We use cookies to ensure you get the best experience on our website
首頁 探索 說明
註冊 登入
0ct0pu5
/
desec-stack
1
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
瀏覽代碼

fix(api): disallow deleting RRset while user is locked

When syncing domains during unlock, we send all known RRsets to pdns.
However, it is difficult to track which RRsets have been deleted while
the user is locked (to request deletion from pdns), so for now, we
disallow RRset deletion in this case.
Peter Thomassen 7 年之前
父節點
a8c793b564
當前提交
c80af3e611
共有 3 個文件被更改,包括 24 次插入0 次删除
分割檢視 顯示文件統計
  1. 1 0
      api/desecapi/models.py
  2. 20 0
      api/desecapi/tests/testrrsets.py
  3. 3 0
      api/desecapi/views.py

+ 1 - 0
api/desecapi/models.py
查看文件 

@@ -433,6 +433,7 @@ class RRset(models.Model, mixins.SetterMixin):
 
 
     @transaction.atomic
 
     def delete(self, *args, **kwargs):
 
+        assert not self.domain.owner.captcha_required
 
         super().delete(*args, **kwargs)
 
         pdns.set_rrset(self)
 
         self._dirties = {}

+ 20 - 0
api/desecapi/tests/testrrsets.py
查看文件 

@@ -379,6 +379,26 @@ class AuthenticatedRRsetTests(APITestCase):
 
         response = self.client.delete(url)
 
         self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
 
 
+    def testCantDeleteOwnRRsetWhileAccountIsLocked(self):
 
+        self.owner.captcha_required = True
 
+        self.owner.save()
 
+
 
+        url = reverse('rrsets', args=(self.ownedDomains[1].name,))
 
+        data = {'records': ['1.2.3.4'], 'ttl': 60, 'type': 'A'}
 
+        response = self.client.post(url, json.dumps(data), content_type='application/json')
 
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
 
+
 
+        url = reverse('rrset', args=(self.ownedDomains[1].name, '', 'A',))
 
+
 
+        # Try PATCH with empty records
 
+        data = {'records': []}
 
+        response = self.client.patch(url, json.dumps(data), content_type='application/json')
 
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
+
 
+        # Try DELETE
 
+        response = self.client.delete(url)
 
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
+
 
     def testPostCausesPdnsAPICall(self):
 
         httpretty.enable()
 
         httpretty.register_uri(httpretty.PATCH, settings.NSLORD_PDNS_API + '/zones/' + self.ownedDomains[1].name + '.')

+ 3 - 0
api/desecapi/views.py
查看文件 

@@ -137,6 +137,9 @@ class RRsetDetail(generics.RetrieveUpdateDestroyAPIView):
 
     permission_classes = (permissions.IsAuthenticated, IsDomainOwner,)
 
 
     def delete(self, request, *args, **kwargs):
 
+        if request.user.captcha_required:
 
+            detail = "You cannot delete RRset while your account is locked."
 
+            raise PermissionDenied(detail)
 
         try:
 
             super().delete(request, *args, **kwargs)
 
         except Http404:

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5