From 95c5f0f831b7fd5a4cfd22de4e985c41059f60ed Mon Sep 17 00:00:00 2001
From: alena
Date: Fri, 6 May 2011 11:09:04 -0700
Subject: [PATCH] bug 9760: added missing permission check to listTemplates api (didn't work when id parameter was specified in the request) status 9760: resolved fixed
---
 server/src/com/cloud/server/ManagementServerImpl.java | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index 00bc904fc2d..e2d41bbc428 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -1690,6 +1690,7 @@ public class ManagementServerImpl implements ManagementServer {
 private Set> listTemplates(Long templateId, String name, String keyword, TemplateFilter templateFilter, boolean isIso, Boolean bootable, Long accountId, Long pageSize, Long startIndex, Long zoneId, HypervisorType hyperType, boolean isAccountSpecific, boolean showDomr) throws InvalidParameterValueException {
+ Account caller = UserContext.current().getCaller();
 VMTemplateVO template = null;
 if (templateId != null) {
 template = _templateDao.findById(templateId);
@@ -1724,6 +1725,12 @@ public class ManagementServerImpl implements ManagementServer {
 if (template == null) {
 templateZonePairSet = _templateDao.searchTemplates(name, keyword, templateFilter, isIso, bootable, account, domain, pageSize, startIndex, zoneId, hyperType, onlyReady, showDomr);
 } else {
+ //if template is not public, perform permission check here
+ if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+ Account owner = _accountMgr.getAccount(template.getAccountId());
+ _accountMgr.checkAccess(caller, owner);
+ }
+
 templateZonePairSet.add(new Pair(template.getId(), zoneId));
 }
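Review bot: The ownership check in the second hunk runs only in the final `else` branch, well after `_templateDao.findById(templateId)` in the first hunk, so any validation in the lines between the two hunks (not shown here) operates on another account's private template before the caller is authorized. If that code raises distinct errors, a non-owner can probably still learn whether an id exists or what kind of template it is. Consider moving the `if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN)` block up to sit directly after the lookup, behind a null check on `template`. Separately, `_accountMgr.getAccount(template.getAccountId())` may return null for a removed owner, and how `checkAccess(caller, owner)` treats a null owner is not visible here, so the code should fail closed explicitly when `owner == null`. The body of `listTemplates` starts and ends outside both hunks.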