From 2e5b5291574417e31b4e81a6cc170e77a0cd7f65 Mon Sep 17 00:00:00 2001
From: Prachi Damle
Date: Thu, 1 May 2014 15:40:23 -0700
Subject: [PATCH] CLOUDSTACK-6560: IAM - Admin user is denied permission to create Egress rule for a user's network

Changes:
- CS 4.3 handled Network entity in two ways:
a) Specified "UseNetwork" access and did a strict check w.r.t who can use this network. Regular users and Domain Admin went through the strict check. Root admin got access always.
b) Specified "null" access and that meant admins can access this network for the calling API that passes null access.

- Fixing CS 4.4 IAM to handle this behavior:
a) "UseNetwork" is mapped to "UseEntry" and IAM check will be done only for domain admin and regular users when this access is specified. Root Admin is grated access.
b) If "null" access is specified, root and domain admin both are granted access. Regular users still go through IAM.

---
 server/src/com/cloud/template/TemplateManagerImpl.java | 2 +-
 server/src/com/cloud/user/AccountManagerImpl.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java
index ea51af18962..294748ff1a6 100755
--- a/server/src/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/com/cloud/template/TemplateManagerImpl.java
@@ -1133,7 +1133,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
         }
 
         if (!template.isPublicTemplate()) {
-            _accountMgr.checkAccess(caller, null, template);
+            _accountMgr.checkAccess(caller, AccessType.ListEntry, template);
         }
 
         List accountNames = new ArrayList();
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 301dde4fe63..4b781413cc6 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
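Review bot: The switch from `null` to `AccessType.ListEntry` on the `_accountMgr.checkAccess(caller, AccessType.ListEntry, template)` call is not covered by the commit description, which explains only the Network handling, yet it changes which branch of AccountManagerImpl.checkAccess a private template takes: the IAM-checker branch in that file runs only for `accessType == null || accessType == AccessType.UseEntry`, so with ListEntry a non-public template is no longer evaluated there. Whether a domain admin inspecting a private template outside its own domain is now allowed or denied is decided by code outside this hunk, so the intended outcome should be stated in the description and pinned by a test for each caller type (root admin, domain admin, regular user). A why-comment above the call would also help the next reader, e.g. `// ListEntry: read-only access to a private template; see AccountManagerImpl.checkAccess for the access-type-specific path`. The raw `List accountNames = new ArrayList();` on the context line is pre-existing and not part of this change. The enclosing method starts and ends outside the hunk.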
@@ -497,7 +497,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
                 && (accessType == null || accessType == AccessType.UseEntry)) {
             for (ControlledEntity entity : entities) {
-                if (entity instanceof VirtualMachineTemplate || entity instanceof Network
+                if (entity instanceof VirtualMachineTemplate || (entity instanceof Network && accessType != null && (isDomainAdmin || isResourceDomainAdmin))
                         || entity instanceof AffinityGroup || entity instanceof SecurityGroup) {
                     // Go through IAM (SecurityCheckers)
                     for (SecurityChecker checker : _securityCheckers) {