From 98737dcb59fa7939c6770e60f38b4eabadfe900a Mon Sep 17 00:00:00 2001
From: Usman Nasir
Date: Thu, 23 Jan 2020 20:13:29 +0500
Subject: [PATCH] add owner protection

---
 plogical/acl.py | 15 ++++++++++++++-
 userManagment/views.py | 2 +-
 websiteFunctions/website.py | 12 +++++++++---
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/plogical/acl.py b/plogical/acl.py
index 0e4724f23..3fd12a4c3 100755
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -612,4 +612,17 @@ class ACLManager:
         for childDomain in website.childdomains_set.all():
             childDomains.append(childDomain.domain)
-        return childDomains
\ No newline at end of file
+        return childDomains
+
+    @staticmethod
+    def checkOwnerProtection(currentACL, owner, child):
+        if currentACL['admin'] == 1:
+            return 1
+        elif child.owner == owner.pk:
+            return 1
+        elif child == owner:
+            return 1
+        else:
+            return 0
+
+
diff --git a/userManagment/views.py b/userManagment/views.py
index eb1b6f164..a28880778 100755
--- a/userManagment/views.py
+++ b/userManagment/views.py
@@ -198,7 +198,7 @@ def submitUserCreation(request):
                 newAdmin.save()
             elif currentACL['createNewUser'] == 1:
-                if selectedACL != 'user':
+                if selectedACL.name != 'user':
                     data_ret = {'status': 0, 'createStatus': 0, 'error_message': "You are not authorized to access this resource."}
diff --git a/websiteFunctions/website.py b/websiteFunctions/website.py
index a16cc5095..2066beacc 100755
--- a/websiteFunctions/website.py
+++ b/websiteFunctions/website.py
@@ -163,10 +163,7 @@ class WebsiteManager:
     def submitWebsiteCreation(self, userID=None, data=None):
         try:
-            currentACL = ACLManager.loadedACL(userID)
-            if ACLManager.currentContextPermission(currentACL, 'createWebsite') == 0:
-                return ACLManager.loadErrorJson('createWebSiteStatus', 0)
             domain = data['domainName']
             adminEmail = data['adminEmail']
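Review bot: The second branch of checkOwnerProtection, `elif child.owner == owner.pk:`, compares whatever `Administrator.owner` holds against an integer primary key; if that field is a ForeignKey rather than an IntegerField, Django's model `__eq__` makes the comparison always False and only admins and self-ownership would ever pass, so either confirm the field type or write `elif child.owner_id == owner.pk:`. Nothing in the function ties `currentACL` to `owner` — a caller passing one user's ACL with another user's record silently gets the admin short-circuit — so that precondition deserves a docstring such as `"""Return 1 if owner (whose loaded ACL is currentACL) may act on child: admins, self, or a direct sub-user; else 0."""`. Only one level of ownership is accepted, which is presumably intended but worth stating in the same docstring so a later reseller-of-reseller hierarchy is not assumed to work.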
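Review bot: The corrected check `if selectedACL.name != 'user':` turns a comparison that was always True (ACL object vs. string, so every delegated creation was refused) into a working delegation path, and it now hinges on the ACL's display name alone: any ACL object whose name is exactly `user` is accepted regardless of the permissions it carries, and the match is case-sensitive. If the built-in `user` ACL is the only one a `createNewUser` holder may assign, a comment saying so would document the trust boundary: `# non-admins may only hand out the built-in least-privilege 'user' ACL`. Comparing against a fixed primary key or the ACL's own flags would be less brittle if ACL names are editable, which cannot be told from this hunk; the surrounding function and the resolution of `selectedACL` lie outside it.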
@@ -174,6 +171,15 @@ class WebsiteManager:
             packageName = data['package']
             websiteOwner = data['websiteOwner']
+            loggedUser = Administrator.objects.get(pk=userID)
+            newOwner = Administrator.objects.get(userName=websiteOwner)
+            if ACLManager.currentContextPermission(currentACL, 'createWebsite') == 0:
+                return ACLManager.loadErrorJson('createWebSiteStatus', 0)
+
+            if ACLManager.checkOwnerProtection(currentACL, loggedUser, newOwner) == 0:
+                return ACLManager.loadErrorJson('createWebSiteStatus', 0)
+
+
             if not match(r'([\da-z\.-]+\.[a-z\.]{2,12}|[\d\.]+)([\/:?=&#]{1}[\da-z\.-]+)*[\/\?]?', domain, M | I):
                 data_ret = {'status': 0, 'createWebSiteStatus': 0, 'error_message': "Invalid domain."}
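Review bot: The added checks read `currentACL`, but the only assignment in this commit, `currentACL = ACLManager.loadedACL(userID)`, is deleted by the previous hunk and never re-added, so unless the one unseen line between the hunks defines it, `ACLManager.currentContextPermission(currentACL, 'createWebsite')` raises NameError on every call — presumably swallowed by the enclosing try/except, which fails closed but breaks website creation for everyone. Re-add `currentACL = ACLManager.loadedACL(userID)` immediately before the permission check. Also move that `createWebsite` check above the two `Administrator.objects.get` lookups: as ordered, a caller without the permission can still make `Administrator.objects.get(userName=websiteOwner)` raise `DoesNotExist` for a guessed name, and if the except branch echoes the exception text into the response that becomes a username-enumeration oracle. The enclosing try block starts and ends outside this hunk.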