Author: falkotimme

interface/lib/classes/tform.inc.php

@@ -855,10 +855,10 @@ function checkPerm($record_id,$perm) {
                         $result = false;
                         if($this->formDef["auth_preset"]["userid"] == $_SESSION["s"]["user"]["userid"] && stristr($perm,$this->formDef["auth_preset"]["perm_user"])) $result = true;
                         if($this->formDef["auth_preset"]["groupid"] == $_SESSION["s"]["user"]["groupid"] && stristr($perm,$this->formDef["auth_preset"]["perm_group"])) $result = true;
-                        if(@stristr($perm,$this->formDef["auth_preset"]["perm_other"])) $result = true;
+                        if(@stristr($this->formDef["auth_preset"]["perm_other"],$perm)) $result = true;
 
                         // if preset == 0, everyone can insert a record of this type
-                        if($this->formDef["auth_preset"]["userid"] == 0 AND $this->formDef["auth_preset"]["groupid"] == 0 AND (@stristr($perm,$this->formDef["auth_preset"]["perm_user"] OR @stristr($perm,$this->formDef["auth_preset"]["perm_group"])) $result = true;
+                        if($this->formDef["auth_preset"]["userid"] == 0 AND $this->formDef["auth_preset"]["groupid"] == 0 AND (@stristr($this->formDef["auth_preset"]["perm_user"],$perm) OR @stristr($this->formDef["auth_preset"]["perm_group"],$perm))) $result = true;
 
                         return $result;
 

interface/lib/classes/validate_dns.inc.php

@@ -103,7 +103,7 @@ function validate_field($field, $area, $zoneid, $wildcard_allowed = 1){
   if(substr($field, -1) == '.'){
     if($i > 2 && $empty > 1) $error .= $desc." ".$app->tform->wordbook['error_invalid_characters']."<br>\r\n";
   } else {
-    if($empty > 0) $error .= $desc." ".$app->tform->wordbook['error_invalid_characters']."<br>\r\n";
+    if($empty > 0 && $field != '') $error .= $desc." ".$app->tform->wordbook['error_invalid_characters']."<br>\r\n";
   }
 
   if(substr($field, -1) == '.' && $area == 'Name'){

interface/web/dns/form/rr.tform.php

@@ -42,7 +42,7 @@
 $form["db_history"]                = "yes";
 $form["tab_default"]        = "rr";
 $form["list_default"]        = "rr_list.php";
-$form["auth"]                        = 'no';  // yes / no
+$form["auth"]                        = 'yes';  // yes / no
 
 $form["auth_preset"]["userid"]  = 0; // 0 = id of the user, > 0 id must match with id of current user
 $form["auth_preset"]["groupid"] = 0; // 0 = default groupid of the user, > 0 id must match with groupid of current user

interface/web/dns/form/soa.tform.php

@@ -42,7 +42,7 @@
 $form["db_history"]                = "yes";
 $form["tab_default"]        = "soa";
 $form["list_default"]        = "soa_list.php";
-$form["auth"]                        = 'no'; // yes / no
+$form["auth"]                        = 'yes'; // yes / no
 
 $form["auth_preset"]["userid"]  = 0; // 0 = id of the user, > 0 id must match with id of current user
 $form["auth_preset"]["groupid"] = 0; // 0 = default groupid of the user, > 0 id must match with groupid of current user

interface/web/dns/rr_del.php

@@ -56,7 +56,10 @@ class page_action extends tform_actions {
         function onDelete() {
                 global $app, $conf;
 
-                $rr = $app->db->queryOneRecord("SELECT * FROM rr WHERE id = ".$_REQUEST['id']);
+                $app->uses('tform');
+                if(!$rr = $app->db->queryOneRecord("SELECT * FROM rr WHERE id = ".$_REQUEST['id']." AND ".$app->tform->getAuthSQL('d'))) $app->error('not allowed');
+
+                //$rr = $app->db->queryOneRecord("SELECT * FROM rr WHERE id = ".$_REQUEST['id']);
                 $zone_id = $rr['zone'];
 
                 // update serial

interface/web/dns/rr_edit.php

@@ -53,9 +53,16 @@
 
 class page_action extends tform_actions {
 
+
         function onSubmit() {
                 global $app, $conf;
 
+                if($this->dataRecord['id'] > 0){
+                  if(!$app->tform->checkPerm($this->dataRecord['id'],'u')) $app->error('not allowed');
+                } else {
+                  if(!$app->tform->checkPerm($this->dataRecord['id'],'i')) $app->error('not allowed');
+                }
+
                 $this->dataRecord["zone"] = $_SESSION['s']['list']['rr']['parent_id'];
 
                 $app->uses('validate_dns');

interface/web/dns/soa_del.php

@@ -56,9 +56,12 @@ class page_action extends tform_actions {
         function onDelete() {
                 global $app, $conf;
 
+                $app->uses('tform');
+                if(!$soa = $app->db->queryOneRecord("SELECT * FROM soa WHERE id = ".$_REQUEST['id']." AND ".$app->tform->getAuthSQL('d'))) $app->error('not allowed');
+
                 // PTR
                 if($conf['auto_create_ptr'] == 1 && trim($conf['default_ns']) != '' && trim($conf['default_mbox']) != ''){
-                  $soa = $app->db->queryOneRecord("SELECT * FROM soa WHERE id = ".$_REQUEST['id']);
+                  //$soa = $app->db->queryOneRecord("SELECT * FROM soa WHERE id = ".$_REQUEST['id']);
                   $rrs = $app->db->queryAllRecords("SELECT * FROM rr WHERE zone = '".$_REQUEST['id']."' AND (type = 'A' OR type = 'AAAA')");
                   if(!empty($rrs)){
                     foreach($rrs as $rr){

interface/web/dns/soa_edit.php

@@ -56,6 +56,12 @@ class page_action extends tform_actions {
         function onSubmit() {
                 global $app, $conf;
 
+                if($this->dataRecord['id'] > 0){
+                  if(!$app->tform->checkPerm($this->dataRecord['id'],'u')) $app->error('not allowed');
+                } else {
+                  if(!$app->tform->checkPerm($this->dataRecord['id'],'i')) $app->error('not allowed');
+                }
+
                 $app->uses('validate_dns');
                 $app->tform->errorMessage .= $app->validate_dns->validate_soa($this->dataRecord);