etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

bug 9760: added missing permission check to listTemplates api (didn't work when id parameter was specified in the request) 

status 9760: resolved fixed
This commit is contained in:
alena 2011-05-06 11:09:04 -07:00
parent eff2f4254e
commit 95c5f0f831
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
server/src/com/cloud/server/ManagementServerImpl.java
View File

@ -1690,6 +1690,7 @@ public class ManagementServerImpl implements ManagementServer {
private Set<Pair<Long, Long>> listTemplates(Long templateId, String name, String keyword, TemplateFilter templateFilter, boolean isIso, Boolean bootable, Long accountId, Long pageSize,
Long startIndex, Long zoneId, HypervisorType hyperType, boolean isAccountSpecific, boolean showDomr) throws InvalidParameterValueException {
Account caller = UserContext.current().getCaller();
VMTemplateVO template = null;
if (templateId != null) {
template = _templateDao.findById(templateId);
@ -1724,6 +1725,12 @@ public class ManagementServerImpl implements ManagementServer {
if (template == null) {
templateZonePairSet = _templateDao.searchTemplates(name, keyword, templateFilter, isIso, bootable, account, domain, pageSize, startIndex, zoneId, hyperType, onlyReady, showDomr);
} else {
//if template is not public, perform permission check here
if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
Account owner = _accountMgr.getAccount(template.getAccountId());
_accountMgr.checkAccess(caller, owner);
}
templateZonePairSet.add(new Pair<Long, Long>(template.getId(), zoneId));
}