security fix: CP-11: Admin Packages Delete Package

2025-11-07 05:45:59 +01:00 · 2021-08-02 12:21:11 +05:00
parent c0a8aee7d7
commit a84e2c29b2
2 changed files with 18 additions and 0 deletions
--- a/packages/packagesManager.py
+++ b/packages/packagesManager.py
@@ -109,6 +109,12 @@ class PackagesManager:
            packageName = data['packageName']

            delPackage = Package.objects.get(packageName=packageName)
+
+            ## Check package ownership
+            admin = Administrator.objects.get(pk=userID)
+            if ACLManager.CheckPackageOwnership(delPackage, admin, currentACL) == 0:
+                return ACLManager.loadErrorJson('deleteStatus', 0)
+
            delPackage.delete()

            data_ret = {'status': 1, 'deleteStatus': 1, 'error_message': "None"}
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -43,6 +43,18 @@ class ACLManager:
              '"dkimManager": 1, "createFTPAccount": 1, "deleteFTPAccount": 1, "listFTPAccounts": 1, "createBackup": 1,' \
              ' "restoreBackup": 0, "addDeleteDestinations": 0, "scheduleBackups": 0, "remoteBackups": 0, "googleDriveBackups": 1, "manageSSL": 1, ' \
              '"hostnameSSL": 0, "mailServerSSL": 0 }'
+
+    @staticmethod
+    def CheckPackageOwnership(package, admin, currentACL):
+        if currentACL['admin'] == 1:
+            return 1
+        elif package.admin == admin:
+            return 1
+        else:
+            return 0
+
+
+
    @staticmethod
    def FindIfChild():
        try: