security fix: CP-24: Manage Website – Domain Alias (Delete)

usmannasir · usmannasir · commit a288a8875460 · 2021-08-20T19:42:06.000+05:00
diff --git a/plogical/acl.py b/plogical/acl.py
@@ -7,7 +7,7 @@
 from loginSystem.models import Administrator, ACL
 from django.shortcuts import HttpResponse
 from packages.models import Package
-from websiteFunctions.models import Websites, ChildDomains
+from websiteFunctions.models import Websites, ChildDomains, aliasDomains
 import json
 from subprocess import call, CalledProcessError
 from shlex import split
@@ -43,6 +43,16 @@ class ACLManager:
               '"dkimManager": 1, "createFTPAccount": 1, "deleteFTPAccount": 1, "listFTPAccounts": 1, "createBackup": 1,' \
               ' "restoreBackup": 0, "addDeleteDestinations": 0, "scheduleBackups": 0, "remoteBackups": 0, "googleDriveBackups": 1, "manageSSL": 1, ' \
               '"hostnameSSL": 0, "mailServerSSL": 0 }'
+    @staticmethod
+    def AliasDomainCheck(currentACL, aliasDomain, master):
+        aliasOBJ = aliasDomains.objects.get(aliasDomain=aliasDomain)
+        masterOBJ = Websites.objects.get(domain=master)
+        if currentACL['admin'] == 1:
+            return 1
+        elif aliasOBJ.master == masterOBJ:
+            return 1
+        else:
+            return 0
 
     @staticmethod
     def CheckPackageOwnership(package, admin, currentACL):
diff --git a/websiteFunctions/website.py b/websiteFunctions/website.py
@@ -1674,6 +1674,11 @@ def issueAliasSSL(self, userID=None, data=None):
             else:
                 return ACLManager.loadErrorJson('sslStatus', 0)
 
+            if ACLManager.AliasDomainCheck(currentACL, aliasDomain, self.domain) == 1:
+                pass
+            else:
+                return ACLManager.loadErrorJson('sslStatus', 0)
+
             sslpath = "/home/" + self.domain + "/public_html"
 
             ## Create Configurations
@@ -1711,6 +1716,11 @@ def delateAlias(self, userID=None, data=None):
             else:
                 return ACLManager.loadErrorJson('deleteAlias', 0)
 
+            if ACLManager.AliasDomainCheck(currentACL, aliasDomain, self.domain) == 1:
+                pass
+            else:
+                return ACLManager.loadErrorJson('deleteAlias', 0)
+
             ## Create Configurations
 
             execPath = "/usr/local/CyberCP/bin/python " + virtualHostUtilities.cyberPanel + "/plogical/virtualHostUtilities.py"
