From a288a8875460fbcaedaa2a526e20767337008fba Mon Sep 17 00:00:00 2001
From: Usman Nasir
Date: Fri, 20 Aug 2021 19:42:06 +0500
Subject: [PATCH] =?UTF-8?q?security=20fix:=20CP-24:=20Manage=20Website=20?= =?UTF-8?q?=E2=80=93=20Domain=20Alias=20(Delete)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 plogical/acl.py | 12 +++++++++++-
 websiteFunctions/website.py | 10 ++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/plogical/acl.py b/plogical/acl.py
index f8f11fbf7..cf8d224ed 100644
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -7,7 +7,7 @@ django.setup()
 from loginSystem.models import Administrator, ACL
 from django.shortcuts import HttpResponse
 from packages.models import Package
-from websiteFunctions.models import Websites, ChildDomains
+from websiteFunctions.models import Websites, ChildDomains, aliasDomains
 import json
 from subprocess import call, CalledProcessError
 from shlex import split
@@ -43,6 +43,16 @@ class ACLManager:
 '"dkimManager": 1, "createFTPAccount": 1, "deleteFTPAccount": 1, "listFTPAccounts": 1, "createBackup": 1,' \
 ' "restoreBackup": 0, "addDeleteDestinations": 0, "scheduleBackups": 0, "remoteBackups": 0, "googleDriveBackups": 1, "manageSSL": 1, ' \
 '"hostnameSSL": 0, "mailServerSSL": 0 }'
+ @staticmethod
+ def AliasDomainCheck(currentACL, aliasDomain, master):
+ aliasOBJ = aliasDomains.objects.get(aliasDomain=aliasDomain)
+ masterOBJ = Websites.objects.get(domain=master)
+ if currentACL['admin'] == 1:
+ return 1
+ elif aliasOBJ.master == masterOBJ:
+ return 1
+ else:
+ return 0
 @staticmethod
 def CheckPackageOwnership(package, admin, currentACL):
diff --git a/websiteFunctions/website.py b/websiteFunctions/website.py
index 0392b2db1..30f7aa81a 100755
--- a/websiteFunctions/website.py
+++ b/websiteFunctions/website.py
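Review bot: `AliasDomainCheck` in plogical/acl.py runs both `.objects.get()` lookups before it looks at `currentACL['admin']`, so an alias or master name with no matching row raises `DoesNotExist` instead of returning 0, for admins and non-admins alike. Whether that exception is handled depends on the callers in websiteFunctions/website.py, whose surrounding try/except is not visible in this patch; an authorization helper is safer when it fails closed on its own. I would test the admin flag first, which also skips two queries for admins, and return 0 when either row is missing. A one-line docstring should state that the caller must already have verified ownership of `master`, since this function only proves that the alias belongs to that site. The comparison `aliasOBJ.master == masterOBJ` presumably relies on `master` being a foreign key to `Websites`; the model is not shown here.

```python
    @staticmethod
    def AliasDomainCheck(currentACL, aliasDomain, master):
        """Return 1 if aliasDomain belongs to master (or caller is admin), else 0.

        The caller must already have checked ownership of master.
        """
        if currentACL['admin'] == 1:
            return 1
        try:
            aliasOBJ = aliasDomains.objects.get(aliasDomain=aliasDomain)
            masterOBJ = Websites.objects.get(domain=master)
        except (aliasDomains.DoesNotExist, Websites.DoesNotExist):
            # Unknown alias or master: deny instead of raising.
            return 0
        return 1 if aliasOBJ.master == masterOBJ else 0
```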
@@ -1674,6 +1674,11 @@ class WebsiteManager: else: return ACLManager.loadErrorJson('sslStatus', 0) + if ACLManager.AliasDomainCheck(currentACL, aliasDomain, self.domain) == 1: + pass + else: + return ACLManager.loadErrorJson('sslStatus', 0) + sslpath = "/home/" + self.domain + "/public_html" ## Create Configurations @@ -1711,6 +1716,11 @@ class WebsiteManager: else: return ACLManager.loadErrorJson('deleteAlias', 0) + if ACLManager.AliasDomainCheck(currentACL, aliasDomain, self.domain) == 1: + pass + else: + return ACLManager.loadErrorJson('deleteAlias', 0) + ## Create Configurations execPath = "/usr/local/CyberCP/bin/python " + virtualHostUtilities.cyberPanel + "/plogical/virtualHostUtilities.py"
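Review bot: The new guard in both website.py hunks (error keys 'sslStatus' and 'deleteAlias') is written as `if … == 1: pass` / `else: return …`, which buries the deny path in an else branch. A negative guard reads more directly: `if ACLManager.AliasDomainCheck(currentACL, aliasDomain, self.domain) != 1: return ACLManager.loadErrorJson('sslStatus', 0)`, and the same with 'deleteAlias' in the second hunk. It can stay as is if the file deliberately uses this shape, as the context lines just above suggest. A short comment would tell the next reader why two checks are needed, e.g. `# the check above presumably covers self.domain; this one ties aliasDomain to it`. The assignment of `aliasDomain` and the start of both enclosing methods are outside the hunks, so it cannot be confirmed from here that the value is set before the guard runs.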