diff --git a/api/src/org/apache/cloudstack/acl/SecurityChecker.java b/api/src/org/apache/cloudstack/acl/SecurityChecker.java index 4348255a3ab..d467307ee9c 100644 --- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java +++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java @@ -67,18 +67,40 @@ public interface SecurityChecker extends Adapter { /** * Checks if the account can access the object. - * + * * @param caller * account to check against. * @param entity * object that the account is trying to access. * @param accessType * TODO - * @return true if access allowed. false if this adapter cannot provide permission. + * @return true if access allowed. false if this adapter cannot provide + * permission. * @throws PermissionDeniedException - * if this adapter is suppose to authenticate ownership and the check failed. + * if this adapter is suppose to authenticate ownership and the + * check failed. */ - boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException; + boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) + throws PermissionDeniedException; + + /** + * Checks if the account can access the object. + * + * @param caller + * account to check against. + * @param entity + * object that the account is trying to access. + * @param accessType + * TODO + * @param action + * name of the API + * @return true if access allowed. false if this adapter cannot provide + * permission. + * @throws PermissionDeniedException + * if this adapter is suppose to authenticate ownership and the + * check failed. + */ + boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException; /** * Checks if the user belongs to an account that can access the object. diff --git a/api/src/org/apache/cloudstack/api/ACL.java b/api/src/org/apache/cloudstack/api/ACL.java index ce93b6aa7ae..58698711e3b 100644 
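Review bot: The Javadoc on the new four-argument `checkAccess` in SecurityChecker.java copies the old text, still has `accessType` as `TODO`, and never says how `action` and `accessType` combine when a checker makes its decision. Implementers need to know which of the two wins and what a missing action looks like, since `ACL.action()` defaults to `""` while RoleBasedEntityAccessChecker forwards `null`. If that is the intent, I would document it as `@param action name of the API being invoked; null or empty means the decision is made on accessType alone`. Because this is a new abstract method on the interface, any SecurityChecker implementation beyond the two updated in this diff must add it as well.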
--- a/api/src/org/apache/cloudstack/api/ACL.java +++ b/api/src/org/apache/cloudstack/api/ACL.java @@ -30,6 +30,8 @@ public @interface ACL { AccessType accessType() default AccessType.ListEntry; + String action() default ""; + boolean checkKeyAccess() default false; boolean checkValueAccess() default false; } diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java index 6497306b253..98a7ece77d4 100644 --- a/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java @@ -18,7 +18,6 @@ package org.apache.cloudstack.api.command.user.vm; import org.apache.log4j.Logger; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; @@ -53,7 +52,7 @@ public class StartVMCmd extends BaseAsyncCmd { // ////////////// API parameters ///////////////////// // /////////////////////////////////////////////////// - @ACL(accessType = AccessType.OperateEntry) + @ACL @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType=UserVmResponse.class, required = true, description = "The ID of the virtual machine") private Long id; diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java index 6d1fe019ad0..ca55e1a0164 100644 --- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java +++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java 
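Review bot: In the second StartVMCmd.java hunk, the bare `@ACL` on `id` falls back to the annotation defaults shown in ACL.java, `accessType = AccessType.ListEntry` and `action = ""`, so the start-VM parameter no longer declares operate-level access. Any checker that decides on `accessType` would then evaluate starting a VM as a list-level access; DomainChecker's new overload discards `action` entirely, so it cannot compensate. The code that reads the annotation is not in this diff, so this needs confirming there. Unless every checker is known to authorize this call by action name, I would keep `@ACL(accessType = AccessType.OperateEntry)` and with it the `SecurityChecker.AccessType` import that the first hunk removes.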
@@ -70,6 +70,12 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur @Override public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException { + return checkAccess(caller, entity, accessType, null); + } + + @Override + public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) + throws PermissionDeniedException { if (entity instanceof VirtualMachine) { String entityType = AclEntityType.VM.toString(); diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java index 4df968ef74f..5d38e9b1f3b 100755 --- a/server/src/com/cloud/acl/DomainChecker.java +++ b/server/src/com/cloud/acl/DomainChecker.java @@ -93,7 +93,8 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { } @Override - public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException { + public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) + throws PermissionDeniedException { if (entity instanceof VirtualMachineTemplate) { VirtualMachineTemplate template = (VirtualMachineTemplate) entity; @@ -315,4 +316,10 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { } return false; } + + @Override + public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) + throws PermissionDeniedException { + return checkAccess(caller, entity, accessType); + } }
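Review bot: The three-argument override in RoleBasedEntityAccessChecker now forwards `null` as `action`, while an `@ACL` annotation without an explicit action yields `""`, so the four-argument body can receive two different "no action" values. That body continues outside the hunk, so I cannot see whether it guards either case. It should treat both the same before using the value as a permission lookup key, for example `boolean hasAction = action != null && !action.isEmpty();`. Otherwise an empty string could be looked up as if it were a real API name, or a null could surface as an exception in the middle of an access decision.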
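Review bot: In the second DomainChecker.java hunk, the new overload's `return checkAccess(caller, entity, accessType);` is dispatched virtually, and RoleBasedEntityAccessChecker overrides that three-argument method to forward to the four-argument one. If the subclass's four-argument body ever falls back with `super.checkAccess(caller, entity, accessType, action)`, the calls would cycle until the stack overflows; that body is outside this diff, so please confirm it falls back through the three-argument `super` call. The overload also drops `action` silently, which is worth recording on the method, e.g. `// action is intentionally ignored by the domain checker; subclasses must fall back via super.checkAccess(caller, entity, accessType)`.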