Hello, i just wonder that the User who can add Domains can see all domains on the DNS Server..

I have over 3500 Domain owned by admin. Now i have add a normal User who

- Can view the index page.
- Can access PDNS-Admin. Should never be unchecked!
- Can create new domains.

all other option are unchecked..

But when he now login he see the complete Domain Listing of the Server also when he click on "Your Console" he see all Domains actually own by admin.. This must be wrong i think...

He should only see the Domains owned by him, or not...

Regards
Oli

Make sure you haven't added them to the "Domain Administrator" group by accident. That group is meant for folks who assist the site owner. A normal user account cannot access domains they don't own unless you've altered the group permission settings in the ACP. .........................
Sandbox | SmaugMuds.org | Arthmoor MUD Hosting Services | The Truth About Medievia: A Saga of Code Theft.

"The past was erased, the erasure was forgotten, the lie became truth." -- George Orwell, 1984

I' am sure the User is not in the Domain Administrator group...

I only wounder that the User can see all Domains own by admin..

Edit he can not "You are not permitted to edit domains you do not own."...

But i think not all the User need to know which domains are all on the server because when the User login he can see all. He can not edit but he see and this i think is not good.

Thanks

Oli

Hi,

I make a quick fix that Users only can see their own domains:

in func/main.php

add after

		if ($this->user['user_group'] == USER_MEMBER) {
			if ($check)
				$sql .= " AND z.owner=$id";
			else
				$sql .= " WHERE z.owner=$id";
		}

so after line 76 this

 
if ($id != '2'){
$sql .= " WHERE z.owner=$id";
}

Then the User only see their own Domains... And the Admin here $id != '2' see all domains..

Not perfect but first helps..

Regards
Oli

Hi,

i have optimize a little bit the code then the User also can use the search function:

Just change in func/main.php

		if ($this->user['user_group'] == USER_MEMBER) {
			if ($check)
				$sql .= " AND z.owner=$id";
			else
				$sql .= " WHERE z.owner=$id";
		}

with this (forget the previous post):

		if ($id != '2') {
			if ($check)
				$sql .= " AND z.owner=$id";
			else
				$sql .= " WHERE z.owner=$id";
		}

Thanks

Oli

The change you're proposing is entirely unnecessary. I have just verified with my own DNS data that a regular user cannot see domains that don't belong to them unless they are in the "domain administrator" group. They cannot be in this group unless you assign them there, and the domain list query does not look at the permissions table to override that. .........................
Sandbox | SmaugMuds.org | Arthmoor MUD Hosting Services | The Truth About Medievia: A Saga of Code Theft.

"The past was erased, the erasure was forgotten, the lie became truth." -- George Orwell, 1984

I find the problem i create an new User group and that is the reason why everybody can see all domains.. When i using the pre-installed grup "User" and change the permission that this group also can add Domains then is like you say....

So i think it is better not ask in the Script func/main.php

if ($this->user['user_group'] == USER_MEMBER)

That the User is in the Group "User" Better is to Ask that the User is not in the Group "Administrator" or "Domain Administrator". Then the function also working if you add additional groups.

Thanks

Oli.