Permissions in zones.php
This commit is contained in:
parent
6d56c7a44f
commit
4f118af176
3 changed files with 87 additions and 7 deletions
|
@ -31,6 +31,9 @@ define('PERM_UPDATE',0x02);
|
|||
define('PERM_UPDATESPECIAL',0x04);
|
||||
define('PERM_ADMIN',0x08);
|
||||
|
||||
define('PERM_ALL',0xffff);
|
||||
|
||||
|
||||
// Interface function - Return an array of permissions for the zone
|
||||
function get_zone_permissions($zone) {
|
||||
$db = get_db();
|
||||
|
@ -184,8 +187,27 @@ function group_permissions($zone,$groupid) {
|
|||
}
|
||||
}
|
||||
|
||||
// utility function - get the owner of the domain. Move to misc?
|
||||
function zone_owner($zone) {
|
||||
$db = get_db();
|
||||
|
||||
$q = $db->prepare('SELECT owner FROM zones WHERE zones.zone=?');
|
||||
$q->bindValue(1,$zone,SQLITE3_TEXT);
|
||||
$r = $q->execute();
|
||||
if($r) {
|
||||
$ret = $r->fetchArray(SQLITE3_NUM);
|
||||
return $ret[0];
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
// Utility function - Return the calculated permissions for this user/zone
|
||||
function permissions($zone,$userid) {
|
||||
if(is_adminuser() || ($userid == zone_owner($zone))) {
|
||||
return PERM_ALL;
|
||||
}
|
||||
|
||||
$perm=user_permissions($zone,$userid);
|
||||
|
||||
if(!is_null($perm)) {
|
||||
|
|
|
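Review bot: In hunk `@ -184,8 +187,27 @@`, `zone_owner()` indexes `$ret[0]` without checking that `fetchArray()` found a row; `SQLite3Stmt::execute()` returns a result object even for an empty result set, so the `if($r)` branch does not cover the no-owner case and the function yields null with a warning rather than a deliberate null. `permissions()` then tests `$userid == zone_owner($zone)` with loose equality, and since null compares equal to `0`, `''`, `'0'` and `null`, a missing owner row could grant `PERM_ALL` to such a `$userid` (the type of `$userid` is not visible here, so this depends on what callers pass). I would make the empty case explicit, `$ret = $r ? $r->fetchArray(SQLITE3_NUM) : false;` / `return $ret === false ? null : $ret[0];`, and guard the comparison, `$owner = zone_owner($zone); if (is_adminuser() || ($owner !== null && $userid == $owner)) {`. The body of `permissions()` continues past the end of the hunk, so the remaining branches were not reviewed.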
@ -808,6 +808,7 @@ $(document).ready(function () {
|
|||
return $img;
|
||||
}
|
||||
},
|
||||
<?php if (is_adminuser()) { ?>
|
||||
permissions: {
|
||||
title: 'Permissions',
|
||||
width: '10%',
|
||||
|
@ -881,6 +882,7 @@ $(document).ready(function () {
|
|||
return $img;
|
||||
}
|
||||
},
|
||||
<?php } ?>
|
||||
exportzone: {
|
||||
title: '',
|
||||
width: '1%',
|
||||
|
|
70
zones.php
70
zones.php
|
@ -152,10 +152,6 @@ function quote_content($content) {
|
|||
return $content;
|
||||
}
|
||||
|
||||
function check_account($zone) {
|
||||
return is_adminuser() or ($zone->account === get_sess_user()) or check_permissions($zone->id,PERM_VIEW);
|
||||
}
|
||||
|
||||
if (isset($_GET['action'])) {
|
||||
$action = $_GET['action'];
|
||||
} else {
|
||||
|
@ -178,7 +174,7 @@ case "listslaves":
|
|||
$zone->setAccount(get_zone_account($zone->name, 'admin'));
|
||||
}
|
||||
|
||||
if (!check_account($zone))
|
||||
if (!check_permissions($zone->id,PERM_VIEW))
|
||||
continue;
|
||||
|
||||
if ($action == "listslaves" and $zone->kind == "Slave") {
|
||||
|
@ -200,7 +196,10 @@ case "listrecords":
|
|||
$zone->parse($zonedata);
|
||||
$records = $zone->rrsets2records();
|
||||
|
||||
// if(permissions($zone->id))
|
||||
if (!check_permissions($zone->id,PERM_VIEW)) {
|
||||
jtable_respond(null, 'error', "You are not permitted to list records for " . $zone->id);
|
||||
break;
|
||||
}
|
||||
if(!empty($_POST['label'])) {
|
||||
$records=array_filter($records,
|
||||
function ($val) {
|
||||
|
@ -249,6 +248,12 @@ case "listrecords":
|
|||
|
||||
case "delete":
|
||||
$zone = $api->loadzone($_POST['id']);
|
||||
|
||||
if (!check_permissions($zone->id,PERM_ADMIN)) {
|
||||
jtable_respond(null, 'error', "You are not permitted to delete " . $zone->id);
|
||||
break;
|
||||
}
|
||||
|
||||
$api->deletezone($_POST['id']);
|
||||
|
||||
delete_db_zone($zone['name']);
|
||||
|
@ -263,13 +268,16 @@ case "create":
|
|||
|
||||
if (!is_adminuser() and $allowzoneadd !== true) {
|
||||
jtable_respond(null, 'error', "You are not allowed to add zones");
|
||||
break;
|
||||
}
|
||||
if (!_valid_label($zonename)) {
|
||||
jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
|
||||
break;
|
||||
}
|
||||
|
||||
if (!$zonename || !$zonekind) {
|
||||
jtable_respond(null, 'error', "Not enough data");
|
||||
break;
|
||||
}
|
||||
|
||||
$zone = new Zone();
|
||||
|
@ -351,10 +359,15 @@ case "update":
|
|||
writelog("Set SOA-EDIT-API to ".$defaults['soa_edit_api']." for ",$zone->name);
|
||||
$zoneaccount = isset($_POST['account']) ? $_POST['account'] : $zone->account;
|
||||
|
||||
if (!check_permissions($zone->id,PERM_ADMIN)) {
|
||||
jtable_respond(null, 'error', "You are not permitted to update " . $zone->id);
|
||||
break;
|
||||
}
|
||||
|
||||
if ($zone->account !== $zoneaccount) {
|
||||
if (!is_adminuser()) {
|
||||
header("Status: 403 Access denied");
|
||||
jtable_respond(null, 'error', "Can't change account");
|
||||
jtable_respond(null, 'error', "Can't change owner");
|
||||
} else {
|
||||
add_db_zone($zone->name, $zoneaccount);
|
||||
$zone->setAccount($zoneaccount);
|
||||
|
@ -382,6 +395,18 @@ case "createrecord":
|
|||
$type = $_POST['type'];
|
||||
$content = $_POST['content'];
|
||||
|
||||
if (!check_permissions($zone->id,PERM_UPDATE)) {
|
||||
jtable_respond(null, 'error', "You are not permitted to create records in " . $zone->id);
|
||||
break;
|
||||
}
|
||||
|
||||
if($restrictediting && $restrictedtypes[$type]) {
|
||||
if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
|
||||
jtable_respond(null, 'error', "You are not permitted to create $type records in " . $zone->id);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if ('' == $name) {
|
||||
$name = $zone->name;
|
||||
} elseif (string_ends_with($name, '.')) {
|
||||
|
@ -425,6 +450,19 @@ case "editrecord":
|
|||
$old_record = decode_record_id(isset($_POST['id']) ? $_POST['id'] : '');
|
||||
|
||||
$rrset = $zone->getRRSet($old_record['name'], $old_record['type']);
|
||||
|
||||
if (!check_permissions($zone->id,PERM_UPDATE)) {
|
||||
jtable_respond(null, 'error', "You are not permitted to update records in " . $zone->id);
|
||||
break;
|
||||
}
|
||||
|
||||
if($restrictediting && $restrictedtypes[$old_record['type']]) {
|
||||
if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
|
||||
jtable_respond(null, 'error', "You are not permitted to update " . $old_record['type'] . " records in " . $zone->id);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
$rrset->deleteRecord($old_record['content']);
|
||||
|
||||
$content = $_POST['content'];
|
||||
|
@ -449,6 +487,19 @@ case "deleterecord":
|
|||
|
||||
$old_record = decode_record_id(isset($_POST['id']) ? $_POST['id'] : '');
|
||||
$rrset = $zone->getRRSet($old_record['name'], $old_record['type']);
|
||||
|
||||
if (!check_permissions($zone->id,PERM_UPDATE)) {
|
||||
jtable_respond(null, 'error', "You are not permitted to delete records from " . $zone->id);
|
||||
break;
|
||||
}
|
||||
|
||||
if($restrictediting && $restrictedtypes[$old_record['type']]) {
|
||||
if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
|
||||
jtable_respond(null, 'error', "You are not permitted to delete " . $old_record['type'] . " records from " . $zone->id);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
$rrset->deleteRecord($old_record['content']);
|
||||
|
||||
$api->savezone($zone->export());
|
||||
|
@ -466,6 +517,11 @@ case "clone":
|
|||
$name = $_POST['destname'];
|
||||
$src = $_POST['sourcename'];
|
||||
|
||||
if (!is_adminuser() and $allowzoneadd !== true) {
|
||||
jtable_respond(null, 'error', "You are not allowed to add zones");
|
||||
break;
|
||||
}
|
||||
|
||||
if (!string_ends_with($name, '.')) {
|
||||
$name = $name.".";
|
||||
}
|
||||
|
|
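Review bot: In hunk `@ -382,6 +395,18 @@ case "createrecord"`, the new gate `if($restrictediting && $restrictedtypes[$type])` indexes `$restrictedtypes` with `$type` taken straight from `$_POST['type']`; any type not present as a key raises an undefined-index warning and evaluates falsy, so whether an unlisted type skips the `PERM_UPDATESPECIAL` check is decided by a notice rather than an explicit rule. The same construct appears in the `editrecord` and `deleterecord` hunks with `$old_record['type']`. I would write the lookup as `if ($restrictediting && !empty($restrictedtypes[$type])) {` (and the `$old_record['type']` equivalents), which keeps the current outcome for listed types while making the unlisted-type case explicit; `$restrictedtypes` and `$restrictediting` are presumably configuration, which is not visible in this diff.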