CLOUDSTACK-4830: allow create account and user by domain admin

client/tomcatconf/commands.properties.in

@@ -19,9 +19,9 @@
 ### Please standardize naming conventions to camel-case (even for acronyms).
 
 ### Account commands
-createAccount=3
-deleteAccount=3
-updateAccount=3
+createAccount=7
+deleteAccount=7
+updateAccount=7
 disableAccount=7
 enableAccount=7
 lockAccount=7
@@ -29,8 +29,8 @@ listAccounts=15
 markDefaultZoneForAccount=1
 
 #### User commands
-createUser=3
-deleteUser=3
+createUser=7
+deleteUser=7
 updateUser=15
 listUsers=7
 lockUser=7

server/src/com/cloud/api/ApiDBUtils.java

@@ -1473,7 +1473,15 @@ public class ApiDBUtils {
     }
 
     public static UserResponse newUserResponse(UserAccountJoinVO usr) {
-        return _userAccountJoinDao.newUserResponse(usr);
+        return newUserResponse(usr, null);
+    }
+    public static UserResponse newUserResponse(UserAccountJoinVO usr, Long domainId) {
+        UserResponse response = _userAccountJoinDao.newUserResponse(usr);
+        if (domainId != null && usr.getDomainId() != domainId)
+            response.setIsCallerChildDomain(true);
+        else
+            response.setIsCallerChildDomain(false);
+        return response;
     }
 
     public static UserAccountJoinVO newUserView(User usr){

server/src/com/cloud/api/query/QueryManagerImpl.java

@@ -336,8 +336,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
     public ListResponse<UserResponse> searchForUsers(ListUsersCmd cmd) throws PermissionDeniedException {
         Pair<List<UserAccountJoinVO>, Integer> result = searchForUsersInternal(cmd);
         ListResponse<UserResponse> response = new ListResponse<UserResponse>();
-        List<UserResponse> userResponses = ViewResponseHelper.createUserResponse(result.first().toArray(
-                new UserAccountJoinVO[result.first().size()]));
+        List<UserResponse> userResponses = ViewResponseHelper.createUserResponse(UserContext.current().getCaller().getDomainId(), 
+                result.first().toArray(new UserAccountJoinVO[result.first().size()]));
         response.setResponses(userResponses, result.second());
         return response;
     }

server/src/com/cloud/api/query/ViewResponseHelper.java

@@ -81,9 +81,13 @@ public class ViewResponseHelper {
     public static final Logger s_logger = Logger.getLogger(ViewResponseHelper.class);
 
     public static List<UserResponse> createUserResponse(UserAccountJoinVO... users) {
+        return createUserResponse(null, users);
+    }
+
+    public static List<UserResponse> createUserResponse(Long domainId, UserAccountJoinVO... users) {
         List<UserResponse> respList = new ArrayList<UserResponse>();
         for (UserAccountJoinVO vt : users){
-            respList.add(ApiDBUtils.newUserResponse(vt));
+            respList.add(ApiDBUtils.newUserResponse(vt, domainId));
         }
         return respList;
     }

ui/scripts/accounts.js

@@ -66,7 +66,7 @@
                         add: {
                             label: 'label.add.account',
                             preFilter: function(args) {
-                                if (isAdmin())
+                                if (isAdmin() || isDomainAdmin())
                                     return true;
                                 else
                                     return false;
@@ -1103,7 +1103,7 @@
                             label: 'label.add.user',
 
                             preFilter: function(args) {
-                                if (isAdmin())
+                                if (isAdmin() || isDomainAdmin())
                                     return true;
                                 else
                                     return false;
@@ -1602,6 +1602,16 @@
             }
             allowedActions.push("updateResourceCount");
         } else if (isDomainAdmin()) {
+            if (jsonObj.name != g_account) {
+                allowedActions.push("edit"); //updating networkdomain is allowed on any account, including system-generated default admin account
+                if (jsonObj.state == "enabled") {
+                    allowedActions.push("disable");
+                    allowedActions.push("lock");
+                } else if (jsonObj.state == "disabled" || jsonObj.state == "locked") {
+                    allowedActions.push("enable");
+                }
+                allowedActions.push("remove");
+            }
             allowedActions.push("updateResourceCount");
         }
         return allowedActions;
@@ -1627,6 +1637,14 @@
             }
         } else {
             if (isSelfOrChildDomainUser(jsonObj.username, jsonObj.accounttype, jsonObj.domainid, jsonObj.iscallerchilddomain)) {
+                if (isDomainAdmin() && jsonObj.username != g_username) {
+                    allowedActions.push("edit");
+                    if (jsonObj.state == "enabled")
+                        allowedActions.push("disable");
+                    if (jsonObj.state == "disabled")
+                        allowedActions.push("enable");
+                    allowedActions.push("remove");
+                }
                 allowedActions.push("changePassword");
                 allowedActions.push("generateKeys");
             }

ui/scripts/sharedFunctions.js

@@ -750,7 +750,7 @@ var addGuestNetworkDialog = {
     function isSelfOrChildDomainUser(username, useraccounttype, userdomainid, iscallerchilddomain) {
         if (username == g_username) { //is self
             return true;
-        } else if (isDomainAdmin() && iscallerchilddomain && (useraccounttype == 0)) { //domain admin to user
+        } else if (isDomainAdmin() && !iscallerchilddomain && (useraccounttype == 0)) { //domain admin to user
             return true;
         } else if (isDomainAdmin() && iscallerchilddomain && (userdomainid != g_domainid)) { //domain admin to subdomain admin and user
             return true;