tuxis-ie / nsedit

DNS Editor working with PowerDNS's new API
GNU General Public License v2.0

Make cloning admin-only, check zones returned by formzonelist #203

Closed WilliamDEdwards closed 3 months ago

WilliamDEdwards commented 3 months ago

Cloning was meant to be an admin-only functionality. However, this was not fully implemented: when allowzoneadd = true, the user could clone zones, even when not an admin. This is not necessarily a problem. But in this case, it is, because the endpoint that is used to get zones to clone (formzonelist) did not check whether those zones belong to the current user. In other words: when allowzoneadd = true and the user is not an admin, that user is able to see all zones under the 'Clone a zone' button -> 'Source domain' dropdown.

This commit fixes that, by letting formzonelist return only zones belonging to the user, and showing the 'Clone a zone' button only when the user is an admin.
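The access-control gap described in this PR, modelled as an added PHP example (not nsedit's code and not part of the PR): the zone data, the user array shape and all function names are hypothetical. The server-side admin check in `clone_zone` is this example's own assumption; the PR text only describes filtering formzonelist and hiding the button.

```php
<?php
// Constructed sample data: zone name => owning account. Not taken from nsedit.
const ZONES = [
    'alice.example.' => 'alice',
    'bob.example.'   => 'bob',
    'corp.example.'  => 'admin',
];

// Hypothetical session user shape: ['name' => string, 'is_admin' => bool].

// Before: every stored zone is returned, whoever asks.
function formzonelist_unfiltered(array $user): array
{
    return array_keys(ZONES);
}

// After: non-admins only receive zones whose owner matches their account.
function formzonelist_filtered(array $user): array
{
    if ($user['is_admin'] === true) {
        return array_keys(ZONES);
    }
    return array_keys(array_filter(
        ZONES,
        fn(string $owner): bool => $owner === $user['name']
    ));
}

// Assumption of this example: cloning is also refused on the server,
// independent of allowzoneadd and of whether the UI rendered the
// 'Clone a zone' button, so a hand-built request cannot bypass the UI.
function clone_zone(array $user, string $source, string $target): array
{
    if ($user['is_admin'] !== true) {
        throw new RuntimeException('cloning is admin-only');
    }
    if (!array_key_exists($source, ZONES)) {
        throw new InvalidArgumentException('unknown source zone');
    }
    return ['name' => $target, 'cloned_from' => $source];
}

// Print the 'Source domain' list a non-admin would get from each version.
$bob = ['name' => 'bob', 'is_admin' => false];
echo implode(',', formzonelist_unfiltered($bob)), PHP_EOL;
echo implode(',', formzonelist_filtered($bob)), PHP_EOL;
```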

tuxis-ie commented 3 months ago

Looks good!