From bc525d2236dd56a56026826f3aa6114da48437da Mon Sep 17 00:00:00 2001
From: Min Chen <min.chen@citrix.com>
Date: Wed, 16 Apr 2014 10:09:49 -0700
Subject: [PATCH] CLOUDSTACK-6428:IAM - Domain Admin - When his sub-domainId is
 passed to the listVirtualMachine command, Vms from all the domains are being
 listed.

---
 .../iam/RoleBasedEntityQuerySelector.java     | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
index a56940368d1..40c8549c304 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
@@ -31,6 +31,8 @@ import org.apache.cloudstack.iam.api.IAMPolicy;
 import org.apache.cloudstack.iam.api.IAMPolicyPermission;
 import org.apache.cloudstack.iam.api.IAMService;
 
+import com.cloud.domain.DomainVO;
+import com.cloud.domain.dao.DomainDao;
 import com.cloud.user.Account;
 import com.cloud.utils.component.AdapterBase;
 
@@ -40,6 +42,8 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe
 
     @Inject
     IAMService _iamService;
+    @Inject
+    DomainDao _domainDao;
 
     @Override
     public List<Long> getAuthorizedDomains(Account caller, String action, AccessType accessType) {
@@ -61,11 +65,23 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe
             if (pp != null) {
                 for (IAMPolicyPermission p : pp) {
                     if (p.getScopeId() != null) {
+                        Long domainId = null;
                         if (p.getScopeId().longValue() == -1) {
-                            domainIds.add(caller.getDomainId());
+                            domainId = caller.getDomainId();
+                            //domainIds.add(caller.getDomainId());
                         } else {
-                            domainIds.add(p.getScopeId());
+                            domainId = p.getScopeId();
+                            //domainIds.add(p.getScopeId());
                         }
+                        domainIds.add(domainId);
+                        // add all the domain children from this domain. Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that
+                        // the whole domain tree is granted access.
+                        DomainVO domain = _domainDao.findById(domainId);
+                        List<Long> childDomains = _domainDao.getDomainChildrenIds(domain.getPath());
+                        if (childDomains != null && childDomains.size() > 0) {
+                            domainIds.addAll(childDomains);
+                        }
+
                     }
                 }
             }