[PR #203] [MERGED] Make cloning admin-only, check zones returned by formzonelist #205

Closed
opened 2026-02-28 01:21:25 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/tuxis-ie/nsedit/pull/203
Author: @WilliamDEdwards
Created: 4/17/2024
Status: Merged
Merged: 4/17/2024
Merged by: @tuxis-ie

Base: master ← Head: fix/make-clone-admin-only


📝 Commits (1)

  • e8d028b Make cloning admin-only, check zones returned by formzonelist

📊 Changes

2 files changed (+8 additions, -3 deletions)

📝 index.php (+6 -3)
📝 zones.php (+2 -0)

📄 Description

Cloning was meant to be an admin-only functionality. However, this was not fully implemented: when allowzoneadd = true, the user could clone zones, even when not an admin. This is not necessarily a problem. But in this case, it is, because the endpoint that is used to get zones to clone (formzonelist) did not check whether those zones belong to the current user. In other words: when allowzoneadd = true and the user is not an admin, that user is able to see all zones under 'Clone a zone' button -> 'Source domain' dropdown.

This commit fixes that, by letting formzonelist return only zones belonging to the user, and showing the 'Clone a zone' button only when the user is an admin.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

kerem closed this issue 2026-02-28 01:21:25 +03:00
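
The ownership check described in the PR, sketched as an added example; this is not code from nsedit or from the commit. The zone array, the `account` field and every function name are hypothetical, and enforcing the admin check on the server in `may_clone` is an assumption of this example (the description only mentions hiding the button).

```php
<?php
// Constructed sample data: each zone records the account that owns it.
$zones = [
    ['name' => 'example.org.', 'account' => 'alice'],
    ['name' => 'example.net.', 'account' => 'bob'],
    ['name' => 'example.com.', 'account' => 'alice'],
    ['name' => 'orphan.test.', 'account' => ''],   // zone with no owner set
];

// "Before" behaviour described in the PR: every zone name is returned,
// whoever is asking.
function zonelist_unfiltered(array $zones): array
{
    return array_column($zones, 'name');
}

// "After": admins see every zone; any other user sees only zones whose
// account matches their own. The comparison is strict and an empty user
// name never matches, so unowned zones are not leaked to a blank session.
function zonelist_filtered(array $zones, string $user, bool $isAdmin): array
{
    $visible = array_filter(
        $zones,
        function (array $z) use ($user, $isAdmin): bool {
            return $isAdmin
                || ($user !== '' && ($z['account'] ?? null) === $user);
        }
    );
    return array_column($visible, 'name');
}

// Server-side gate for the clone action itself (assumption of this example):
// the caller must be an admin and the source must be a zone they can list.
function may_clone(array $zones, string $source, string $user, bool $isAdmin): bool
{
    return $isAdmin
        && in_array($source, zonelist_filtered($zones, $user, $isAdmin), true);
}

// Compare what a non-admin receives before and after the filter.
echo json_encode(zonelist_unfiltered($zones)), PHP_EOL;
echo json_encode(zonelist_filtered($zones, 'bob', false)), PHP_EOL;
echo json_encode(zonelist_filtered($zones, '', false)), PHP_EOL;
var_dump(may_clone($zones, 'example.org.', 'bob', false));
var_dump(may_clone($zones, 'example.org.', 'root', true));
```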