Merge branch 'stable' into v1.9.4

2025-11-06 21:35:55 +01:00 · 2020-01-23 20:14:13 +05:00
parent 4fb6355bf3 98737dcb59
commit c1eed3a432
3 changed files with 24 additions and 5 deletions
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -613,3 +613,16 @@ class ACLManager:
                childDomains.append(childDomain.domain)

        return childDomains
+
+    @staticmethod
+    def checkOwnerProtection(currentACL, owner, child):
+        if currentACL['admin'] == 1:
+            return 1
+        elif child.owner == owner.pk:
+            return 1
+        elif child == owner:
+            return 1
+        else:
+            return 0
+
+
--- a/userManagment/views.py
+++ b/userManagment/views.py
@@ -198,7 +198,7 @@ def submitUserCreation(request):
                newAdmin.save()
            elif currentACL['createNewUser'] == 1:

-                if selectedACL != 'user':
+                if selectedACL.name != 'user':
                    data_ret = {'status': 0, 'createStatus': 0,
                                'error_message': "You are not authorized to access this resource."}

--- a/websiteFunctions/website.py
+++ b/websiteFunctions/website.py
@@ -163,10 +163,7 @@ class WebsiteManager:

    def submitWebsiteCreation(self, userID=None, data=None):
        try:
-
            currentACL = ACLManager.loadedACL(userID)
-            if ACLManager.currentContextPermission(currentACL, 'createWebsite') == 0:
-                return ACLManager.loadErrorJson('createWebSiteStatus', 0)

            domain = data['domainName']
            adminEmail = data['adminEmail']
@@ -174,6 +171,15 @@ class WebsiteManager:
            packageName = data['package']
            websiteOwner = data['websiteOwner']

+            loggedUser = Administrator.objects.get(pk=userID)
+            newOwner = Administrator.objects.get(userName=websiteOwner)
+            if ACLManager.currentContextPermission(currentACL, 'createWebsite') == 0:
+                return ACLManager.loadErrorJson('createWebSiteStatus', 0)
+
+            if ACLManager.checkOwnerProtection(currentACL, loggedUser, newOwner) == 0:
+                return ACLManager.loadErrorJson('createWebSiteStatus', 0)
+
+
            if not match(r'([\da-z\.-]+\.[a-z\.]{2,12}|[\d\.]+)([\/:?=&#]{1}[\da-z\.-]+)*[\/\?]?', domain,
                  M | I):
                data_ret = {'status': 0, 'createWebSiteStatus': 0, 'error_message': "Invalid domain."}