Posted to commits@cloudstack.apache.org by al...@apache.org on 2012/10/08 20:03:23 UTC

[1/2] git commit: CLOUDSTACK-287: don't allow API call against system account (adding users to system account is prohibited; can't delete/update System account)

Updated Branches:
  refs/heads/4.0 098a78a17 -> 29e6dae86


CLOUDSTACK-287: don't allow API call against system account (adding users to system account is prohibited; can't delete/update System account)

Conflicts:

	server/src/com/cloud/user/AccountManagerImpl.java


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/29e6dae8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/29e6dae8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/29e6dae8

Branch: refs/heads/4.0
Commit: 29e6dae86de9482d6f2e85fe47fceeab45ecba9c
Parents: cfd2091
Author: Alena Prokharchyk <al...@citrix.com>
Authored: Mon Oct 8 10:31:24 2012 -0700
Committer: Alena Prokharchyk <al...@citrix.com>
Committed: Mon Oct 8 11:00:46 2012 -0700

----------------------------------------------------------------------
 server/src/com/cloud/user/AccountManagerImpl.java |   20 ++++++++++-----
 1 files changed, 13 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/29e6dae8/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 0df6ada..61a3e1a 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -834,6 +834,10 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
         if (account == null || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
             throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain id=" + domainId + " to create user");
         }
+        
+        if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
+            throw new PermissionDeniedException("Account id : " + account.getId() + " is a system account, can't add a user to it");
+        }
 
         if (!_userAccountDao.validateUsernameInDomain(userName, domainId)) {
             throw new CloudRuntimeException("The user " + userName + " already exists in domain " + domainId);
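Review bot: The system-account guard added after the account lookup here is written out again in the enable, lock and disable hunks of this commit, each with its own hand-built message, and the copies already disagree on which id they print (`account.getId()` here, `accountId` in the others). A small private helper, for example `private void denyIfSystemAccount(Account account, String action)`, that throws the PermissionDeniedException from `account.getId()` would keep the four call sites consistent. The whitespace-only added line before the `if` can also be dropped. The enclosing method starts and ends outside this hunk.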
@@ -1155,9 +1159,8 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
             throw new InvalidParameterValueException("Unable to find account by accountId: " + accountId + " OR by name: " + accountName + " in domain " + domainId);
         }
 
-        // Don't allow to modify system account
         if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
-            throw new InvalidParameterValueException("Can not modify system account");
+            throw new PermissionDeniedException("Account id : " + accountId + " is a system account, enable is not allowed");
         }
 
         // Check if user performing the action is allowed to modify this account
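Review bot: The new denial message in the enable path prints the request parameter `accountId` rather than the id of the account that was actually resolved. The lookup-failure message just above shows the account can also be addressed by `accountName` plus `domainId`; in that case `accountId` is presumably null and the message would read "Account id : null is a system account". Use the resolved object as the createUser hunk does: `throw new PermissionDeniedException("Account id : " + account.getId() + " is a system account, enable is not allowed");`. The lock and disable hunks have the same pattern. The exception type also changes from InvalidParameterValueException to PermissionDeniedException, so any caller or API error mapping keyed on the old type is worth checking; none is visible in this hunk.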
@@ -1187,14 +1190,13 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
         if (account == null || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
             throw new InvalidParameterValueException("Unable to find active account by accountId: " + accountId + " OR by name: " + accountName + " in domain " + domainId);
         }
-
-        checkAccess(caller, null, true, account);
-
-        // don't allow modify system account
+        
         if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
-            throw new InvalidParameterValueException("can not lock system account");
+            throw new PermissionDeniedException("Account id : " + accountId + " is a system account, lock is not allowed");
         }
 
+        checkAccess(caller, null, true, account);
+
         if (lockAccount(account.getId())) {
             return _accountDao.findById(account.getId());
         } else {
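Review bot: Moving the system-account check ahead of `checkAccess(caller, null, true, account)` means a caller with no rights over the target now receives the specific "is a system account" denial before any authorization is evaluated, and the comment that explained the guard was removed along the way. If that order is intentional, record it, for example `// The system account can never be locked, whoever the caller is; reject before the per-caller access check`. Otherwise keep `checkAccess` first so an unauthorized caller gets the same response for every account. The enclosing method starts and ends outside this hunk.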
@@ -1217,6 +1219,10 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
         if (account == null || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
             throw new InvalidParameterValueException("Unable to find account by accountId: " + accountId + " OR by name: " + accountName + " in domain " + domainId);
         }
+        
+        if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
+            throw new PermissionDeniedException("Account id : " + accountId + " is a system account, disable is not allowed");
+        }
 
         checkAccess(caller, null, true, account);