bug 9841: added missing permission checks to the deleteTemplate/deleteIso API

status 9841: resolved fixed
alena 2011-05-11 10:34:03 -07:00
parent f9a575a657
commit a4f997e56a
1 changed files with 22 additions and 14 deletions


@ -1294,7 +1294,7 @@ public class TemplateManagerImpl implements TemplateManager, Manager, TemplateSe
public boolean deleteTemplate(DeleteTemplateCmd cmd) {
Long templateId = cmd.getId();
Long userId = UserContext.current().getCallerUserId();
Account account = UserContext.current().getCaller();
Account caller = UserContext.current().getCaller();
Long zoneId = cmd.getZoneId();
VMTemplateVO template = _tmpltDao.findById(templateId.longValue());
@ -1302,12 +1302,16 @@ public class TemplateManagerImpl implements TemplateManager, Manager, TemplateSe
throw new InvalidParameterValueException("unable to find template with id " + templateId);
}
userId = accountAndUserValidation(account, userId, null, template, "Unable to delete template " );
UserVO user = _userDao.findById(userId);
if (user == null) {
throw new InvalidParameterValueException("Please specify a valid user.");
}
if (template != null) {
Account templateOwner = _accountDao.findById(template.getAccountId());
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (caller.getId() != templateOwner.getId()) {
throw new PermissionDeniedException("Account " + caller + " can't operate with template id=" + template.getId());
}
} else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
_accountMgr.checkAccess(caller, templateOwner);
}
}
if (template.getFormat() == ImageFormat.ISO) {
throw new InvalidParameterValueException("Please specify a valid template.");
@ -1327,7 +1331,7 @@ public class TemplateManagerImpl implements TemplateManager, Manager, TemplateSe
public boolean deleteIso(DeleteIsoCmd cmd) {
Long templateId = cmd.getId();
Long userId = UserContext.current().getCallerUserId();
Account account = UserContext.current().getCaller();
Account caller = UserContext.current().getCaller();
Long zoneId = cmd.getZoneId();
VMTemplateVO template = _tmpltDao.findById(templateId.longValue());
@ -1335,12 +1339,16 @@ public class TemplateManagerImpl implements TemplateManager, Manager, TemplateSe
throw new InvalidParameterValueException("unable to find iso with id " + templateId);
}
userId = accountAndUserValidation(account, userId, null, template, "Unable to delete iso " );
UserVO user = _userDao.findById(userId);
if (user == null) {
throw new InvalidParameterValueException("Please specify a valid user.");
}
if (template != null) {
Account templateOwner = _accountDao.findById(template.getAccountId());
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (caller.getId() != templateOwner.getId()) {
throw new PermissionDeniedException("Account " + caller + " can't operate with iso id=" + template.getId());
}
} else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
_accountMgr.checkAccess(caller, templateOwner);
}
}
if (template.getFormat() != ImageFormat.ISO) {
throw new InvalidParameterValueException("Please specify a valid iso.");
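Review bot: The new ownership check in deleteTemplate (and the identical block in deleteIso) fails open: only `ACCOUNT_TYPE_NORMAL` and `ACCOUNT_TYPE_DOMAIN_ADMIN` callers are checked, so a caller of any other account type reaches the delete with no authorization decision made. If only the root admin is meant to bypass the check, state that explicitly and send every other type through the access check, for example by replacing the second branch with `} else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { _accountMgr.checkAccess(caller, templateOwner); }`. `templateOwner` is also dereferenced without a null check, so a template whose owner is not returned by `_accountDao.findById` would surface as a NullPointerException rather than a permission error. The `if (template != null)` guard looks redundant, given the not-found throw just above it and the unguarded `template.getFormat()` right after it. Because the block is duplicated verbatim in both methods, a single private helper would keep the two checks from drifting apart; both method bodies continue past the hunks shown.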