bug 12624: don't allow to delete the account when he is the owner for project(s)

status 12624: resolved fixed

api/src/com/cloud/acl/SecurityChecker.java

@@ -21,7 +21,6 @@
  */
 package com.cloud.acl;
 
-import com.cloud.acl.SecurityChecker.AccessType;
 import com.cloud.dc.DataCenter;
 import com.cloud.domain.Domain;
 import com.cloud.exception.PermissionDeniedException;

server/src/com/cloud/projects/dao/ProjectAccountDao.java

@@ -32,4 +32,6 @@ public interface ProjectAccountDao extends GenericDao<ProjectAccountVO, Long>{
     boolean canModifyProjectAccount(long accountId, long projectAccountId);
     
     List<Long> listPermittedAccountIds(long accountId);
+    
+    List<Long> listAdministratedProjects(long adminAccountId);
 }

server/src/com/cloud/projects/dao/ProjectAccountDaoImpl.java

@@ -17,23 +17,23 @@
  */
 package com.cloud.projects.dao;
 
-import java.util.ArrayList;
 import java.util.List;
 
 import javax.ejb.Local;
 
-import org.apache.log4j.Logger;
-
 import com.cloud.projects.ProjectAccount;
 import com.cloud.projects.ProjectAccountVO;
 import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.GenericSearchBuilder;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.db.SearchCriteria.Op;
 
 @Local(value={ProjectAccountDao.class})
 public class ProjectAccountDaoImpl extends GenericDaoBase<ProjectAccountVO, Long> implements ProjectAccountDao {
-    private static final Logger s_logger = Logger.getLogger(ProjectAccountDaoImpl.class);
     protected final SearchBuilder<ProjectAccountVO> AllFieldsSearch;
+    final GenericSearchBuilder<ProjectAccountVO, Long> AdminSearch;
+    final GenericSearchBuilder<ProjectAccountVO, Long> ProjectAccountSearch;
     
     protected ProjectAccountDaoImpl() {
         AllFieldsSearch = createSearchBuilder();
@@ -42,6 +42,17 @@ public class ProjectAccountDaoImpl extends GenericDaoBase<ProjectAccountVO, Long
         AllFieldsSearch.and("accountId", AllFieldsSearch.entity().getAccountId(), SearchCriteria.Op.EQ);
         AllFieldsSearch.and("projectAccountId", AllFieldsSearch.entity().getProjectAccountId(), SearchCriteria.Op.EQ);
         AllFieldsSearch.done();
+        
+        AdminSearch = createSearchBuilder(Long.class);
+        AdminSearch.selectField(AdminSearch.entity().getProjectId());
+        AdminSearch.and("role", AdminSearch.entity().getAccountRole(), Op.EQ);
+        AdminSearch.and("accountId", AdminSearch.entity().getAccountId(), Op.EQ);
+        AdminSearch.done();
+        
+        ProjectAccountSearch = createSearchBuilder(Long.class);
+        ProjectAccountSearch.selectField(ProjectAccountSearch.entity().getProjectAccountId());
+        ProjectAccountSearch.and("accountId", ProjectAccountSearch.entity().getAccountId(), Op.EQ);
+        ProjectAccountSearch.done();
     }
     
     @Override
@@ -99,16 +110,16 @@ public class ProjectAccountDaoImpl extends GenericDaoBase<ProjectAccountVO, Long
     
     @Override
     public List<Long> listPermittedAccountIds(long accountId) {
-        List<Long> permittedAccounts = new ArrayList<Long>();
-        SearchCriteria<ProjectAccountVO> sc = AllFieldsSearch.create();
+        SearchCriteria<Long> sc = ProjectAccountSearch.create();
         sc.setParameters("accountId", accountId);
-        
-        List<ProjectAccountVO> records = listBy(sc);
-        
-        for (ProjectAccountVO record : records) {
-            permittedAccounts.add(record.getProjectAccountId());
-        }
-        
-        return permittedAccounts;
+        return customSearch(sc, null);
+    }
+    
+    @Override
+    public List<Long> listAdministratedProjects(long adminAccountId) {
+        SearchCriteria<Long> sc = AdminSearch.create();
+        sc.setParameters("role", ProjectAccount.Role.Admin);
+        sc.setParameters("accountId", adminAccountId);
+        return customSearch(sc, null);
     }
 }

server/src/com/cloud/user/AccountManagerImpl.java

@@ -83,6 +83,7 @@ import com.cloud.network.security.dao.SecurityGroupDao;
 import com.cloud.network.vpn.RemoteAccessVpnService;
 import com.cloud.projects.Project;
 import com.cloud.projects.ProjectManager;
+import com.cloud.projects.dao.ProjectAccountDao;
 import com.cloud.projects.dao.ProjectDao;
 import com.cloud.server.auth.UserAuthenticator;
 import com.cloud.storage.StorageManager;
@@ -194,6 +195,8 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
     private AccountDetailsDao _accountDetailsDao;
     @Inject
     private DomainDao _domainDao;
+    @Inject
+    private ProjectAccountDao _projectAccountDao;
     
     private Adapters<UserAuthenticator> _userAuthenticators;
 
@@ -962,6 +965,17 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
             throw new PermissionDeniedException("Account id : " + accountId + " is a system account, delete is not allowed");
         }
         
+        //Account that manages project(s) can't be removed
+        List<Long> managedProjectIds = _projectAccountDao.listAdministratedProjects(accountId);
+        if (!managedProjectIds.isEmpty()) {
+        	StringBuilder projectIds = new StringBuilder();
+        	for (Long projectId : managedProjectIds) {
+        		projectIds.append(projectId + ", ");
+        	}
+        	
+        	throw new InvalidParameterValueException("The account id=" + accountId + " manages project(s) with ids " + projectIds + "and can't be removed");
+        }
+        
         return deleteAccount(account, callerUserId, caller);
     }