tuxis-ie / nsedit

DNS Editor working with PowerDNS's new API
GNU General Public License v2.0
197 stars 56 forks source link

Make cloning admin-only, check zones returned by formzonelist #203

Closed WilliamDEdwards closed 7 months ago

WilliamDEdwards commented 7 months ago

Cloning was meant to be an admin-only functionality. However, this was not fully implemented: when allowzoneadd = true, the user could clone zones, even when not an admin. This is not necessarily a problem. But in this case, it is. Because the endpoint that is used to get zones to clone (formzonelist), did not check whether those zones belong to the current user. In other words: when allowzoneadd = true and the user is not an admin, that user is able to see all zones under 'Clone a zone' button -> 'Source domain' dropdown.

This commit fixes that, by letting formzonelist return only zones belonging to the user, and showing the 'Clone a zone' button only when the user is an admin.

tuxis-ie commented 7 months ago

Looks good!