bug 9973: listReourceLimits A domain-admin of domain X can view Resource Limits from other domain

adding additional checks, and moving old code to access checkers status 9973: resolved fixed
2011-05-31 13:57:20 +05:30 · 2011-05-31 13:57:20 +05:30 · 6de2bef7cd
parent b5aeb6fa0e
commit 6de2bef7cd
1 changed files with 19 additions and 8 deletions
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@ -511,23 +511,34 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
                    throw new InvalidParameterValueException("Failed to list limits for account " + accountName + " no domain id specified.");
                }

-                Account userAccount = _accountDao.findActiveAccount(accountName, domainId);
+                DomainVO domain = _domainDao.findById(domainId);
+                if (domain == null) {
+                    throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
+                }

+                Account userAccount = _accountDao.findActiveAccount(accountName, domainId);
                if (userAccount == null) {
                    throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain " + domainId);
-                } else if (account != null
-                        && (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN || account.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)) {
-                    // If this is a non-root admin, make sure that the admin and the user account belong in the same domain or
-                    // that the user account's domain is a child domain of the parent
-                    if (account.getDomainId() != userAccount.getDomainId() && !_domainDao.isChildDomain(account.getDomainId(), userAccount.getDomainId())) {
-                        throw new PermissionDeniedException("You do not have permission to access limits for this account: " + accountName);
-                    }
+                }
+
+                if (account != null) {
+                    checkAccess(account, domain);
                }

                accountId = userAccount.getId();
                domainId = null;
            } else if (domainId != null) {
                // Look up limits for the specified domain
+
+                DomainVO domain = _domainDao.findById(domainId);
+                if (domain == null) {
+                    throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
+                }
+
+                if (account != null) {
+                    checkAccess(account, domain);
+                }
+
                accountId = null;
            } else if (account == null) {
                // Look up limits for the ROOT domain