Fix a bug in building acl condition, now we get previous default list

behavior for admin,domain admin and user.
2013-10-10 23:02:49 -07:00 · 2013-10-10 23:02:49 -07:00 · 00ad19601b
parent 6b8cee5fc9
commit 00ad19601b
2 changed files with 42 additions and 15 deletions
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@ -757,6 +757,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
        // first search distinct vm id by using query criteria and pagination
        SearchBuilder<UserVmJoinVO> sb = _userVmJoinDao.createSearchBuilder();
        sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct ids
+
+        // build acl search builder condition
        _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
                listProjectResourcesCriteria, grantedIds, revokedIds);

@ -824,10 +826,12 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
            sb.and("affinityGroupId", sb.entity().getAffinityGroupId(), SearchCriteria.Op.EQ);
        }

+
+
        // populate the search criteria with the values passed in
        SearchCriteria<UserVmJoinVO> sc = sb.create();

-        // building ACL condition
+        // building ACL search criteria
        _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
                listProjectResourcesCriteria);

--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@ -2368,7 +2368,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
                if (rolePerm.getScope() == PermissionScope.ACCOUNT || !listAll) {
                    // only resource owner can see it, only match account
                    permittedAccounts.add(caller.getId());
-                } else {
+                } else if (rolePerm.getScope() == PermissionScope.DOMAIN) {
                    // match domain tree based on cmd.isRecursive flag or not
                    domainIdRecursiveListProject.first(caller.getDomainId());
                }
@ -2403,29 +2403,52 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
    @Override
    public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
            ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
-        sb.and().op("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
-        sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);

-        if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
-            // if accountId isn't specified, we can do a domain match for the
-            // admin case if isRecursive is true
-            sb.and("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
+        if (!revokedIds.isEmpty()) {
+            sb.and("idNIN", sb.entity().getId(), SearchCriteria.Op.NIN);
        }
+        if (permittedAccounts.isEmpty() && domainId == null && listProjectResourcesCriteria == null) {
+            // caller role authorize him to access everything matching query criteria
+            return;
+
+        }
+        boolean hasOp = true;
+        if (!permittedAccounts.isEmpty()) {
+            sb.and().op("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
+        } else if (domainId != null) {
+            if (isRecursive) {
+                // if accountId isn't specified, we can do a domain match for the
+                // admin case if isRecursive is true
+                sb.and().op("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
+            } else {
+                sb.and().op("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
+            }
+        } else {
+            hasOp = false;
+        }
+

        if (listProjectResourcesCriteria != null) {
-            if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
-                sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
-            } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
-                sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+            if (hasOp) {
+                if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
+                    sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
+                } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
+                    sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+                }
+            } else {
+                if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
+                    sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
+                } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
+                    sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+                }
            }
        }
+
        if (!grantedIds.isEmpty()) {
            sb.or("idIN", sb.entity().getId(), SearchCriteria.Op.IN);
        }
        sb.cp();
-        if (!revokedIds.isEmpty()) {
-            sb.and("idNIN", sb.entity().getId(), SearchCriteria.Op.NIN);
-        }
+

    }