From 51f69f7134ba5f8c52714251258dde5700aa411c Mon Sep 17 00:00:00 2001
From: Abhishek Kumar
Date: Thu, 6 Jan 2022 16:42:57 +0530
Subject: [PATCH] server: do not return inaccessible entity details to normal users (#5827) Fixes #5534 As pre 3.x APIs allow using internal DB IDs, even normal users can use internal IDs. This fix removes additional information in error message when the caller doesn't have access to the resource.
Signed-off-by: Abhishek Kumar
---
 server/src/main/java/com/cloud/acl/DomainChecker.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/server/src/main/java/com/cloud/acl/DomainChecker.java b/server/src/main/java/com/cloud/acl/DomainChecker.java
index aba0d456bfa..355d34fe814 100644
--- a/server/src/main/java/com/cloud/acl/DomainChecker.java
+++ b/server/src/main/java/com/cloud/acl/DomainChecker.java
@@ -178,19 +178,20 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 } else {
 if (_accountService.isNormalUser(caller.getId())) {
 Account account = _accountDao.findById(entity.getAccountId());
+ String errorMessage = String.format("%s does not have permission to operate with resource", caller);
 if (account != null && account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
 //only project owner can delete/modify the project
 if (accessType != null && accessType == AccessType.ModifyProject) {
 if (!_projectMgr.canModifyProjectAccount(caller, account.getId())) {
- throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
+ throw new PermissionDeniedException(errorMessage);
 }
 } else if (!_projectMgr.canAccessProjectAccount(caller, account.getId())) {
- throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
+ throw new PermissionDeniedException(errorMessage);
 }
 checkOperationPermitted(caller, entity);
 } else {
 if (caller.getId() != entity.getAccountId()) {
- throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
+ throw new PermissionDeniedException(errorMessage);
 }
 }
 }
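Review bot: The three denial paths now drop `entity` from the exception text, but as far as the hunk shows nothing records it server-side, so an operator investigating a normal user probing internal DB IDs (the case in #5534) can no longer tell which resource was targeted. Consider logging `entity` through the class's logger (not visible in this hunk) just before each `throw`, while keeping the API-facing message generic. `errorMessage` is also formatted for every normal-user check, including those that succeed; building it at the throw sites or in a small private helper avoids a `String.format` and `caller.toString()` on the success path. A one-line comment above the declaration, such as `// Keep entity out of this message: callers can pass internal DB IDs for resources they cannot access`, would keep a later change from re-adding it. The enclosing method starts and ends outside the hunk, and `checkOperationPermitted(caller, entity)` is not shown, so whether its own exceptions still name the entity should be checked separately.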