Posted to commits@cloudstack.apache.org by nv...@apache.org on 2022/04/06 03:51:02 UTC
[cloudstack] branch main updated: api: Update account type when updating account role (#6156)
This is an automated email from the ASF dual-hosted git repository.
nvazquez pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/main by this push:
new 9cc8da2a30 api: Update account type when updating account role (#6156)
9cc8da2a30 is described below
commit 9cc8da2a30246bdf452d10d9b5396be186176f41
Author: Pearl Dsilva <pe...@gmail.com>
AuthorDate: Wed Apr 6 09:20:56 2022 +0530
api: Update account type when updating account role (#6156)
* api: Update account type when updating account role
* extract code to validate role change
---
.../src/main/java/com/cloud/user/AccountManagerImpl.java | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
index 9f760e655e..031ba9e22c 100644
--- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -1181,6 +1181,18 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
return _userAccountDao.findById(userId);
}
+ private boolean isValidRoleChange(Account account, Role role) {
+ Long currentAccRoleId = account.getRoleId();
+ Role currentRole = roleService.findRole(currentAccRoleId);
+
+ if (role.getRoleType().ordinal() < currentRole.getRoleType().ordinal() && ((account.getType() == Account.Type.NORMAL && role.getRoleType().getAccountType().ordinal() > Account.Type.NORMAL.ordinal()) ||
+ account.getType().ordinal() > Account.Type.NORMAL.ordinal() && role.getRoleType().getAccountType().ordinal() < account.getType().ordinal() && role.getRoleType().getAccountType().ordinal() > 0)) {
+ throw new PermissionDeniedException(String.format("Unable to update account role to %s as you are " +
+ "attempting to escalate the account %s to account type %s which has higher privileges", role.getName(), account.getAccountName(), role.getRoleType().getAccountType().name()));
+ }
+ return true;
+ }
+
/**
* if there is any permission under the requested role that is not permitted for the caller, refuse
*/
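Review bot: The escalation check in `isValidRoleChange` decides whether to throw `PermissionDeniedException` entirely from `ordinal()` comparisons on `RoleType` and `Account.Type`, so the authorization result depends on the declaration order of two enums that are not visible in this hunk. Reordering or inserting a constant in either enum would silently change which role changes are rejected. At minimum the condition needs a comment such as `// compares enum ordinals: correctness depends on the declaration order of RoleType and Account.Type`, and the trailing `> 0` should read `> Account.Type.NORMAL.ordinal()` if that is what it means, to match the rest of the expression. Separately, `currentRole` from `roleService.findRole(currentAccRoleId)` is dereferenced without a null check, as is `role` at `role.getRoleType()` in the second hunk. Unless both are validated outside these hunks, an unresolvable role id ends in a NullPointerException rather than a clear API error.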
@@ -1897,7 +1909,10 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
"in the domain '" + domainId + "'.");
}
+ Role role = roleService.findRole(roleId);
+ isValidRoleChange(account, role);
acctForUpdate.setRoleId(roleId);
+ acctForUpdate.setType(role.getRoleType().getAccountType());
checkRoleEscalation(getCurrentCallingAccount(), acctForUpdate);
}
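Review bot: `isValidRoleChange(account, role);` is called as a bare statement and its boolean result is discarded. The helper in the first hunk only ever returns `true` or throws, so its name and return type suggest a test that the caller never actually makes. Declaring it `private void validateRoleChange(Account account, Role role)` and calling `validateRoleChange(account, role);` would make the throw-on-failure contract explicit. The new `acctForUpdate.setType(...)` line also changes the account type as a side effect of a role update, which deserves a comment such as `// account type follows the new role's type; checkRoleEscalation below validates the result against the calling account`. The enclosing method starts and ends outside this hunk, so any earlier validation of `roleId` is not visible here.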