security fix: CP-36: DNS – Add / Delete Records

2026-02-28 09:20:43 +01:00 · 2021-08-30 13:25:53 +05:00
parent f6fcbe9b0a
commit 238208d662
2 changed files with 15 additions and 0 deletions
--- a/dns/dnsManager.py
+++ b/dns/dnsManager.py
@@ -434,6 +434,11 @@ class DNSManager:

            record = Records.objects.get(pk=data['id'])

+            if ACLManager.VerifyRecordOwner(currentACL, record, zoneDomain) == 1:
+                pass
+            else:
+                return ACLManager.loadErrorJson()
+
            if data['nameNow'] != None:
                record.name = data['nameNow']

--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -53,6 +53,16 @@ class ACLManager:
        else:
            return 0

+    @staticmethod
+    def VerifyRecordOwner(currentACL, record, domain):
+        if currentACL['admin'] == 1:
+            return 1
+        elif record.domainOwner.name == domain:
+            return 1
+        else:
+            return 0
+
+
    @staticmethod
    def AliasDomainCheck(currentACL, aliasDomain, master):
        aliasOBJ = aliasDomains.objects.get(aliasDomain=aliasDomain)