Fix role escalation prevention (#7853)

Co-authored-by: Henrique Sato <henrique.sato@scclouds.com.br>
sato03 2023-08-18 04:33:05 -03:00 committed by GitHub
parent 87d6c4fbd5
commit 5b33967310
1 changed files with 7 additions and 3 deletions


@ -76,12 +76,12 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
if (roleService.isEnabled()) {
LOGGER.debug("RoleService is enabled. We will use it instead of StaticRoleBasedAPIAccessChecker.");
}
return roleService.isEnabled();
return !roleService.isEnabled();
}
@Override
public List<String> getApisAllowedToUser(Role role, User user, List<String> apiNames) throws PermissionDeniedException {
if (isEnabled()) {
if (!isEnabled()) {
return apiNames;
}
@ -93,7 +93,7 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
@Override
public boolean checkAccess(User user, String commandName) throws PermissionDeniedException {
if (isEnabled()) {
if (!isEnabled()) {
return true;
}
@ -107,6 +107,10 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
@Override
public boolean checkAccess(Account account, String commandName) {
if (!isEnabled()) {
return true;
}
RoleType roleType = accountService.getRoleType(account);
if (isApiAllowed(commandName, roleType)) {
return true;