jostreff/nsedit
1
0
Fork 0
mirror of https://github.com/tuxis-ie/nsedit.git synced 2025-07-25 19:54:09 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Make cloning admin-only, check zones returned by formzonelist

Browse source 
Cloning was meant to be an admin-only functionality. However, this was not fully implemented: when `allowzoneadd = true`, the user could clone zones, even when not an admin. This is not necessarily a problem. But in this case, it is. Because the endpoint that is used to get zones to clone (`formzonelist`), did not check whether those zones belong to the current user. In other words: when `allowzoneadd = true` and the user is not an admin, that user is able to see *all zones* under 'Clone a zone' button -> 'Source domain' dropdown.

This commit fixes that, by letting `formzonelist` return only zones belonging to the user, and showing the 'Clone a zone' button only when the user is an admin.
This commit is contained in:
William Edwards 2024-04-17 12:09:32 +02:00
parent 76d70251bb
commit e8d028ba75
2 changed files with 8 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
zones.php
View file

@ -546,6 +546,8 @@ case "formzonelist":
usort($zones, "zone_compare");
$ret = array();
foreach ($zones as $zone) {
if (!check_account($zone))
continue;
if ($zone['kind'] == 'Slave')
continue;
array_push($ret, array(