From 6d56c7a44f710910fe61d83d19a5fbe658d3b657 Mon Sep 17 00:00:00 2001
From: Richard Underwood
Date: Fri, 6 Jan 2017 15:50:54 +0000
Subject: [PATCH] group permissions check & first check on index page

---
 includes/permissions.inc.php | 19 ++++++++++++++++++-
 zones.php | 3 ++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/includes/permissions.inc.php b/includes/permissions.inc.php
index 19ff495..cab5164 100644
--- a/includes/permissions.inc.php
+++ b/includes/permissions.inc.php
@@ -82,7 +82,7 @@ function set_permissions($userid,$groupid,$zone,$permissions) {
 writelog("Added '$permissionmap[$permissions]' permissions for $who from zone $zone.");
 return $db->lastInsertRowID();
 } else {
- writelog("Failed to add permissions to zone $zone for $who.");
+ writelog("Failed to add permissions to zone $zone ($zoneid) for $who.");
 return null;
 }
 }
@@ -192,8 +192,25 @@ function permissions($zone,$userid) {
 return $perm;
 } else {
 $perm=0;
+ $zoneid=get_zone_id($zone);
+ $db = get_db();
+ $q = $db->prepare('SELECT p.permissions FROM groupmembers gm LEFT JOIN permissions p ON p."group"=gm."group" WHERE zone=? AND p."group">0 AND gm.user=?');
+ $q->bindValue(1, $zoneid, SQLITE3_INTEGER);
+ $q->bindValue(2, $userid, SQLITE3_INTEGER);
+ $r = $q->execute();
+
+ while ($row = $r->fetchArray(SQLITE3_NUM)) {
+ $perm=$perm|$row[0];
+ }
+
 return $perm;
 }
 }
+// Utility function - check a permission for current user
+function check_permissions($zone,$permmask) {
+ return (bool) (permissions($zone,get_user_id(get_sess_user()))&$permmask);
+}
+
+
 ?>
diff --git a/zones.php b/zones.php
index 45f650d..55e7a6d 100644
--- a/zones.php
+++ b/zones.php
@@ -153,7 +153,7 @@ function quote_content($content) {
 }
 function check_account($zone) {
- return is_adminuser() or ($zone->account === get_sess_user());
+ return is_adminuser() or ($zone->account === get_sess_user()) or check_permissions($zone->id,PERM_VIEW);
 }
 if (isset($_GET['action'])) {
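Review bot: `$r = $q->execute();` in permissions() is never checked; SQLite3Stmt::execute() returns false on failure, so the `$r->fetchArray(SQLITE3_NUM)` loop that follows would abort the request on a non-object instead of simply denying access. A guard such as `if ($r === false) { return $perm; }` keeps the function fail-closed at 0 (and the writelog() used elsewhere in this file could record the failure). `$zoneid=get_zone_id($zone)` is likewise bound as SQLITE3_INTEGER without checking the lookup succeeded; if get_zone_id() returns null for an unknown zone that presumably binds as 0 — worth confirming no permissions row can carry zone 0. The LEFT JOIN is an inner join in effect, since the WHERE clause requires `p."group">0`; a comment above the query like `// OR together the permission bits of every group the user belongs to for this zone` would state what the loop computes. permissions() begins before this hunk.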
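Review bot: check_account() now hands `$zone->id` to check_permissions(), but permissions() resolves its first argument with `get_zone_id($zone)`, and the set_permissions() log in the first hunk distinguishes `$zone` from `$zoneid`, so a numeric id appears to be passed to a lookup that expects a zone name. Unless get_zone_id() also accepts an id, the lookup would presumably fail and group members would still be denied PERM_VIEW; the two call sites should agree on whether the argument is a name or an id. That expectation is worth recording on the helper itself, e.g. `// $zone: zone name (resolved via get_zone_id); $permmask: PERM_* bit(s) to test` above check_permissions(). The rest of this hunk around check_account() is unchanged context.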
@@ -200,6 +200,7 @@ case "listrecords":
 $zone->parse($zonedata);
 $records = $zone->rrsets2records();
+// if(permissions($zone->id))
 if(!empty($_POST['label'])) {
 $records=array_filter($records, function ($val) {