From d28d6894e13d1cc3a5fc6f7e19cd967a4476423b Mon Sep 17 00:00:00 2001
From: abhishek
Date: Wed, 1 Dec 2010 11:32:40 -0800
Subject: [PATCH] adding security checks for list ip forwarding rules command
---
 .../cloud/server/ManagementServerImpl.java | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index 47e5b75ed7f..8b450c5ae02 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -2554,6 +2554,30 @@ public class ManagementServerImpl implements ManagementServer {
 @Override
 public List searchForIpForwardingRules(ListIpForwardingRulesCmd cmd){
 String ipAddress = cmd.getPublicIpAddress();
+ Account account = UserContext.current().getAccount();
+
+ IPAddressVO ipAddressVO = _publicIpAddressDao.findById(ipAddress);
+ if (ipAddressVO == null) {
+ throw new InvalidParameterValueException("Unable to find IP address " + ipAddress);
+ }
+
+ Account addrOwner = _accountDao.findById(ipAddressVO.getAccountId());
+
+ // if an admin account was passed in, or no account was passed in, make sure we honor the accountName/domainId parameters
+ if ((account != null) && isAdmin(account.getType())) {
+ if (ipAddressVO.getAccountId() != null) {
+ if ((addrOwner != null) && !_domainDao.isChildDomain(account.getDomainId(), addrOwner.getDomainId())) {
+ throw new PermissionDeniedException("Unable to list ip forwarding rules for address " + ipAddress + ", permission denied for account " + account.getId());
+ }
+ }
+ } else {
+ if (account != null) {
+ if ((ipAddressVO.getAccountId() == null) || (account.getId() != ipAddressVO.getAccountId().longValue())) {
+ throw new PermissionDeniedException("Unable to list ip forwarding rules for address " + ipAddress + ", permission denied for account " + account.getId());
+ }
+ }
+ }
+
 Filter searchFilter = new Filter(FirewallRuleVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
 SearchCriteria sc = _firewallRulesDao.createSearchCriteria();
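Review bot: The admin branch of the new ownership check fails open: when `ipAddressVO.getAccountId()` is non-null but `_accountDao.findById(...)` returns null, the `(addrOwner != null) && ...` guard skips the domain test and the rules are listed anyway. Denying on an unresolved owner is the safer default, e.g. `if ((addrOwner == null) || !_domainDao.isChildDomain(account.getDomainId(), addrOwner.getDomainId())) {`. A null `account` from `UserContext.current()` likewise bypasses both branches; if that is meant to denote a trusted system caller, a comment such as `// null account == internal/system caller, no ownership check` should say so, since the existing comment refers to accountName/domainId parameters this code never reads. `_accountDao.findById(ipAddressVO.getAccountId())` also runs before the null test on the account id, so it is presumably called with null for unallocated addresses. The method body continues past the end of the hunk.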