jostreff/nsedit
1
0
Fork 0
mirror of https://github.com/tuxis-ie/nsedit.git synced 2025-05-08 22:43:58 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Permissions in zones.php

Browse source
This commit is contained in:
Richard Underwood 2017-01-09 10:29:56 +00:00
parent 6d56c7a44f
commit 4f118af176
3 changed files with 87 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
includes/permissions.inc.php
View file

@ -31,6 +31,9 @@ define('PERM_UPDATE',0x02);
define('PERM_UPDATESPECIAL',0x04); define('PERM_UPDATESPECIAL',0x04);
define('PERM_ADMIN',0x08); define('PERM_ADMIN',0x08);
define('PERM_ALL',0xffff);
// Interface function - Return an array of permissions for the zone // Interface function - Return an array of permissions for the zone
function get_zone_permissions($zone) { function get_zone_permissions($zone) {
$db = get_db(); $db = get_db();
@ -184,8 +187,27 @@ function group_permissions($zone,$groupid) {
} }
} }
// utility function - get the owner of the domain. Move to misc?
function zone_owner($zone) {
$db = get_db();
$q = $db->prepare('SELECT owner FROM zones WHERE zones.zone=?');
$q->bindValue(1,$zone,SQLITE3_TEXT);
$r = $q->execute();
if($r) {
$ret = $r->fetchArray(SQLITE3_NUM);
return $ret[0];
} else {
return null;
}
}
// Utility function - Return the calculated permissions for this user/zone // Utility function - Return the calculated permissions for this user/zone
function permissions($zone,$userid) { function permissions($zone,$userid) {
if(is_adminuser() || ($userid == zone_owner($zone))) {
return PERM_ALL;
}
$perm=user_permissions($zone,$userid); $perm=user_permissions($zone,$userid);
if(!is_null($perm)) { if(!is_null($perm)) {

2
index.php
View file

@ -808,6 +808,7 @@ $(document).ready(function () {
return $img; return $img;
} }
}, },
<?php if (is_adminuser()) { ?>
permissions: { permissions: {
title: 'Permissions', title: 'Permissions',
width: '10%', width: '10%',
@ -881,6 +882,7 @@ $(document).ready(function () {
return $img; return $img;
} }
}, },
<?php } ?>
exportzone: { exportzone: {
title: '', title: '',
width: '1%', width: '1%',

70
zones.php
View file

@ -152,10 +152,6 @@ function quote_content($content) {
return $content; return $content;
} }
function check_account($zone) {
return is_adminuser() or ($zone->account === get_sess_user()) or check_permissions($zone->id,PERM_VIEW);
}
if (isset($_GET['action'])) { if (isset($_GET['action'])) {
$action = $_GET['action']; $action = $_GET['action'];
} else { } else {
@ -178,7 +174,7 @@ case "listslaves":
$zone->setAccount(get_zone_account($zone->name, 'admin')); $zone->setAccount(get_zone_account($zone->name, 'admin'));
} }
if (!check_account($zone)) if (!check_permissions($zone->id,PERM_VIEW))
continue; continue;
if ($action == "listslaves" and $zone->kind == "Slave") { if ($action == "listslaves" and $zone->kind == "Slave") {
@ -200,7 +196,10 @@ case "listrecords":
$zone->parse($zonedata); $zone->parse($zonedata);
$records = $zone->rrsets2records(); $records = $zone->rrsets2records();
// if(permissions($zone->id)) if (!check_permissions($zone->id,PERM_VIEW)) {
jtable_respond(null, 'error', "You are not permitted to list records for " . $zone->id);
break;
}
if(!empty($_POST['label'])) { if(!empty($_POST['label'])) {
$records=array_filter($records, $records=array_filter($records,
function ($val) { function ($val) {
@ -249,6 +248,12 @@ case "listrecords":
case "delete": case "delete":
$zone = $api->loadzone($_POST['id']); $zone = $api->loadzone($_POST['id']);
if (!check_permissions($zone->id,PERM_ADMIN)) {
jtable_respond(null, 'error', "You are not permitted to delete " . $zone->id);
break;
}
$api->deletezone($_POST['id']); $api->deletezone($_POST['id']);
delete_db_zone($zone['name']); delete_db_zone($zone['name']);
@ -263,13 +268,16 @@ case "create":
if (!is_adminuser() and $allowzoneadd !== true) { if (!is_adminuser() and $allowzoneadd !== true) {
jtable_respond(null, 'error', "You are not allowed to add zones"); jtable_respond(null, 'error', "You are not allowed to add zones");
break;
} }
if (!_valid_label($zonename)) { if (!_valid_label($zonename)) {
jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]"); jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
break;
} }
if (!$zonename || !$zonekind) { if (!$zonename || !$zonekind) {
jtable_respond(null, 'error', "Not enough data"); jtable_respond(null, 'error', "Not enough data");
break;
} }
$zone = new Zone(); $zone = new Zone();
@ -351,10 +359,15 @@ case "update":
writelog("Set SOA-EDIT-API to ".$defaults['soa_edit_api']." for ",$zone->name); writelog("Set SOA-EDIT-API to ".$defaults['soa_edit_api']." for ",$zone->name);
$zoneaccount = isset($_POST['account']) ? $_POST['account'] : $zone->account; $zoneaccount = isset($_POST['account']) ? $_POST['account'] : $zone->account;
if (!check_permissions($zone->id,PERM_ADMIN)) {
jtable_respond(null, 'error', "You are not permitted to update " . $zone->id);
break;
}
if ($zone->account !== $zoneaccount) { if ($zone->account !== $zoneaccount) {
if (!is_adminuser()) { if (!is_adminuser()) {
header("Status: 403 Access denied"); header("Status: 403 Access denied");
jtable_respond(null, 'error', "Can't change account"); jtable_respond(null, 'error', "Can't change owner");
} else { } else {
add_db_zone($zone->name, $zoneaccount); add_db_zone($zone->name, $zoneaccount);
$zone->setAccount($zoneaccount); $zone->setAccount($zoneaccount);
@ -382,6 +395,18 @@ case "createrecord":
$type = $_POST['type']; $type = $_POST['type'];
$content = $_POST['content']; $content = $_POST['content'];
if (!check_permissions($zone->id,PERM_UPDATE)) {
jtable_respond(null, 'error', "You are not permitted to create records in " . $zone->id);
break;
}
if($restrictediting && $restrictedtypes[$type]) {
if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
jtable_respond(null, 'error', "You are not permitted to create $type records in " . $zone->id);
break;
}
}
if ('' == $name) { if ('' == $name) {
$name = $zone->name; $name = $zone->name;
} elseif (string_ends_with($name, '.')) { } elseif (string_ends_with($name, '.')) {
@ -425,6 +450,19 @@ case "editrecord":
$old_record = decode_record_id(isset($_POST['id']) ? $_POST['id'] : ''); $old_record = decode_record_id(isset($_POST['id']) ? $_POST['id'] : '');
$rrset = $zone->getRRSet($old_record['name'], $old_record['type']); $rrset = $zone->getRRSet($old_record['name'], $old_record['type']);
if (!check_permissions($zone->id,PERM_UPDATE)) {
jtable_respond(null, 'error', "You are not permitted to update records in " . $zone->id);
break;
}
if($restrictediting && $restrictedtypes[$old_record['type']]) {
if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
jtable_respond(null, 'error', "You are not permitted to update " . $old_record['type'] . " records in " . $zone->id);
break;
}
}
$rrset->deleteRecord($old_record['content']); $rrset->deleteRecord($old_record['content']);
$content = $_POST['content']; $content = $_POST['content'];
@ -449,6 +487,19 @@ case "deleterecord":
$old_record = decode_record_id(isset($_POST['id']) ? $_POST['id'] : ''); $old_record = decode_record_id(isset($_POST['id']) ? $_POST['id'] : '');
$rrset = $zone->getRRSet($old_record['name'], $old_record['type']); $rrset = $zone->getRRSet($old_record['name'], $old_record['type']);
if (!check_permissions($zone->id,PERM_UPDATE)) {
jtable_respond(null, 'error', "You are not permitted to delete records from " . $zone->id);
break;
}
if($restrictediting && $restrictedtypes[$old_record['type']]) {
if (!check_permissions($zone->id,PERM_UPDATESPECIAL)) {
jtable_respond(null, 'error', "You are not permitted to delete " . $old_record['type'] . " records from " . $zone->id);
break;
}
}
$rrset->deleteRecord($old_record['content']); $rrset->deleteRecord($old_record['content']);
$api->savezone($zone->export()); $api->savezone($zone->export());
@ -466,6 +517,11 @@ case "clone":
$name = $_POST['destname']; $name = $_POST['destname'];
$src = $_POST['sourcename']; $src = $_POST['sourcename'];
if (!is_adminuser() and $allowzoneadd !== true) {
jtable_respond(null, 'error', "You are not allowed to add zones");
break;
}
if (!string_ends_with($name, '.')) { if (!string_ends_with($name, '.')) {
$name = $name."."; $name = $name.".";
} }