
+        } else {
+            jtable_respond(null, 'error', 'Failed to set permissions');
+        }
+    } else {
+        jtable_respond(null, 'error', 'ID not specified');
+    }
+
 case "autocomplete":
-    $term = isset($_GET['type']) ? $_GET['type'] : '';
+    $type = isset($_GET['type']) ? $_GET['type'] : '';
     $term = isset($_GET['term']) ? $_GET['term'] : '';
-    $users=get_usernames_filtered($term);
-    print json_encode($users);
+    if($type == 'user') {
+        $users=get_usernames_filtered($term);
+        print json_encode($users);
+    } else {
+        $groups=get_groups_filtered($term);
+        print json_encode($groups);
+    }
     break;
 
 default:

From a57af479b84202743b0007d83737aa4de1c1665a Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Fri, 6 Jan 2017 14:05:12 +0000
Subject: [PATCH 13/20] Moved a few functions to misc, moved where permissions
 is included as it's needed everywhere.

---
 includes/groups.inc.php      | 10 --------
 includes/misc.inc.php        | 46 ++++++++++++++++++++++++++++++++++++
 includes/permissions.inc.php | 34 --------------------------
 permissions.php              |  1 -
 4 files changed, 46 insertions(+), 45 deletions(-)

diff --git a/includes/groups.inc.php b/includes/groups.inc.php
index 5c02e52..b2c2b8c 100644
--- a/includes/groups.inc.php
+++ b/includes/groups.inc.php
@@ -111,16 +111,6 @@ function get_group_members($id) {
     return $ret;
 }
 
-// move to misc?
-function get_user_id($user) {
-    $info=get_user_info($user);
-    if($info) {
-        return $info['id'];
-    } else {
-        return null;
-    }
-}
-
 function get_group_id($group) {
     $info=get_group_info($group);
     if($info) {
diff --git a/includes/misc.inc.php b/includes/misc.inc.php
index b8071fb..ca05131 100644
--- a/includes/misc.inc.php
+++ b/includes/misc.inc.php
@@ -475,7 +475,53 @@ if (!function_exists('hash_pbkdf2')) {
     }
 }
 
+// get user id from name
+function get_user_id($user) {
+    $info=get_user_info($user);
+    if($info) {
+        return $info['id'];
+    } else {
+        return null;
+    }
+}
+
+// get zone id from name
+function get_zone_id($zone) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT id FROM zones WHERE zone=?');
+    $q->bindValue(1, $zone, SQLITE3_TEXT);
+    $r = $q->execute();
+    $ret = $r->fetchArray(SQLITE3_NUM);
+
+    if($ret) {
+        return $ret[0];
+    } else {
+        return null;
+    }
+
+}
+
+// get user name from id
+function get_user_name($userid) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT emailAddress FROM users WHERE id = ?');
+    $q->bindValue(1, $userid, SQLITE3_INTEGER);
+    $r = $q->execute();
+    $ret = $r->fetchArray(SQLITE3_NUM);
+
+    if($ret) {
+        return $ret[0];
+    } else {
+        return null;
+    }
+}
+
+
 // Include functions for group management
 include_once('groups.inc.php');
+// Include functions for permissions management
+include_once('permissions.inc.php');
 
 ?>
diff --git a/includes/permissions.inc.php b/includes/permissions.inc.php
index a0a7726..19ff495 100644
--- a/includes/permissions.inc.php
+++ b/includes/permissions.inc.php
@@ -31,40 +31,6 @@ define('PERM_UPDATE',0x02);
 define('PERM_UPDATESPECIAL',0x04);
 define('PERM_ADMIN',0x08);
 
-
-// move to misc?
-function get_zone_id($zone) {
-    $db = get_db();
-
-    $q = $db->prepare('SELECT id FROM zones WHERE zone=?');
-    $q->bindValue(1, $zone, SQLITE3_TEXT);
-    $r = $q->execute();
-    $ret = $r->fetchArray(SQLITE3_NUM);
-
-    if($ret) {
-        return $ret[0];
-    } else {
-        return null;
-    }
-
-}
-
-// move to misc?
-function get_user_name($userid) {
-    $db = get_db();
-
-    $q = $db->prepare('SELECT emailAddress FROM users WHERE id = ?');
-    $q->bindValue(1, $userid, SQLITE3_INTEGER);
-    $r = $q->execute();
-    $ret = $r->fetchArray(SQLITE3_NUM);
-
-    if($ret) {
-        return $ret[0];
-    } else {
-        return null;
-    }
-}
-
 // Interface function - Return an array of permissions for the zone
 function get_zone_permissions($zone) {
     $db = get_db();
diff --git a/permissions.php b/permissions.php
index 32d55ae..fafaaea 100644
--- a/permissions.php
+++ b/permissions.php
@@ -3,7 +3,6 @@
 include_once('includes/config.inc.php');
 include_once('includes/session.inc.php');
 include_once('includes/misc.inc.php');
-include_once('includes/permissions.inc.php');
 
 if (!is_csrf_safe()) {
     header('Status: 403');

From 6d56c7a44f710910fe61d83d19a5fbe658d3b657 Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Fri, 6 Jan 2017 15:50:54 +0000
Subject: [PATCH 14/20] group permissions check & first check on index page

---
 includes/permissions.inc.php | 19 ++++++++++++++++++-
 zones.php                    |  3 ++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/includes/permissions.inc.php b/includes/permissions.inc.php
index 19ff495..cab5164 100644
--- a/includes/permissions.inc.php
+++ b/includes/permissions.inc.php
@@ -82,7 +82,7 @@ function set_permissions($userid,$groupid,$zone,$permissions) {
         writelog("Added '$permissionmap[$permissions]' permissions for $who from zone $zone.");
         return $db->lastInsertRowID();
     } else {
-        writelog("Failed to add permissions to zone $zone for $who.");
+        writelog("Failed to add permissions to zone $zone ($zoneid) for $who.");
         return null;
     }
 }
@@ -192,8 +192,25 @@ function permissions($zone,$userid) {
         return $perm;
     } else {
         $perm=0;
+        $zoneid=get_zone_id($zone);
+        $db = get_db();
 
+        $q = $db->prepare('SELECT p.permissions FROM groupmembers gm LEFT JOIN permissions p ON p."group"=gm."group" WHERE zone=? AND p."group">0 AND gm.user=?');
+        $q->bindValue(1, $zoneid, SQLITE3_INTEGER);
+        $q->bindValue(2, $userid, SQLITE3_INTEGER);
+        $r = $q->execute();
+
+        while ($row = $r->fetchArray(SQLITE3_NUM)) {
+            $perm=$perm|$row[0];
+        }
+        return $perm;
     }
 }
 
+// Utility function - check a permission for current user
+function check_permissions($zone,$permmask) {
+    return (bool) (permissions($zone,get_user_id(get_sess_user()))&$permmask);    
+}
+
+
 ?>
diff --git a/zones.php b/zones.php
index 45f650d..55e7a6d 100644
--- a/zones.php
+++ b/zones.php
@@ -153,7 +153,7 @@ function quote_content($content) {
 }
 
 function check_account($zone) {
-    return is_adminuser() or ($zone->account === get_sess_user());
+    return is_adminuser() or ($zone->account === get_sess_user()) or check_permissions($zone->id,PERM_VIEW);
 }
 
 if (isset($_GET['action'])) {
@@ -200,6 +200,7 @@ case "listrecords":
     $zone->parse($zonedata);
     $records = $zone->rrsets2records();
 
+//    if(permissions($zone->id))
     if(!empty($_POST['label'])) {
         $records=array_filter($records,
             function ($val) {

From 4f118af176376bf1bf217e84f0f9bb872502d0ea Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Mon, 9 Jan 2017 10:29:56 +0000
Subject: [PATCH 15/20] Permissions in zones.php

---
 includes/permissions.inc.php | 22 ++++++++++++
 index.php                    |  2 ++
 zones.php                    | 70 ++++++++++++++++++++++++++++++++----
 3 files changed, 87 insertions(+), 7 deletions(-)

diff --git a/includes/permissions.inc.php b/includes/permissions.inc.php
index cab5164..805899a 100644
--- a/includes/permissions.inc.php
+++ b/includes/permissions.inc.php
@@ -31,6 +31,9 @@ define('PERM_UPDATE',0x02);
 define('PERM_UPDATESPECIAL',0x04);
 define('PERM_ADMIN',0x08);
 
+define('PERM_ALL',0xffff);
+
+
 // Interface function - Return an array of permissions for the zone
 function get_zone_permissions($zone) {
     $db = get_db();
@@ -184,8 +187,27 @@ function group_permissions($zone,$groupid) {
     }
 }
 
+// utility function - get the owner of the domain. Move to misc?
+function zone_owner($zone) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT owner FROM zones WHERE zones.zone=?');
+    $q->bindValue(1,$zone,SQLITE3_TEXT);
+    $r = $q->execute();
+    if($r) {
+        $ret = $r->fetchArray(SQLITE3_NUM);
+        return $ret[0];
+    } else {
+        return null;
+    }
+}
+
 // Utility function - Return the calculated permissions for this user/zone
 function permissions($zone,$userid) {
+    if(is_adminuser() || ($userid == zone_owner($zone))) {
+        return PERM_ALL;
+    }
+
     $perm=user_permissions($zone,$userid);
 
     if(!is_null($perm)) {
diff --git a/index.php b/index.php
index c2ff50c..cf064b5 100644
--- a/index.php
+++ b/index.php
@@ -808,6 +808,7 @@ $(document).ready(function () {
                     return $img;
                 }
             },
+           <?php if (is_adminuser()) { ?>
             permissions: {
                 title: 'Permissions',
                 width: '10%',
@@ -881,6 +882,7 @@ $(document).ready(function () {
                     return $img;
                 }
             },
+            <?php } ?>
             exportzone: {
                 title: '',
                 width: '1%',
diff --git a/zones.php b/zones.php
index 55e7a6d..ac47e68 100644
--- a/zones.php
+++ b/zones.php
@@ -152,10 +152,6 @@ function quote_content($content) {
     return $content;
 }
 
-function check_account($zone) {
-    return is_adminuser() or ($zone->account === get_sess_user()) or check_permissions($zone->id,PERM_VIEW);
-}
-
 if (isset($_GET['action'])) {
     $action = $_GET['action'];
 } else {
@@ -178,7 +174,7 @@ case "listslaves":
             $zone->setAccount(get_zone_account($zone->name, 'admin'));
         }
 
-        if (!check_account($zone))
+        if (!check_permissions($zone->id,PERM_VIEW))
             continue;
 
         if ($action == "listslaves" and $zone->kind == "Slave") {
@@ -200,7 +196,10 @@ case "listrecords":
     $zone->parse($zonedata);
     $records = $zone->rrsets2records();
 
-//    if(permissions($zone->id))
+    if (!check_permissions($zone->id,PERM_VIEW)) {
+        jtable_respond(null, 'error', "You are not permitted to list records for " . $zone->id);
+        break;
+    }
     if(!empty($_POST['label'])) {
         $records=array_filter($records,
             function ($val) {
@@ -249,6 +248,12 @@ case "listrecords":
 
 case "delete":
     $zone = $api->loadzone($_POST['id']);
+
+    if (!check_permissions($zone->id,PERM_ADMIN)) {
+        jtable_respond(null, 'error', "You are not permitted to delete " . $zone->id);
+        break;
+    }
+
     $api->deletezone($_POST['id']);
 
     delete_db_zone($zone['name']);
@@ -263,13 +268,16 @@ case "create":
 
     if (!is_adminuser() and $allowzoneadd !== true) {
         jtable_respond(null, 'error', "You are not allowed to add zones");
+        break;
     }
     if (!_valid_label($zonename)) {
         jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
+        break;
     }
 
     if (!$zonename || !$zonekind) {
         jtable_respond(null, 'error', "Not enough data");
+        break;
     }
 
     $zone = new Zone();
@@ -351,10 +359,15 @@ case "update":
         writelog("Set SOA-EDIT-API to ".$defaults['soa_edit_api']." for ",$zone->name);
     $zoneaccount = isset($_POST['account']) ? $_POST['account'] : $zone->account;
 
+    if (!check_permissions($zone->id,PERM_ADMIN)) {
+        jtable_respond(null, 'error', "You are not permitted to update " . $zone->id);
+        break;
+    }
+
     if ($zone->account !== $zoneaccount) {
         if (!is_adminuser()) {
             header("Status: 403 Access denied");
-            jtable_respond(null, 'error', "Can't change account");
+            jtable_respond(null, 'error', "Can't change owner");
         } else {
             add_db_zone($zone->name, $zoneaccount);
             $zone->setAccount($zoneaccount);
@@ -382,6 +395,18 @@ case "createrecord":
     $type = $_POST['type'];
     $content = $_POST['content'];
 
+    if (!check_permissions($zone->id,PERM_UPDATE)) {
+        jtable_respond(null, 'error', "You are not permitted to create records in " . $zone->id);
+        break;
+    }
+
+    if($restrictediting && $restrictedtypes[$type]) {
+        if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
+            jtable_respond(null, 'error', "You are not permitted to create $type records in " . $zone->id);
+            break;
+        }
+    }
+
     if ('' == $name) {
         $name = $zone->name;
     } elseif (string_ends_with($name, '.')) {
@@ -425,6 +450,19 @@ case "editrecord":
     $old_record = decode_record_id(isset($_POST['id']) ? $_POST['id'] : '');
 
     $rrset = $zone->getRRSet($old_record['name'], $old_record['type']);
+
+    if (!check_permissions($zone->id,PERM_UPDATE)) {
+        jtable_respond(null, 'error', "You are not permitted to update records in " . $zone->id);
+        break;
+    }
+
+    if($restrictediting && $restrictedtypes[$old_record['type']]) {
+        if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
+            jtable_respond(null, 'error', "You are not permitted to update " . $old_record['type'] . " records in " . $zone->id);
+            break;
+        }
+    }
+
     $rrset->deleteRecord($old_record['content']);
 
     $content = $_POST['content'];
@@ -449,6 +487,19 @@ case "deleterecord":
 
     $old_record = decode_record_id(isset($_POST['id']) ? $_POST['id'] : '');
     $rrset = $zone->getRRSet($old_record['name'], $old_record['type']);
+
+    if (!check_permissions($zone->id,PERM_UPDATE)) {
+        jtable_respond(null, 'error', "You are not permitted to delete records from " . $zone->id);
+        break;
+    }
+
+    if($restrictediting && $restrictedtypes[$old_record['type']]) {
+        if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
+            jtable_respond(null, 'error', "You are not permitted to delete " . $old_record['type'] . " records from " . $zone->id);
+            break;
+        }
+    }
+
     $rrset->deleteRecord($old_record['content']);
 
     $api->savezone($zone->export());
@@ -466,6 +517,11 @@ case "clone":
     $name = $_POST['destname'];
     $src  = $_POST['sourcename'];
 
+    if (!is_adminuser() and $allowzoneadd !== true) {
+        jtable_respond(null, 'error', "You are not allowed to add zones");
+        break;
+    }
+
     if (!string_ends_with($name, '.')) {
         $name = $name.".";
     }

From dcae922075ac9621ee5bc187cebed125e9cffec4 Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Tue, 7 Nov 2017 11:28:03 +0000
Subject: [PATCH 16/20] Uncommitted changes - mostly permissions dor admin
 user.

---
 README.md                    |  2 +-
 includes/permissions.inc.php |  3 +-
 index.php                    | 71 +++++++++++++++++++++++++++++++++++-
 3 files changed, 72 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 2758077..44e34dc 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ Features
 User support
 ============
 Multiple users are supported. A user can be an admin or a normal user. You can
-configure wheter or not a normal user is allowed to add new zones.
+configure whether or not a normal user is allowed to add new zones.
 
 WeFact Login support
 ====================
diff --git a/includes/permissions.inc.php b/includes/permissions.inc.php
index 805899a..3869863 100644
--- a/includes/permissions.inc.php
+++ b/includes/permissions.inc.php
@@ -85,7 +85,7 @@ function set_permissions($userid,$groupid,$zone,$permissions) {
         writelog("Added '$permissionmap[$permissions]' permissions for $who from zone $zone.");
         return $db->lastInsertRowID();
     } else {
-        writelog("Failed to add permissions to zone $zone ($zoneid) for $who.");
+        writelog("Failed to add permissions to zone $zone for $who.");
         return null;
     }
 }
@@ -209,7 +209,6 @@ function permissions($zone,$userid) {
     }
 
     $perm=user_permissions($zone,$userid);
-
     if(!is_null($perm)) {
         return $perm;
     } else {
diff --git a/index.php b/index.php
index cf064b5..81acdda 100644
--- a/index.php
+++ b/index.php
@@ -469,6 +469,75 @@ $(document).ready(function () {
                     return $img;
                 }
             },
+           <?php if (is_adminuser()) { ?>
+            permissions: {
+                title: 'Permissions',
+                width: '10%',
+                create: false,
+                edit: false,
+                display: function(data) {
+                    var $img = $('<img class="list" src="img/list.png" title="Permissions" />');
+                    $img.click(function () {
+                        $('#SlaveZones').jtable('openChildTable',
+                            $img.closest('tr'), {
+                                title: 'Permissions for ' + data.record.name,
+                                openChildAsAccordion: true,
+                                actions: {
+                                    listAction: 'permissions.php?action=list&zoneid=' + data.record.id,
+                                    createAction: 'permissions.php?action=add&zoneid=' + data.record.id,
+                                    updateAction: 'permissions.php?action=update&zoneid=' + data.record.id,
+                                    deleteAction: 'permissions.php?action=remove&zoneid=' + data.record.id
+                                },
+                                fields: {
+                                    id: {
+                                        key: true,
+                                        type: 'hidden'
+                                    },
+                                    type: {
+                                        title: 'Type',
+                                        inputClass: "permissionstype",
+                                        options: {
+                                            'user': 'User',
+                                            'group': 'Group'
+                                        },
+                                        create: true,
+                                        edit: false
+                                    },
+                                    value: {
+                                        title: 'Name',
+                                        inputClass: "usergrouplist",
+                                        display: displayContent('value'),
+                                        create: true,
+                                        edit: false
+                                    },
+                                    permissions: {
+                                        title: 'Permissions',
+                                        options: {
+                                            '0' : 'No permissions',
+                                            '1' : 'View Only',
+                                            '15' : 'Admin'
+                                        }
+                                    }
+                                },
+                                formCreated: function(event, dat) {
+                                    $( ".usergrouplist" ).autocomplete({
+                                        source: "permissions.php?action=autocomplete&type=" + $( ".permissionstype" ).val()
+                                    });
+                                    $( ".permissionstype" ).change(function() {
+                                      $( ".usergrouplist" ).val("");
+                                      $( ".usergrouplist" ).autocomplete({
+                                          source: "permissions.php?action=autocomplete&type=" + $( ".permissionstype" ).val()
+                                      });
+                                    });
+                                }
+                            }, function (data) {
+                                data.childTable.jtable('load');
+                            })
+                    });
+                    return $img;
+                }
+            },
+            <?php } ?>
             exportzone: {
                 title: '',
                 width: '1%',
@@ -817,7 +886,7 @@ $(document).ready(function () {
                 display: function(data) {
                     var $img = $('<img class="list" src="img/list.png" title="Permissions" />');
                     $img.click(function () {
-                        $('#SlaveZones').jtable('openChildTable',
+                        $('#MasterZones').jtable('openChildTable',
                             $img.closest('tr'), {
                                 title: 'Permissions for ' + data.record.name,
                                 openChildAsAccordion: true,

From dbdfea2ae1c02564ee1cef1e93cfcd975ca41d4c Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Mon, 13 Nov 2017 11:59:53 +0000
Subject: [PATCH 17/20] Create sqlite zone entries for zones created outside of
 nsedit. Note that this will create users if they don't exist also.

---
 zones.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/zones.php b/zones.php
index 40b57d9..deb16ca 100644
--- a/zones.php
+++ b/zones.php
@@ -97,7 +97,7 @@ function record_compare_content($a, $b) {
     return 0;
 }
 
-function add_db_zone($zonename, $accountname) {
+function add_db_zone($zonename, $accountname, $createuser = false) {
     if (valid_user($accountname) === false) {
         jtable_respond(null, 'error', "$accountname is not a valid username");
     }
@@ -105,7 +105,7 @@ function add_db_zone($zonename, $accountname) {
         jtable_respond(null, 'error', "$zonename is not a valid zonename");
     }
 
-    if (is_apiuser() && !user_exists($accountname)) {
+    if ((is_apiuser() || $createuser) && !user_exists($accountname)) {
         add_user($accountname);
     }
 
@@ -174,6 +174,10 @@ case "listslaves":
             $zone->setAccount(get_zone_account($zone->name, 'admin'));
         }
 
+        if(is_null(get_zone_id($zone->name))) {
+            add_db_zone($zone->name, $zone->account, true);
+        }
+
         if (!check_permissions($zone->id,PERM_VIEW))
             continue;
 

From 9b519365749a2c4594271ef281627f41f8b3c4fe Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Mon, 20 Nov 2017 09:52:58 +0000
Subject: [PATCH 18/20] Fix a typo

---
 logs.php  | 2 +-
 users.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/logs.php b/logs.php
index 3e00b46..bede2aa 100644
--- a/logs.php
+++ b/logs.php
@@ -12,7 +12,7 @@ if (!is_csrf_safe()) {
 
 if (!is_adminuser()) {
     header('Status: 403');
-    jtable_respond(null, 'error', "You need adminprivileges to get here");
+    jtable_respond(null, 'error', "You need admin privileges to get here");
 }
 
 if (!isset($_GET['action'])) {
diff --git a/users.php b/users.php
index e31c122..3b88831 100644
--- a/users.php
+++ b/users.php
@@ -12,7 +12,7 @@ if (!is_csrf_safe()) {
 
 if (!is_adminuser()) {
     header('Status: 403');
-    jtable_respond(null, 'error', "You need adminprivileges to get here");
+    jtable_respond(null, 'error', "You need admin privileges to get here");
 }
 
 if (!isset($_GET['action'])) {

From d8389561390ed114acde9ee5e1c7317b356fd72c Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Mon, 20 Nov 2017 09:54:44 +0000
Subject: [PATCH 19/20] Fix typo.

---
 groups.php      | 2 +-
 logs.php        | 2 +-
 permissions.php | 2 +-
 users.php       | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/groups.php b/groups.php
index 59a0557..33df583 100644
--- a/groups.php
+++ b/groups.php
@@ -12,7 +12,7 @@ if (!is_csrf_safe()) {
 
 if (!is_adminuser()) {
     header('Status: 403');
-    jtable_respond(null, 'error', "You need adminprivileges to get here");
+    jtable_respond(null, 'error', "You need admin privileges to get here");
 }
 
 if (!isset($_GET['action'])) {
diff --git a/logs.php b/logs.php
index 3e00b46..bede2aa 100644
--- a/logs.php
+++ b/logs.php
@@ -12,7 +12,7 @@ if (!is_csrf_safe()) {
 
 if (!is_adminuser()) {
     header('Status: 403');
-    jtable_respond(null, 'error', "You need adminprivileges to get here");
+    jtable_respond(null, 'error', "You need admin privileges to get here");
 }
 
 if (!isset($_GET['action'])) {
diff --git a/permissions.php b/permissions.php
index fafaaea..691671f 100644
--- a/permissions.php
+++ b/permissions.php
@@ -14,7 +14,7 @@ $zoneid = isset($_GET['zoneid']) ? $_GET['zoneid'] : '';
 
 if (!is_adminuser()) {
     header('Status: 403');
-    jtable_respond(null, 'error', "You need adminprivileges to get here");
+    jtable_respond(null, 'error', "You need admin privileges to get here");
 }
 
 if (!isset($_GET['action'])) {
diff --git a/users.php b/users.php
index 67df833..31f9d3b 100644
--- a/users.php
+++ b/users.php
@@ -12,7 +12,7 @@ if (!is_csrf_safe()) {
 
 if (!is_adminuser()) {
     header('Status: 403');
-    jtable_respond(null, 'error', "You need adminprivileges to get here");
+    jtable_respond(null, 'error', "You need admin privileges to get here");
 }
 
 if (!isset($_GET['action'])) {

From e1df632852a461669c09d3cf90273198b79948a2 Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Mon, 20 Nov 2017 15:38:28 +0000
Subject: [PATCH 20/20] Allow copying of permissions when cloning a zone.

---
 includes/permissions.inc.php | 16 ++++++++++++++++
 index.php                    |  7 +++++++
 zones.php                    |  5 +++++
 3 files changed, 28 insertions(+)

diff --git a/includes/permissions.inc.php b/includes/permissions.inc.php
index 3869863..c007e98 100644
--- a/includes/permissions.inc.php
+++ b/includes/permissions.inc.php
@@ -90,6 +90,22 @@ function set_permissions($userid,$groupid,$zone,$permissions) {
     }
 }
 
+// Interface function - Copy permissions from one zone to another - used for cloning, so assumes no existing permissions on the domain
+
+function copy_permissions($srczone,$dstzone) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT p.user,p."group",p.permissions FROM permissions p, zones z WHERE p.zone=z.id AND z.zone=?');
+    $q->bindValue(1, $srczone, SQLITE3_TEXT);
+    $result = $q->execute();
+
+    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
+        set_permissions($row['user'],$row['group'],$dstzone,$row['permissions']);
+    }
+
+    return null;
+}
+
 // Interface function - Update permissions for a zone
 function update_permissions($id,$permissions) {
     global $permissionmap;
diff --git a/index.php b/index.php
index e380145..0b4d5df 100644
--- a/index.php
+++ b/index.php
@@ -1055,6 +1055,13 @@ $(document).ready(function () {
                 title: 'Domain',
                 inputClass: 'destname'
             },
+            copypermissions: {
+                title: 'Copy Permissions',
+                type: 'checkbox',
+                values: {'0': 'No', '1': 'Yes'},
+                defaultValue: 1,
+                inputClass: 'copypermissions'
+            },
             account: {
                 title: 'Owner',
                 options: function(data) {
diff --git a/zones.php b/zones.php
index 44ef601..74cad32 100644
--- a/zones.php
+++ b/zones.php
@@ -522,6 +522,7 @@ case "export":
 case "clone":
     $name = $_POST['destname'];
     $src  = $_POST['sourcename'];
+    $copypermissions  = $_POST['copypermissions'];
 
     if (!is_adminuser() and $allowzoneadd !== true) {
         jtable_respond(null, 'error', "You are not allowed to add zones");
@@ -566,6 +567,10 @@ case "clone":
 
     $zone = $api->savezone($srczone->export());
 
+    if($copypermissions==1) {
+        copy_permissions($src,$name);
+    }
+
     writelog("Cloned zone $src into $name");
     jtable_respond($zone, 'single');
     break;