From a4f997e56a4137d6369f9b99b85656531db3796e Mon Sep 17 00:00:00 2001 From: alena Date: Wed, 11 May 2011 10:34:03 -0700 Subject: [PATCH] bug 9841: added missing permission checks to the deleteTemplate/deleteIso API status 9841: resolved fixed --- .../cloud/template/TemplateManagerImpl.java | 36 +++++++++++-------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java index b681c244b6a..d54131f480c 100755 --- a/server/src/com/cloud/template/TemplateManagerImpl.java +++ b/server/src/com/cloud/template/TemplateManagerImpl.java @@ -1294,7 +1294,7 @@ public class TemplateManagerImpl implements TemplateManager, Manager, TemplateSe public boolean deleteTemplate(DeleteTemplateCmd cmd) { Long templateId = cmd.getId(); Long userId = UserContext.current().getCallerUserId(); - Account account = UserContext.current().getCaller(); + Account caller = UserContext.current().getCaller(); Long zoneId = cmd.getZoneId(); VMTemplateVO template = _tmpltDao.findById(templateId.longValue()); @@ -1302,12 +1302,16 @@ public class TemplateManagerImpl implements TemplateManager, Manager, TemplateSe throw new InvalidParameterValueException("unable to find template with id " + templateId); } - userId = accountAndUserValidation(account, userId, null, template, "Unable to delete template " ); - - UserVO user = _userDao.findById(userId); - if (user == null) { - throw new InvalidParameterValueException("Please specify a valid user."); - } + if (template != null) { + Account templateOwner = _accountDao.findById(template.getAccountId()); + if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { + if (caller.getId() != templateOwner.getId()) { + throw new PermissionDeniedException("Account " + caller + " can't operate with template id=" + template.getId()); + } + } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + _accountMgr.checkAccess(caller, templateOwner); + } + } if (template.getFormat() == ImageFormat.ISO) { throw new InvalidParameterValueException("Please specify a valid template."); @@ -1327,7 +1331,7 @@ public class TemplateManagerImpl implements TemplateManager, Manager, TemplateSe public boolean deleteIso(DeleteIsoCmd cmd) { Long templateId = cmd.getId(); Long userId = UserContext.current().getCallerUserId(); - Account account = UserContext.current().getCaller(); + Account caller = UserContext.current().getCaller(); Long zoneId = cmd.getZoneId(); VMTemplateVO template = _tmpltDao.findById(templateId.longValue()); @@ -1335,12 +1339,16 @@ public class TemplateManagerImpl implements TemplateManager, Manager, TemplateSe throw new InvalidParameterValueException("unable to find iso with id " + templateId); } - userId = accountAndUserValidation(account, userId, null, template, "Unable to delete iso " ); - - UserVO user = _userDao.findById(userId); - if (user == null) { - throw new InvalidParameterValueException("Please specify a valid user."); - } + if (template != null) { + Account templateOwner = _accountDao.findById(template.getAccountId()); + if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { + if (caller.getId() != templateOwner.getId()) { + throw new PermissionDeniedException("Account " + caller + " can't operate with iso id=" + template.getId()); + } + } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + _accountMgr.checkAccess(caller, templateOwner); + } + } if (template.getFormat() != ImageFormat.ISO) { throw new InvalidParameterValueException("Please specify a valid iso.");