From 4f118af176376bf1bf217e84f0f9bb872502d0ea Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Mon, 9 Jan 2017 10:29:56 +0000
Subject: [PATCH] Permissions in zones.php

---
 includes/permissions.inc.php | 22 ++++++++++++
 index.php                    |  2 ++
 zones.php                    | 70 ++++++++++++++++++++++++++++++++----
 3 files changed, 87 insertions(+), 7 deletions(-)

diff --git a/includes/permissions.inc.php b/includes/permissions.inc.php
index cab5164..805899a 100644
--- a/includes/permissions.inc.php
+++ b/includes/permissions.inc.php
@@ -31,6 +31,9 @@ define('PERM_UPDATE',0x02);
 define('PERM_UPDATESPECIAL',0x04);
 define('PERM_ADMIN',0x08);
 
+define('PERM_ALL',0xffff);
+
+
 // Interface function - Return an array of permissions for the zone
 function get_zone_permissions($zone) {
     $db = get_db();
@@ -184,8 +187,27 @@ function group_permissions($zone,$groupid) {
     }
 }
 
+// utility function - get the owner of the domain. Move to misc?
+function zone_owner($zone) {
+    $db = get_db();
+
+    $q = $db->prepare('SELECT owner FROM zones WHERE zones.zone=?');
+    $q->bindValue(1,$zone,SQLITE3_TEXT);
+    $r = $q->execute();
+    if($r) {
+        $ret = $r->fetchArray(SQLITE3_NUM);
+        return $ret[0];
+    } else {
+        return null;
+    }
+}
+
 // Utility function - Return the calculated permissions for this user/zone
 function permissions($zone,$userid) {
+    if(is_adminuser() || ($userid == zone_owner($zone))) {
+        return PERM_ALL;
+    }
+
     $perm=user_permissions($zone,$userid);
 
     if(!is_null($perm)) {
diff --git a/index.php b/index.php
index c2ff50c..cf064b5 100644
--- a/index.php
+++ b/index.php
@@ -808,6 +808,7 @@ $(document).ready(function () {
                     return $img;
                 }
             },
+           <?php if (is_adminuser()) { ?>
             permissions: {
                 title: 'Permissions',
                 width: '10%',
@@ -881,6 +882,7 @@ $(document).ready(function () {
                     return $img;
                 }
             },
+            <?php } ?>
             exportzone: {
                 title: '',
                 width: '1%',
diff --git a/zones.php b/zones.php
index 55e7a6d..ac47e68 100644
--- a/zones.php
+++ b/zones.php
@@ -152,10 +152,6 @@ function quote_content($content) {
     return $content;
 }
 
-function check_account($zone) {
-    return is_adminuser() or ($zone->account === get_sess_user()) or check_permissions($zone->id,PERM_VIEW);
-}
-
 if (isset($_GET['action'])) {
     $action = $_GET['action'];
 } else {
@@ -178,7 +174,7 @@ case "listslaves":
             $zone->setAccount(get_zone_account($zone->name, 'admin'));
         }
 
-        if (!check_account($zone))
+        if (!check_permissions($zone->id,PERM_VIEW))
             continue;
 
         if ($action == "listslaves" and $zone->kind == "Slave") {
@@ -200,7 +196,10 @@ case "listrecords":
     $zone->parse($zonedata);
     $records = $zone->rrsets2records();
 
-//    if(permissions($zone->id))
+    if (!check_permissions($zone->id,PERM_VIEW)) {
+        jtable_respond(null, 'error', "You are not permitted to list records for " . $zone->id);
+        break;
+    }
     if(!empty($_POST['label'])) {
         $records=array_filter($records,
             function ($val) {
@@ -249,6 +248,12 @@ case "listrecords":
 
 case "delete":
     $zone = $api->loadzone($_POST['id']);
+
+    if (!check_permissions($zone->id,PERM_ADMIN)) {
+        jtable_respond(null, 'error', "You are not permitted to delete " . $zone->id);
+        break;
+    }
+
     $api->deletezone($_POST['id']);
 
     delete_db_zone($zone['name']);
@@ -263,13 +268,16 @@ case "create":
 
     if (!is_adminuser() and $allowzoneadd !== true) {
         jtable_respond(null, 'error', "You are not allowed to add zones");
+        break;
     }
     if (!_valid_label($zonename)) {
         jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
+        break;
     }
 
     if (!$zonename || !$zonekind) {
         jtable_respond(null, 'error', "Not enough data");
+        break;
     }
 
     $zone = new Zone();
@@ -351,10 +359,15 @@ case "update":
         writelog("Set SOA-EDIT-API to ".$defaults['soa_edit_api']." for ",$zone->name);
     $zoneaccount = isset($_POST['account']) ? $_POST['account'] : $zone->account;
 
+    if (!check_permissions($zone->id,PERM_ADMIN)) {
+        jtable_respond(null, 'error', "You are not permitted to update " . $zone->id);
+        break;
+    }
+
     if ($zone->account !== $zoneaccount) {
         if (!is_adminuser()) {
             header("Status: 403 Access denied");
-            jtable_respond(null, 'error', "Can't change account");
+            jtable_respond(null, 'error', "Can't change owner");
         } else {
             add_db_zone($zone->name, $zoneaccount);
             $zone->setAccount($zoneaccount);
@@ -382,6 +395,18 @@ case "createrecord":
     $type = $_POST['type'];
     $content = $_POST['content'];
 
+    if (!check_permissions($zone->id,PERM_UPDATE)) {
+        jtable_respond(null, 'error', "You are not permitted to create records in " . $zone->id);
+        break;
+    }
+
+    if($restrictediting && $restrictedtypes[$type]) {
+        if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
+            jtable_respond(null, 'error', "You are not permitted to create $type records in " . $zone->id);
+            break;
+        }
+    }
+
     if ('' == $name) {
         $name = $zone->name;
     } elseif (string_ends_with($name, '.')) {
@@ -425,6 +450,19 @@ case "editrecord":
     $old_record = decode_record_id(isset($_POST['id']) ? $_POST['id'] : '');
 
     $rrset = $zone->getRRSet($old_record['name'], $old_record['type']);
+
+    if (!check_permissions($zone->id,PERM_UPDATE)) {
+        jtable_respond(null, 'error', "You are not permitted to update records in " . $zone->id);
+        break;
+    }
+
+    if($restrictediting && $restrictedtypes[$old_record['type']]) {
+        if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
+            jtable_respond(null, 'error', "You are not permitted to update " . $old_record['type'] . " records in " . $zone->id);
+            break;
+        }
+    }
+
     $rrset->deleteRecord($old_record['content']);
 
     $content = $_POST['content'];
@@ -449,6 +487,19 @@ case "deleterecord":
 
     $old_record = decode_record_id(isset($_POST['id']) ? $_POST['id'] : '');
     $rrset = $zone->getRRSet($old_record['name'], $old_record['type']);
+
+    if (!check_permissions($zone->id,PERM_UPDATE)) {
+        jtable_respond(null, 'error', "You are not permitted to delete records from " . $zone->id);
+        break;
+    }
+
+    if($restrictediting && $restrictedtypes[$old_record['type']]) {
+        if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
+            jtable_respond(null, 'error', "You are not permitted to delete " . $old_record['type'] . " records from " . $zone->id);
+            break;
+        }
+    }
+
     $rrset->deleteRecord($old_record['content']);
 
     $api->savezone($zone->export());
@@ -466,6 +517,11 @@ case "clone":
     $name = $_POST['destname'];
     $src  = $_POST['sourcename'];
 
+    if (!is_adminuser() and $allowzoneadd !== true) {
+        jtable_respond(null, 'error', "You are not allowed to add zones");
+        break;
+    }
+
     if (!string_ends_with($name, '.')) {
         $name = $name.".";
     }