Fix global_read_only behavior to preserve explicit zone permissions

Copilot · rwxd · Copilot · commit 5aa1fd609ff0 · 2025-08-07T21:12:20.000Z
Co-authored-by: rwxd &lt;40308458+rwxd@users.noreply.github.com&gt;
diff --git a/powerdns_api_proxy/models.py b/powerdns_api_proxy/models.py
@@ -26,7 +26,7 @@ class ProxyConfigZone(BaseModel):
     `admin` enabled creating and deleting the zone.
     `subzones` sets the same permissions on all subzones.
     `all_records` will be set to `True` if no `records` are defined.
-    `read_only` will be set to `True` if `global_read_only` is `True`.
+    `read_only` controls write permissions for this specific zone.
     """
 
     name: str
@@ -84,15 +84,10 @@ def validate_zones_or_global_read_only(self):
 
     def __init__(self, **data):
         super().__init__(**data)
-        if self.global_read_only:
-            logger.debug(
-                "Setting all subzones to read_only, because global_read_only is true"
-            )
-            for zone in self.zones:
-                zone.read_only = True
-
-                # populate zones lookup
-                self._zones_lookup[zone.name] = zone
+        
+        # populate zones lookup
+        for zone in self.zones:
+            self._zones_lookup[zone.name] = zone
 
     def __hash__(self):
         return hash(
diff --git a/tests/unit/config_test.py b/tests/unit/config_test.py
@@ -644,3 +644,29 @@ def test_proxy_config_with_global_read_only_environment():
     )
     assert config.environments[0].global_read_only is True
     assert config.environments[0].zones == []
+
+
+def test_global_read_only_with_explicit_zones_keeps_zone_permissions():
+    """Test that global_read_only=True doesn't force explicit zones to be read_only"""
+    # Create a zone that should remain writable
+    writable_zone = ProxyConfigZone(name="example.com", read_only=False)
+    readonly_zone = ProxyConfigZone(name="readonly.com", read_only=True)
+    
+    env = ProxyConfigEnvironment(
+        name="Test Global Read Only with Zones",
+        token_sha512=dummy_proxy_environment_token_sha512,
+        zones=[writable_zone, readonly_zone],
+        global_read_only=True
+    )
+    
+    # global_read_only should be True
+    assert env.global_read_only is True
+    
+    # But explicit zones should keep their original read_only settings
+    assert env.zones[0].read_only is False  # writable_zone should remain writable
+    assert env.zones[1].read_only is True   # readonly_zone should remain read_only
+    
+    # Should have access to zones via lookup
+    assert len(env._zones_lookup) == 2
+    assert "example.com" in env._zones_lookup
+    assert "readonly.com" in env._zones_lookup
