Add permission flag to acl_entity_permission

2013-10-07 14:30:15 -07:00 · 2013-10-07 14:30:15 -07:00 · 579806440b
parent 385dfc230f
commit 579806440b
5 changed files with 31 additions and 5 deletions
--- a/api/src/org/apache/cloudstack/acl/AclEntityPermission.java
+++ b/api/src/org/apache/cloudstack/acl/AclEntityPermission.java
@ -12,4 +12,6 @@ public interface AclEntityPermission extends InternalIdentity {
    Long getEntityId();

    AccessType getAccessType();
+
+    boolean isAllowed();
 }
--- a/engine/schema/src/org/apache/cloudstack/acl/AclEntityPermissionVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclEntityPermissionVO.java
@ -32,7 +32,7 @@ public class AclEntityPermissionVO implements AclEntityPermission {

    @Column(name = "entity_id")
    private long entityId;
-    
+
    @Column(name = "entity_uuid")
    private String entityUuid;

@ -40,6 +40,9 @@ public class AclEntityPermissionVO implements AclEntityPermission {
    @Enumerated(value = EnumType.STRING)
    AccessType accessType;

+    @Column(name = "permission")
+    private boolean permission;
+
    @Column(name = GenericDao.REMOVED_COLUMN)
    private Date removed;

@ -50,14 +53,16 @@ public class AclEntityPermissionVO implements AclEntityPermission {

    }

-    public AclEntityPermissionVO(long groupId, String entityType, long entityId, String entityUuid, AccessType atype) {
+    public AclEntityPermissionVO(long groupId, String entityType, long entityId, String entityUuid, AccessType atype,
+            boolean permission) {
        aclGroupId = groupId;
        this.entityType = entityType;
        this.entityId = entityId;
        this.entityUuid = entityUuid;
        accessType = atype;
+        this.permission = permission;
    }
-    
+
    @Override
    public long getId() {
        return id;
@ -115,4 +120,10 @@ public class AclEntityPermissionVO implements AclEntityPermission {
    public Date getCreated() {
        return created;
    }
+
+    @Override
+    public boolean isAllowed() {
+        return permission;
+    }
+
 }
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@ -20,11 +20,14 @@ import java.util.List;

 import javax.inject.Inject;

+import org.apache.cloudstack.acl.AclGroupAccountMapVO;
 import org.apache.cloudstack.acl.AclRole;
 import org.apache.cloudstack.acl.AclService;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
+import org.apache.cloudstack.acl.dao.AclGroupDao;

 import com.cloud.acl.DomainChecker;
 import com.cloud.exception.PermissionDeniedException;
@ -39,10 +42,19 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
    @Inject
    AclService _aclService;

+    @Inject
+    AclGroupAccountMapDao _aclGroupAccountMapDao;
+
    @Override
    public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
            throws PermissionDeniedException {

+        // check if explicit allow/deny is present for this entity in
+        // acl_entity_permission
+
+        List<AclGroupAccountMapVO> acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId());
+
+
        // Is Caller RootAdmin? Yes, granted true
        if (_accountService.isRootAdmin(caller.getId())) {
            return true;
--- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
+++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
@ -259,7 +259,7 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
            if (entity instanceof Identity) {
                entityUuid = ((Identity)entity).getUuid();
            }
-            perm = new AclEntityPermissionVO(aclGroupId, entityType, entityId, entityUuid, accessType);
+            perm = new AclEntityPermissionVO(aclGroupId, entityType, entityId, entityUuid, accessType, true);
            _entityPermissionDao.persist(perm);
        }
        return group;
--- a/setup/db/db/schema-420to430.sql
+++ b/setup/db/db/schema-420to430.sql
@ -362,7 +362,8 @@ CREATE TABLE `cloud`.`acl_entity_permission` (
  `entity_type` varchar(100) NOT NULL,
  `entity_id` bigint unsigned NOT NULL,
  `entity_uuid` varchar(40),  
-  `access_type` varchar(40) NOT NULL,  
+  `access_type` varchar(40) NOT NULL,
+  `permission` int(1) unsigned NOT NULL COMMENT '1 allowed, 0 for denied',
  `removed` datetime COMMENT 'date the permission was revoked',
  `created` datetime COMMENT 'date the permission was granted',   
  PRIMARY KEY  (`id`),