From 238208d662d54748d8dbc4c8aa421fe1c6b6d223 Mon Sep 17 00:00:00 2001
From: Usman Nasir
Date: Mon, 30 Aug 2021 13:25:53 +0500
Subject: [PATCH] =?UTF-8?q?security=20fix:=20CP-36:=20DNS=20=E2=80=93=20Ad?= =?UTF-8?q?d=20/=20Delete=20Records?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 dns/dnsManager.py | 5 +++++
 plogical/acl.py | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/dns/dnsManager.py b/dns/dnsManager.py
index 92dac0f9e..7142455b6 100755
--- a/dns/dnsManager.py
+++ b/dns/dnsManager.py
@@ -434,6 +434,11 @@ class DNSManager:
 record = Records.objects.get(pk=data['id'])
+ if ACLManager.VerifyRecordOwner(currentACL, record, zoneDomain) == 1:
+ pass
+ else:
+ return ACLManager.loadErrorJson()
+
 if data['nameNow'] != None:
 record.name = data['nameNow']
diff --git a/plogical/acl.py b/plogical/acl.py
index 4ef34cd62..be7e1be2e 100644
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -53,6 +53,16 @@ class ACLManager:
 else:
 return 0
+ @staticmethod
+ def VerifyRecordOwner(currentACL, record, domain):
+ if currentACL['admin'] == 1:
+ return 1
+ elif record.domainOwner.name == domain:
+ return 1
+ else:
+ return 0
+
+
 @staticmethod
 def AliasDomainCheck(currentACL, aliasDomain, master):
 aliasOBJ = aliasDomains.objects.get(aliasDomain=aliasDomain)
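Review bot: The added guard in dns/dnsManager.py is only as strong as whatever validated `zoneDomain` earlier in this method, and that code is outside the hunk. `VerifyRecordOwner` (added in plogical/acl.py) accepts a non-admin whenever `record.domainOwner.name == domain` and never looks at the calling user. If `zoneDomain` is taken from the request without a prior ownership check on that zone, a record id and zone name belonging to another tenant would still pass. Please confirm an ownership check on `zoneDomain` runs before the `Records.objects.get(pk=data['id'])` lookup. Any other handler in this file that loads a record by a client-supplied `id` also needs the same guard, since the diffstat shows this is the only call site the commit adds. As a style point, the `== 1: pass / else:` shape reads more directly as `if ACLManager.VerifyRecordOwner(currentACL, record, zoneDomain) != 1: return ACLManager.loadErrorJson()`.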
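Review bot: `VerifyRecordOwner` in plogical/acl.py has no docstring, and its name promises more than the body checks: it verifies that the record belongs to the named zone, not that the caller owns either. I would add a docstring that states the contract, for example `"""Return 1 if the caller is admin or the record belongs to zone 'domain', else 0. The caller must already have verified ownership of 'domain'."""`. The function also dereferences `currentACL['admin']` and `record.domainOwner` unguarded, so a missing key or a record without an owning zone would raise instead of returning 0. Whether either case can occur is not visible in this hunk, but a deny-by-default fallback would be the safer behaviour for an access check.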