Fixes for access rights for the new history pages

2025-05-18 18:39:19 +02:00 · 2025-04-07 22:52:50 +03:00 · 2025-04-07 22:52:50 +03:00 · 2fa50bd72d
commit 2fa50bd72d
parent cae51f7cd0
4 changed files with 65 additions and 3 deletions
--- a/cp/app/Controllers/HostsController.php
+++ b/cp/app/Controllers/HostsController.php
@ -316,10 +316,26 @@ class HostsController extends Controller
                }
            }

-            $host = $db->selectRow('SELECT id, name FROM host WHERE name = ?',
+            $host = $db->selectRow('SELECT id, name, clid FROM host WHERE name = ?',
            [ $args ]);

            if ($host) {
+                $registrars = $db->selectRow('SELECT id, clid, name FROM registrar WHERE id = ?', [$host['clid']]);
+
+                // Check if the user is not an admin (assuming role 0 is admin)
+                if ($_SESSION["auth_roles"] != 0) {
+                    $userRegistrars = $db->select('SELECT registrar_id FROM registrar_users WHERE user_id = ?', [$_SESSION['auth_user_id']]);
+
+                    // Assuming $userRegistrars returns an array of arrays, each containing 'registrar_id'
+                    $userRegistrarIds = array_column($userRegistrars, 'registrar_id');
+
+                    // Check if the registrar's ID is in the user's list of registrar IDs
+                    if (!in_array($registrars['id'], $userRegistrarIds)) {
+                        // Redirect to the hosts view if the user is not authorized for this host
+                        return $response->withHeader('Location', '/hosts')->withStatus(302);
+                    }
+                }
+
                try {
                    $exists = $db_audit->selectValue('SELECT 1 FROM domain LIMIT 1');
                } catch (\PDOException $e) {