API: forbid rectify for presigned zones, only

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 0f6eed87f4a8195a17234a5ef45cea561dbd6b4e..15a704b134610309e409e3e4d52e5370666f2071 100644 (file)
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -1860,8 +1860,8 @@ static void apiServerZoneRectify(HttpRequest* req, HttpResponse* resp) {
 
   DNSSECKeeper dk(&B);
 
-  if (!dk.isSecuredZone(zonename))
-    throw ApiException("Zone '" + zonename.toString() + "' is not DNSSEC signed, not rectifying.");
+  if (dk.isPresigned(zonename))
+    throw ApiException("Zone '" + zonename.toString() + "' is pre-signed, not rectifying.");
 
   string error_msg = "";
   string info;

diff --git a/regression-tests.api/test_Zones.py b/regression-tests.api/test_Zones.py
index f95ede6e7b1ddb6b382234f34b19d4cb9a3edf83..09c1844dc4e865915a44ec71b0bd9dc4d3822185 100644 (file)
--- a/regression-tests.api/test_Zones.py
+++ b/regression-tests.api/test_Zones.py
@@ -1925,11 +1925,6 @@ $ORIGIN %NAME%
         dbrecs = get_db_records(name, 'SOA')
         self.assertIsNotNone(dbrecs[0]['ordername'])
 
-    def test_explicit_rectify_no_dnssec(self):
-        _, _, data = self.create_zone = self.create_zone(api_rectify=False, dnssec=False)
-        r = self.session.put(self.url("/api/v1/servers/localhost/zones/" + data['id'] + "/rectify"))
-        self.assertEquals(r.status_code, 422)
-
     def test_explicit_rectify_slave(self):
         # Some users want to move a zone to kind=Slave and then rectify, without a re-transfer.
         name, _, data = self.create_zone = self.create_zone(api_rectify=False, dnssec=True, nsec3param='1 0 1 ab')