From 1fb45f8c4aca0d0d61b017d4b7afe24d0157fd18 Mon Sep 17 00:00:00 2001 From: Elizabeth Date: Tue, 2 Apr 2024 14:33:11 -0600 Subject: [PATCH] allow user to fuck with .endpoints --- api/dns.go | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/api/dns.go b/api/dns.go index a1739d3..ad41103 100644 --- a/api/dns.go +++ b/api/dns.go @@ -2,6 +2,7 @@ package api import ( "database/sql" + "fmt" "log" "net/http" "strconv" @@ -20,10 +21,23 @@ type FormError struct { func userCanFuckWithDNSRecord(dbConn *sql.DB, user *database.User, record *database.DNSRecord) bool { ownedByUser := (user.ID == record.UserID) + if !ownedByUser { + return false + } if !record.Internal { - publicallyOwnedByUser := (record.Name == user.Username || strings.HasSuffix(record.Name, "."+user.Username)) - return ownedByUser && publicallyOwnedByUser + userOwnedDomains := []string{ + fmt.Sprintf("%s", user.Username), + fmt.Sprintf("%s.endpoints", user.Username), + } + + for _, domain := range userOwnedDomains { + isInSubDomain := strings.HasSuffix(record.Name, "."+domain) + if domain == record.Name || isInSubDomain { + return true + } + } + return false } owner, err := database.FindFirstDomainOwnerId(dbConn, record.Name)