security fix: CP-24: Manage Website – Domain Alias (Delete)

2025-11-06 21:35:55 +01:00 · 2021-08-20 19:42:06 +05:00
parent 9a47edc9ec
commit a288a88754
2 changed files with 21 additions and 1 deletions
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -7,7 +7,7 @@ django.setup()
 from loginSystem.models import Administrator, ACL
 from django.shortcuts import HttpResponse
 from packages.models import Package
-from websiteFunctions.models import Websites, ChildDomains
+from websiteFunctions.models import Websites, ChildDomains, aliasDomains
 import json
 from subprocess import call, CalledProcessError
 from shlex import split
@@ -43,6 +43,16 @@ class ACLManager:
              '"dkimManager": 1, "createFTPAccount": 1, "deleteFTPAccount": 1, "listFTPAccounts": 1, "createBackup": 1,' \
              ' "restoreBackup": 0, "addDeleteDestinations": 0, "scheduleBackups": 0, "remoteBackups": 0, "googleDriveBackups": 1, "manageSSL": 1, ' \
              '"hostnameSSL": 0, "mailServerSSL": 0 }'
+    @staticmethod
+    def AliasDomainCheck(currentACL, aliasDomain, master):
+        aliasOBJ = aliasDomains.objects.get(aliasDomain=aliasDomain)
+        masterOBJ = Websites.objects.get(domain=master)
+        if currentACL['admin'] == 1:
+            return 1
+        elif aliasOBJ.master == masterOBJ:
+            return 1
+        else:
+            return 0

    @staticmethod
    def CheckPackageOwnership(package, admin, currentACL):
--- a/websiteFunctions/website.py
+++ b/websiteFunctions/website.py
@@ -1674,6 +1674,11 @@ class WebsiteManager:
            else:
                return ACLManager.loadErrorJson('sslStatus', 0)

+            if ACLManager.AliasDomainCheck(currentACL, aliasDomain, self.domain) == 1:
+                pass
+            else:
+                return ACLManager.loadErrorJson('sslStatus', 0)
+
            sslpath = "/home/" + self.domain + "/public_html"

            ## Create Configurations
@@ -1711,6 +1716,11 @@ class WebsiteManager:
            else:
                return ACLManager.loadErrorJson('deleteAlias', 0)

+            if ACLManager.AliasDomainCheck(currentACL, aliasDomain, self.domain) == 1:
+                pass
+            else:
+                return ACLManager.loadErrorJson('deleteAlias', 0)
+
            ## Create Configurations

            execPath = "/usr/local/CyberCP/bin/python " + virtualHostUtilities.cyberPanel + "/plogical/virtualHostUtilities.py"