From 83aab83ea686d1926f8176c51147fd9aee6ff146 Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Sat, 6 Sep 2025 18:08:56 +0200
Subject: [PATCH] fix: require zone administrator role for API zone updates
---
 views/api.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/views/api.php b/views/api.php
index 537d1ad..d93a2a4 100644
--- a/views/api.php
+++ b/views/api.php
@@ -142,7 +142,7 @@ public function show_zone($zone_name) {
 public function update_zone_rrsets($zone_name) {
 global $zone_dir, $active_user;
 $zone = $zone_dir->get_zone_by_name($zone_name);
- if(!$active_user->admin && !$active_user->access_to($zone)) throw new AccessDenied;
+ if(!$active_user->admin && $active_user->access_to($zone) != 'administrator') throw new AccessDenied;
 $json = file_get_contents('php://input');
 $zone->process_bulk_json_rrset_update($json);
 $this->output(null);
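Review bot: The new role check on the added line uses loose `!=`, so the authorization decision depends on PHP's type juggling rather than an exact match. `access_to()` is not visible in this hunk; if it can ever return a non-string value such as `true`, or `0` on PHP versions before 8, that value compares equal to `'administrator'` and the request passes. Assuming the method returns the role as a string, a strict comparison closes that gap: `if(!$active_user->admin && $active_user->access_to($zone) !== 'administrator') throw new AccessDenied;`. A short comment above the check, such as `// Write access: only global admins or administrators of this zone may submit rrset updates`, would also record why read-level access is insufficient here. The body of update_zone_rrsets continues past the end of the hunk.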