From 5396cb7e2c808bd0a37ebbafe979530311c57a55 Mon Sep 17 00:00:00 2001
From: alena <alena@cloud.com>
Date: Tue, 10 May 2011 11:40:35 -0700
Subject: [PATCH] bug 9819: fixed listTemplates by id to do permission check
 for private templates

---
 .../cloud/server/ManagementServerImpl.java    | 26 ++++++++++++-------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index fc8586d4d35..2f192d1d898 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -4186,6 +4186,16 @@ public class ManagementServerImpl implements ManagementServer {
 
     @Override
     public List<VMTemplateVO> listTemplates(Long templateId, String name, String keyword, TemplateFilter templateFilter, boolean isIso, Boolean bootable, Long accountId, Integer pageSize, Long startIndex, Long zoneId) throws InvalidParameterValueException {
+        Account account = null;
+        DomainVO domain = null;
+        if (accountId != null) {
+            account = _accountDao.findById(accountId);
+            domain = _domainDao.findById(account.getDomainId());
+        } else {
+            domain = _domainDao.findById(DomainVO.ROOT_DOMAIN);
+        }
+        
+        
         VMTemplateVO template = null;
     	if (templateId != null) {
     		template = _templateDao.findById(templateId);
@@ -4193,16 +4203,12 @@ public class ManagementServerImpl implements ManagementServer {
     			throw new InvalidParameterValueException("Please specify a valid template ID.");
     		}
     		//Check permissions here
-    		
-        }
-    	
-    	Account account = null;
-    	DomainVO domain = null;
-        if (accountId != null) {
-        	account = _accountDao.findById(accountId);
-        	domain = _domainDao.findById(account.getDomainId());
-        } else {
-        	domain = _domainDao.findById(DomainVO.ROOT_DOMAIN);
+    		if (!template.isPublicTemplate()) {
+    		    Account templateOwner = getAccount(template.getAccountId());
+    		    if (!isChildDomain(domain.getId(), templateOwner.getDomainId())) {
+                    throw new InvalidParameterValueException("User is not authorized to see template id=" + template.getId());
+                }
+    		}
         }
         
         List<VMTemplateVO> templates = new ArrayList<VMTemplateVO>();