From 63205f1f02081763b029633d5752d092016cf6f8 Mon Sep 17 00:00:00 2001
From: Nitin
Date: Thu, 28 Jul 2011 17:01:26 +0530
Subject: [PATCH] bug 10868: CheckAccess - If the domainId = -1 and the accountId is still valid then try and calculate the domainId. This case will be hit for all the entities which do not have domain id column in the DB table. What was happenning due to this was that we were not checking the domain hierarchy in such case which was leading to security leaks. Example - templates.
---
 server/src/com/cloud/user/AccountManagerImpl.java | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 4189bbd2e2f..fe3a55696a7 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -37,6 +37,7 @@ import org.apache.log4j.Logger;
 import com.cloud.acl.ControlledEntity;
 import com.cloud.acl.SecurityChecker;
+import com.cloud.api.ApiDBUtils;
 import com.cloud.api.commands.CreateAccountCmd;
 import com.cloud.api.commands.CreateUserCmd;
 import com.cloud.api.commands.DeleteAccountCmd;
@@ -899,11 +900,16 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
 HashMap> domains = new HashMap>();
 for (ControlledEntity entity : entities) {
- if (entity.getAccountId() != -1 && entity.getDomainId() != -1) {
+ long domainId = entity.getDomainId();
+ if (entity.getAccountId() != -1 && domainId == -1){ // If account exists domainId should too so calculate it. This condition might be hit for templates or entities which miss domainId in their tables
+ Account account = ApiDBUtils.findAccountById(entity.getAccountId());
+ domainId = account != null ? account.getDomainId() : -1 ;
+ }
+ if (entity.getAccountId() != -1 && domainId != -1) {
 List toBeChecked = domains.get(entity.getDomainId());
 if (toBeChecked == null) {
 toBeChecked = new ArrayList();
- domains.put(entity.getDomainId(), toBeChecked);
+ domains.put(domainId, toBeChecked);
 }
 toBeChecked.add(entity);
 }
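Review bot: The unchanged lookup `domains.get(entity.getDomainId())` still keys on the entity's raw domain id, while the new `domains.put(domainId, toBeChecked)` keys on the computed one. For an entity whose own domain id is -1 the lookup therefore always returns null, a fresh list is created, and the put replaces whatever list that domain already had, so earlier entities of the same domain drop out of `domains`; if the code after this hunk only checks what is in `domains`, those entities would skip the domain hierarchy check this commit is meant to enforce. The lookup should use the same key, `domains.get(domainId)`. Separately, when `findAccountById` returns null the entity keeps -1 and is left out of the map without a log line or a denial, which is worth deciding explicitly in an access check. The enclosing method starts and ends outside the hunk.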