From 0f67745296b68719b7cb9daa2bebb4b4b6386b52 Mon Sep 17 00:00:00 2001
From: Philippe Pittoli
Date: Wed, 27 Nov 2024 14:17:36 +0100
Subject: [PATCH] Server: enable admins to see, edit or remove domains.
---
 src/storage.cr | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/storage.cr b/src/storage.cr
index 0715f8d..133ea6c 100644
--- a/src/storage.cr
+++ b/src/storage.cr
@@ -474,6 +474,11 @@ class DNSManager::Storage
 dnsmanagerd().assert_permissions! user_id, "*", AuthD::User::PermissionLevel::Admin
 end
+ # Asks `authd` for the user's permissions and verifies the `dnsmanager` permissions are "Admin"-level.
+ def is_admin?(user_id : UserDataID) : Bool
+ dnsmanagerd().is_admin? user_id
+ end
+
 # Verifies the existence of a zone.
 def zone_must_exist!(domain : String) : Zone
 zone = zones_by_domain.get? domain
@@ -482,13 +487,12 @@ class DNSManager::Storage
 end
 # Owning a domain means to be in the owners' list of the domain.
- # TODO: accept admin users to override this test.
 def user_should_own!(user_id : UserDataID, domain : String) : Nil
 d = domains_by_name.get? domain
 raise DomainNotFoundException.new if d.nil?
- unless d.owners.includes? user_id || user_must_be_admin! user_id
- raise NoOwnershipException.new
+ unless d.owners.includes? user_id
+ raise NoOwnershipException.new unless is_admin? user_id
 end
 end
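Review bot: The comment on the new `is_admin?` in the first hunk says it "verifies" the permission level, the same wording used for the raising `!` helpers, but this method returns a Bool and the comment does not say what happens when `authd` cannot answer or does not know the user. Since `user_should_own!` now relies on this result to grant access, the comment should state the contract, for example `# Returns true only when authd reports "Admin"-level dnsmanager permissions for the user; never grants on lookup failure.` The body of `dnsmanagerd().is_admin?` is not visible here, so the fail-closed behaviour is an assumption to confirm before documenting it.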
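Review bot: In the second hunk the comment above `user_should_own!` still says that owning a domain means being in the owners' list, but the method now also passes for any non-owner for whom `is_admin?` is true, and the removed TODO leaves that override undocumented. I would change the comment to `# Passes when the user is in the domain's owners list or is a dnsmanager admin (checked through authd).` so callers do not read this check as proof of ownership. Because an admin can now see, edit or remove a domain they do not own, it would help to log the override (user id and domain) at this point; no logging is visible in the hunk. The nested `unless` could also be a single guard with explicit parentheses, `raise NoOwnershipException.new unless d.owners.includes?(user_id) || is_admin?(user_id)`, which avoids the parenthesis-free argument parsing that the removed condition appears to have been subject to.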