From 9cc8da2a30246bdf452d10d9b5396be186176f41 Mon Sep 17 00:00:00 2001
From: Pearl Dsilva
Date: Wed, 6 Apr 2022 09:20:56 +0530
Subject: [PATCH] api: Update account type when updating account role (#6156)
* api: Update account type when updating account role
* extract code to validate role change
---
 .../java/com/cloud/user/AccountManagerImpl.java | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
index 9f760e655e5..031ba9e22c4 100644
--- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -1181,6 +1181,18 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 return _userAccountDao.findById(userId);
 }
+ private boolean isValidRoleChange(Account account, Role role) {
+ Long currentAccRoleId = account.getRoleId();
+ Role currentRole = roleService.findRole(currentAccRoleId);
+
+ if (role.getRoleType().ordinal() < currentRole.getRoleType().ordinal() && ((account.getType() == Account.Type.NORMAL && role.getRoleType().getAccountType().ordinal() > Account.Type.NORMAL.ordinal()) ||
+ account.getType().ordinal() > Account.Type.NORMAL.ordinal() && role.getRoleType().getAccountType().ordinal() < account.getType().ordinal() && role.getRoleType().getAccountType().ordinal() > 0)) {
+ throw new PermissionDeniedException(String.format("Unable to update account role to %s as you are " +
+ "attempting to escalate the account %s to account type %s which has higher privileges", role.getName(), account.getAccountName(), role.getRoleType().getAccountType().name()));
+ }
+ return true;
+ }
+
 /**
 * if there is any permission under the requested role that is not permitted for the caller, refuse
 */
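Review bot: The escalation check in `isValidRoleChange` decides by comparing `ordinal()` values of the role type and `Account.Type`, so the authorization outcome depends on the declaration order of two enums that are not visible in this hunk; reordering or inserting a constant would change which role changes are refused without any compile error. Comparing against named constants or an explicit rank method would be sturdier, and at minimum the method deserves a comment such as `// NOTE: this check depends on the declaration order of the role type and Account.Type enums`. The result of `roleService.findRole(currentAccRoleId)` is dereferenced unchecked, so an account whose current role cannot be resolved would fail with a NullPointerException rather than a PermissionDeniedException. The method can only return `true` or throw, and the caller in the second hunk discards the result, so a `void` method named along the lines of `validateRoleChange` would describe the contract more honestly.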
@@ -1897,7 +1909,10 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 "in the domain '" + domainId + "'.");
 }
+ Role role = roleService.findRole(roleId);
+ isValidRoleChange(account, role);
 acctForUpdate.setRoleId(roleId);
+ acctForUpdate.setType(role.getRoleType().getAccountType());
 checkRoleEscalation(getCurrentCallingAccount(), acctForUpdate);
 }
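Review bot: `role` from `roleService.findRole(roleId)` is passed to `isValidRoleChange` and dereferenced in `setType(...)` without a null check; whether the validation above the hunk guarantees that the lookup resolves is not visible here, so a guard such as `if (role == null)` that throws the same exception as the preceding validation branch would keep the failure explicit. The account type is now rewritten as a side effect of a role update, which is a privilege-affecting change, so a short comment above `setType` stating that the type is derived from the role type would help the next reader. It is also worth confirming that `checkRoleEscalation` evaluates the new account type as well as the new role, since it now runs after both fields are set. The enclosing method begins and ends outside the hunk.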