security fix: CP-36: DNS – Add / Delete Records

usmannasir · usmannasir · commit 238208d662d5 · 2021-08-30T13:25:53.000+05:00
diff --git a/dns/dnsManager.py b/dns/dnsManager.py
@@ -434,6 +434,11 @@ def updateRecord(self, userID = None, data = None):
 
             record = Records.objects.get(pk=data['id'])
 
+            if ACLManager.VerifyRecordOwner(currentACL, record, zoneDomain) == 1:
+                pass
+            else:
+                return ACLManager.loadErrorJson()
+
             if data['nameNow'] != None:
                 record.name = data['nameNow']
 
diff --git a/plogical/acl.py b/plogical/acl.py
@@ -53,6 +53,16 @@ def VerifySMTPHost(currentACL, owner, user):
         else:
             return 0
 
+    @staticmethod
+    def VerifyRecordOwner(currentACL, record, domain):
+        if currentACL['admin'] == 1:
+            return 1
+        elif record.domainOwner.name == domain:
+            return 1
+        else:
+            return 0
+
+
     @staticmethod
     def AliasDomainCheck(currentACL, aliasDomain, master):
         aliasOBJ = aliasDomains.objects.get(aliasDomain=aliasDomain)
