Posted to commits@cloudstack.apache.org by nv...@apache.org on 2022/04/06 03:51:02 UTC

[cloudstack] branch main updated: api: Update account type when updating account role (#6156)

This is an automated email from the ASF dual-hosted git repository.

nvazquez pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/main by this push:
     new 9cc8da2a30 api: Update account type when updating account role (#6156)
9cc8da2a30 is described below

commit 9cc8da2a30246bdf452d10d9b5396be186176f41
Author: Pearl Dsilva <pe...@gmail.com>
AuthorDate: Wed Apr 6 09:20:56 2022 +0530

    api: Update account type when updating account role (#6156)
    
    * api: Update account type when updating account role
    
    * extract code to validate role change
---
 .../src/main/java/com/cloud/user/AccountManagerImpl.java  | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
index 9f760e655e..031ba9e22c 100644
--- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -1181,6 +1181,18 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         return _userAccountDao.findById(userId);
     }
 
+    private boolean isValidRoleChange(Account account, Role role) {
+        Long currentAccRoleId = account.getRoleId();
+        Role currentRole = roleService.findRole(currentAccRoleId);
+
+        if (role.getRoleType().ordinal() < currentRole.getRoleType().ordinal() && ((account.getType() == Account.Type.NORMAL && role.getRoleType().getAccountType().ordinal() > Account.Type.NORMAL.ordinal()) ||
+                account.getType().ordinal() > Account.Type.NORMAL.ordinal() && role.getRoleType().getAccountType().ordinal() < account.getType().ordinal() && role.getRoleType().getAccountType().ordinal() > 0)) {
+            throw new PermissionDeniedException(String.format("Unable to update account role to %s as you are " +
+                    "attempting to escalate the account %s to account type %s which has higher privileges", role.getName(), account.getAccountName(), role.getRoleType().getAccountType().name()));
+        }
+        return true;
+    }
+
     /**
      * if there is any permission under the requested role that is not permitted for the caller, refuse
      */
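Review bot: `isValidRoleChange` dereferences `currentRole` and `role` without a null check, and the call added in the second hunk passes the result of `roleService.findRole(roleId)` straight in. If `findRole` can return null (an account with no role id, or an unknown `roleId`), this privilege-escalation gate would fail with a NullPointerException instead of a clear refusal. A guard at the top would make it fail closed explicitly: `if (role == null || currentRole == null) { throw new PermissionDeniedException("Unable to resolve the current or requested role"); }`. The decision also depends on the declaration order of the role-type and `Account.Type` enums through `ordinal()`, so reordering or inserting a constant would silently change who is allowed; a comment stating the assumed order, plus explicit parentheses around the `&&` chain after the `||`, would protect it. The method only ever returns `true` and the caller ignores the result, so a `void validateRoleChange` would describe it better.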
@@ -1897,7 +1909,10 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
                         "in the domain '" + domainId + "'.");
             }
 
+            Role role = roleService.findRole(roleId);
+            isValidRoleChange(account, role);
             acctForUpdate.setRoleId(roleId);
+            acctForUpdate.setType(role.getRoleType().getAccountType());
             checkRoleEscalation(getCurrentCallingAccount(), acctForUpdate);
         }