jostreff/nsedit
1
0
Fork 0
mirror of https://github.com/tuxis-ie/nsedit.git synced 2025-04-18 19:59:30 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Make cloning admin-only, check zones returned by formzonelist

Browse source 
Cloning was meant to be an admin-only functionality. However, this was not fully implemented: when `allowzoneadd = true`, the user could clone zones, even when not an admin. This is not necessarily a problem. But in this case, it is. Because the endpoint that is used to get zones to clone (`formzonelist`), did not check whether those zones belong to the current user. In other words: when `allowzoneadd = true` and the user is not an admin, that user is able to see *all zones* under 'Clone a zone' button -> 'Source domain' dropdown.

This commit fixes that, by letting `formzonelist` return only zones belonging to the user, and showing the 'Clone a zone' button only when the user is an admin.
This commit is contained in:
William Edwards 2024-04-17 12:09:32 +02:00
parent 76d70251bb
commit e8d028ba75
2 changed files with 8 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
index.php
View file

@ -181,8 +181,10 @@ if ($blocklogin === TRUE) {
} }
?> ?>
<div id="zones"> <div id="zones">
<?php if (is_adminuser() or $allowzoneadd === TRUE) { ?> <?php if ($allowzoneadd === TRUE) { ?>
<div style="display: none;" id="ImportZone"></div> <div style="display: none;" id="ImportZone"></div>
<?php } ?>
<?php if (is_adminuser()) { ?>
<div style="display: none;" id="CloneZone"></div> <div style="display: none;" id="CloneZone"></div>
<?php } ?> <?php } ?>
<div class="tables" id="MasterZones"> <div class="tables" id="MasterZones">
@ -503,7 +505,7 @@ $(document).ready(function () {
hoverAnimationDuration: 60, hoverAnimationDuration: 60,
hoverAnimationEasing: undefined, hoverAnimationEasing: undefined,
items: [ items: [
<?php if (is_adminuser() or $allowzoneadd === TRUE) { ?> <?php if ($allowzoneadd === TRUE) { ?>
{ {
icon: 'jtable/lib/themes/metro/add.png', icon: 'jtable/lib/themes/metro/add.png',
text: 'Import a new zone', text: 'Import a new zone',
@ -511,6 +513,8 @@ $(document).ready(function () {
$('#ImportZone').jtable('showCreateForm'); $('#ImportZone').jtable('showCreateForm');
} }
}, },
<?php } ?>
<?php if (is_adminuser()) { ?>
{ {
icon: 'jtable/lib/themes/metro/add.png', icon: 'jtable/lib/themes/metro/add.png',
text: 'Clone a zone', text: 'Clone a zone',
@ -887,7 +891,6 @@ $(document).ready(function () {
} }
}); });
$('#CloneZone').jtable({ $('#CloneZone').jtable({
title: 'Clone zone', title: 'Clone zone',
actions: { actions: {

2
zones.php
View file

@ -546,6 +546,8 @@ case "formzonelist":
usort($zones, "zone_compare"); usort($zones, "zone_compare");
$ret = array(); $ret = array();
foreach ($zones as $zone) { foreach ($zones as $zone) {
if (!check_account($zone))
continue;
if ($zone['kind'] == 'Slave') if ($zone['kind'] == 'Slave')
continue; continue;
array_push($ret, array( array_push($ret, array(