From 7c7237eec185c92dcb27ee3da2df4dbb8c52bf01 Mon Sep 17 00:00:00 2001
From: Abhishek Kumar
Date: Mon, 22 Apr 2019 15:50:40 +0530
Subject: [PATCH] server: create network owner check access fix

Signed-off-by: Abhishek Kumar
---
 .../com/cloud/network/NetworkServiceImpl.java | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
index 5e243764c3b..1f2e9264dec 100644
--- a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
@@ -1058,7 +1058,13 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
 }
 throw ex;
 }
- _accountMgr.checkAccess(caller, ntwkOff, _dcDao.findById(zoneId));
+
+ Account owner = null;
+ if ((cmd.getAccountName() != null && domainId != null) || cmd.getProjectId() != null) {
+ owner = _accountMgr.finalizeOwner(caller, cmd.getAccountName(), domainId, cmd.getProjectId());
+ } else {
+ owner = caller;
+ }
 // validate physical network and zone
 // Check if physical network exists
@@ -1083,6 +1089,8 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
 throw new InvalidParameterValueException("Specified zone id was not found");
 }
+ _accountMgr.checkAccess(owner, ntwkOff, zone);
+
 if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
 // See DataCenterVO.java
 PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation since specified Zone is currently disabled");
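Review bot: The owner fallback in the added block is silent: when `cmd.getAccountName()` is set but `domainId` is null and no project id is given, the `else` branch assigns `owner = caller`, so the offering/zone check added in the next hunk runs against the caller rather than the account the request named. Whether an earlier validation already rejects that combination is not visible in this hunk. If none does, rejecting it explicitly keeps the access decision tied to the intended owner, e.g. `if (cmd.getAccountName() != null && domainId == null && cmd.getProjectId() == null) { throw new InvalidParameterValueException("domainId is required when account is specified"); }`. The enclosing method starts and ends outside the hunk.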
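Review bot: The `checkAccess(owner, ntwkOff, zone)` call added here is undocumented, and after the removal in the first hunk nothing in the visible lines checks the API caller against `ntwkOff`; the caller's authority appears to rest on `finalizeOwner` having validated that the caller may act for `owner`, which is not shown on this page. A comment above the call would make that dependency reviewable, e.g. `// Offering/zone access is evaluated for the resolved owner; finalizeOwner is expected to have verified the caller may act for that owner`. The disabled-zone test immediately below still keys on `caller`, so the two checks now apply to different principals, and that split is worth stating in the same comment.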
@@ -1151,12 +1159,6 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
 } else if (subdomainAccess != null) {
 throw new InvalidParameterValueException("Parameter subDomainAccess can be specified only with aclType=Domain");
 }
- Account owner = null;
- if ((cmd.getAccountName() != null && domainId != null) || cmd.getProjectId() != null) {
- owner = _accountMgr.finalizeOwner(caller, cmd.getAccountName(), domainId, cmd.getProjectId());
- } else {
- owner = caller;
- }
 boolean ipv4 = true, ipv6 = false;
 if (startIP != null) {
@@ -2017,7 +2019,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
 }
 _accountMgr.checkAccess(callerAccount, null, true, network);
- _accountMgr.checkAccess(callerAccount, offering, _dcDao.findById(network.getDataCenterId()));
+ _accountMgr.checkAccess(_accountMgr.getActiveAccountById(network.getAccountId()), offering, _dcDao.findById(network.getDataCenterId()));
 if (name != null) {
 network.setName(name);
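Review bot: The replacement line in the last hunk passes the result of `_accountMgr.getActiveAccountById(network.getAccountId())` straight into `checkAccess` with no null check. If that lookup returns null for an owner account that is disabled or removed (the name suggests it may; the implementation is not visible here), the offering check either fails with an unhelpful NullPointerException or is evaluated against no account at all, depending on how `checkAccess` treats a null owner. Resolving the owner into a local and failing closed when it is missing keeps the authorization decision explicit. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: _accountMgr.checkAccess(callerAccount, null, true, network) …
Account networkOwner = _accountMgr.getActiveAccountById(network.getAccountId());
if (networkOwner == null) {
    throw new InvalidParameterValueException("Unable to find an active owner account for the network");
}
_accountMgr.checkAccess(networkOwner, offering, _dcDao.findById(network.getDataCenterId()));
```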