From 2bba381a631347cc53a3ce106dfd10a2eb137519 Mon Sep 17 00:00:00 2001
From: Min Chen <min.chen@citrix.com>
Date: Thu, 24 Apr 2014 18:13:59 -0700
Subject: [PATCH] CLOUDSTACK-6501:IAM - DomainAdmin - When listVirtualMachines
 is used with listall=true and account and domainId , Vms owned by the account
 account is not listed.

---
 server/src/com/cloud/user/AccountManagerImpl.java           | 6 +++++-
 .../apache/cloudstack/iam/RoleBasedEntityQuerySelector.java | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 37e4b437231..227c61187b8 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2283,7 +2283,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 
                 if (accountId != null) {
                     // specific account filter is specified
-                    if (grantedAccounts.contains(accountId)) {
+                    if (grantedDomains.contains(domainId)) {
+                        // the account domain is granted to the caller
+                        permittedAccounts.add(accountId);
+                    }
+                    else if (grantedAccounts.contains(accountId)) {
                         permittedAccounts.add(accountId);
                     } else {
                         //TODO: we should also filter granted resources based on accountId passed.
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
index 40c8549c304..b7c3d352773 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
@@ -73,8 +73,8 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe
                             domainId = p.getScopeId();
                             //domainIds.add(p.getScopeId());
                         }
-                        domainIds.add(domainId);
-                        // add all the domain children from this domain. Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that
+                        //domainIds.add(domainId);
+                        // add all the domain children from this domain (including this domain itself). Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that
                         // the whole domain tree is granted access.
                         DomainVO domain = _domainDao.findById(domainId);
                         List<Long> childDomains = _domainDao.getDomainChildrenIds(domain.getPath());