From 5b339673109400ff949b91c1c74c709b72f91178 Mon Sep 17 00:00:00 2001
From: sato03
Date: Fri, 18 Aug 2023 04:33:05 -0300
Subject: [PATCH] Fix role escalation prevention (#7853)

Co-authored-by: Henrique Sato
---
 .../acl/StaticRoleBasedAPIAccessChecker.java | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index 27f8305f579..7d12178f0f3 100644
--- a/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -76,12 +76,12 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
         if (roleService.isEnabled()) {
             LOGGER.debug("RoleService is enabled. We will use it instead of StaticRoleBasedAPIAccessChecker.");
         }
-        return roleService.isEnabled();
+        return !roleService.isEnabled();
     }
 
     @Override
     public List getApisAllowedToUser(Role role, User user, List apiNames) throws PermissionDeniedException {
-        if (isEnabled()) {
+        if (!isEnabled()) {
             return apiNames;
         }
 
@@ -93,7 +93,7 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
 
     @Override
     public boolean checkAccess(User user, String commandName) throws PermissionDeniedException {
-        if (isEnabled()) {
+        if (!isEnabled()) {
             return true;
         }
 
@@ -107,6 +107,10 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
 
     @Override
     public boolean checkAccess(Account account, String commandName) {
+        if (!isEnabled()) {
+            return true;
+        }
+
         RoleType roleType = accountService.getRoleType(account);
         if (isApiAllowed(commandName, roleType)) {
             return true;
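Review bot: `isEnabled()` now returns the opposite value and nothing on the method documents the new contract — true means the dynamic RoleService is off and this static checker is authoritative — so the `if (!isEnabled())` pass-through branches in `getApisAllowedToUser` here and in both `checkAccess` overloads of the later hunks read as fail-open without explanation. Anything outside this class that consults `isEnabled()` (presumably the API layer that selects checkers) also sees the inverted value, which appears to be the intended effect but deserves a sentence in a Javadoc. I would add above the method `/** True when the RoleService is disabled and this static, role-type based checker is authoritative; when false every check in this class passes through so the RoleService checker decides. */` and mark each pass-through with `// RoleService is active; defer to its checker`. The opening lines of `isEnabled()` lie outside the hunk.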
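Review bot: The guard added to `checkAccess(Account, String)` is the only behavioural change beyond the double inversion in the earlier hunks, yet the diffstat shows a single file touched, so no test pins that all three entry points return the pass-through result when `roleService.isEnabled()` is true and still evaluate `isApiAllowed` when it is false. A small test that stubs `roleService.isEnabled()` both ways and asserts the outcome of `checkAccess(Account, String)` and `checkAccess(User, String)` would catch a future re-inversion of `isEnabled()`. The remainder of this method, including whatever follows the `isApiAllowed` branch, lies outside the hunk.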