After merge, fix isRootAdmin() calls to use accountId instead of type

api/src/com/cloud/user/AccountService.java

@@ -88,9 +88,9 @@ public interface AccountService {
 
     User getUserIncludingRemoved(long userId);
 
-    boolean isRootAdmin(long accountId);
+    boolean isRootAdmin(Long accountId);
 
-    boolean isDomainAdmin(long accountId);
+    boolean isDomainAdmin(Long accountId);
 
     boolean isNormalUser(long accountId);
 

server/src/com/cloud/api/query/QueryManagerImpl.java

@@ -520,7 +520,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
         _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
 
         // For end users display only enabled events
-        if(!_accountMgr.isRootAdmin(caller.getType())){
+        if (!_accountMgr.isRootAdmin(caller.getId())) {
             sc.setParameters("displayEvent", true);
         }
 

server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java

@@ -508,7 +508,7 @@ public class DeploymentPlanningManagerImpl extends ManagerBase implements Deploy
 
         // check if zone is dedicated. if yes check if vm owner has acess to it.
         DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(dc.getId());
-        if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getType())) {
+        if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getId())) {
             long accountDomainId = vmProfile.getOwner().getDomainId();
             long accountId = vmProfile.getOwner().getAccountId();
 

server/src/com/cloud/network/NetworkServiceImpl.java

@@ -1805,7 +1805,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
         // Perform permission check
         _accountMgr.checkAccess(caller, null, true, network);
 
-        if (forced && !_accountMgr.isRootAdmin(caller.getType())) {
+        if (forced && !_accountMgr.isRootAdmin(caller.getId())) {
             throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins");
         }
 

server/src/com/cloud/storage/VolumeApiServiceImpl.java

@@ -386,7 +386,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
         if (displayVolume == null) {
             displayVolume = true;
         } else {
-            if (!_accountMgr.isRootAdmin(caller.getType())) {
+            if (!_accountMgr.isRootAdmin(caller.getId())) {
                 throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted ");
             }
         }

server/src/com/cloud/user/AccountManagerImpl.java

@@ -366,37 +366,40 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     }
 
     @Override
-    public boolean isRootAdmin(long accountId) {
-        AccountVO acct = _accountDao.findById(accountId);
-        for (SecurityChecker checker : _securityCheckers) {
-            try {
-                if (checker.checkAccess(acct, null, null, "SystemCapability")) {
-                    if (s_logger.isDebugEnabled()) {
-                        s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+    public boolean isRootAdmin(Long accountId) {
+        if (accountId != null) {
+            AccountVO acct = _accountDao.findById(accountId);
+            for (SecurityChecker checker : _securityCheckers) {
+                try {
+                    if (checker.checkAccess(acct, null, null, "SystemCapability")) {
+                        if (s_logger.isDebugEnabled()) {
+                            s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+                        }
+                        return true;
                     }
-                    return true;
+                } catch (PermissionDeniedException ex) {
+                    return false;
                 }
-            } catch (PermissionDeniedException ex) {
-                return false;
             }
         }
-
         return false;
     }
 
     @Override
-    public boolean isDomainAdmin(long accountId) {
-        AccountVO acct = _accountDao.findById(accountId);
-        for (SecurityChecker checker : _securityCheckers) {
-            try {
-                if (checker.checkAccess(acct, null, null, "DomainCapability")) {
-                    if (s_logger.isDebugEnabled()) {
-                        s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+    public boolean isDomainAdmin(Long accountId) {
+        if (accountId != null) {
+            AccountVO acct = _accountDao.findById(accountId);
+            for (SecurityChecker checker : _securityCheckers) {
+                try {
+                    if (checker.checkAccess(acct, null, null, "DomainCapability")) {
+                        if (s_logger.isDebugEnabled()) {
+                            s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+                        }
+                        return true;
                     }
-                    return true;
+                } catch (PermissionDeniedException ex) {
+                    return false;
                 }
-            } catch (PermissionDeniedException ex) {
-                return false;
             }
         }
         return false;

server/src/com/cloud/uuididentity/UUIDManagerImpl.java

@@ -50,7 +50,7 @@ public class UUIDManagerImpl implements UUIDManager {
         Account caller = CallContext.current().getCallingAccount();
 
         // Only admin and system allowed to do this
-        if (!(caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType()))) {
+        if (!(caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId()))) {
             throw new PermissionDeniedException("Please check your permissions, you are not allowed to create/update custom id");
         }
 

server/test/com/cloud/user/MockAccountManagerImpl.java

@@ -162,7 +162,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
     }
 
     @Override
-    public boolean isRootAdmin(long accountId) {
+    public boolean isRootAdmin(Long accountId) {
         // TODO Auto-generated method stub
         return false;
     }
@@ -298,7 +298,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
     }
 
     @Override
-    public boolean isDomainAdmin(long accountId) {
+    public boolean isDomainAdmin(Long accountId) {
         // TODO Auto-generated method stub
         return false;
     }
@@ -356,4 +356,5 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
         return null;
     }
 
+
 }

services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java

@@ -63,6 +63,9 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
     public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
             throws PermissionDeniedException {
 
+        if (caller == null) {
+            throw new InvalidParameterValueException("Caller cannot be passed as NULL to IAM!");
+        }
         if (entity == null && action != null) {
             // check if caller can do this action
             List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getAccountId());