You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/02/14 01:50:21 UTC
git commit: updated refs/heads/rbac to 8072e50
Updated Branches:
refs/heads/rbac 5bfc75cac -> 8072e5084
Fixed a bug for listTemplates with TemplateFilter=shared.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/8072e508
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/8072e508
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/8072e508
Branch: refs/heads/rbac
Commit: 8072e50845a8eb33c08076f1f649faba8fa7d4d5
Parents: 5bfc75c
Author: Min Chen <mi...@citrix.com>
Authored: Thu Feb 13 16:47:41 2014 -0800
Committer: Min Chen <mi...@citrix.com>
Committed: Thu Feb 13 16:47:41 2014 -0800
----------------------------------------------------------------------
.../user/template/UpdateTemplatePermissionsCmd.java | 3 ++-
server/src/com/cloud/api/query/QueryManagerImpl.java | 7 +++++++
server/src/com/cloud/template/TemplateManagerImpl.java | 3 ++-
server/src/com/cloud/user/AccountManagerImpl.java | 11 +++--------
4 files changed, 14 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java b/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
index 96d1f55..6b5c835 100644
--- a/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
@@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.user.template;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.BaseUpdateTemplateOrIsoPermissionsCmd;
import org.apache.cloudstack.api.response.SuccessResponse;
@@ -27,7 +28,7 @@ import com.cloud.user.Account;
@APICommand(name = "updateTemplatePermissions", responseObject = SuccessResponse.class, description = "Updates a template visibility permissions. "
+ "A public template is visible to all accounts within the same domain. " + "A private template is visible only to the owner of the template. "
- + "A priviledged template is a private template with account permissions added. " + "Only accounts specified under the template permissions are visible to them.")
+ + "A priviledged template is a private template with account permissions added. " + "Only accounts specified under the template permissions are visible to them.", entityType = {AclEntityType.VirtualMachineTemplate})
public class UpdateTemplatePermissionsCmd extends BaseUpdateTemplateOrIsoPermissionsCmd {
@Override
protected String getResponseName() {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index e2055c7..e46e0f4 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -2902,6 +2902,13 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// exclude the caller, only include those granted and not owned by self
permittedDomains.remove(caller.getDomainId());
permittedAccounts.remove(caller.getAccountId());
+ for (Long tid : permittedResources) {
+ // remove it if it is owned by the caller
+ VMTemplateVO tmpl = _templateDao.findById(tid);
+ if (tmpl != null && tmpl.getAccountId() == caller.getAccountId()) {
+ permittedResources.remove(tid);
+ }
+ }
// building ACL search criteria
SearchCriteria<TemplateJoinVO> aclSc = _templateJoinDao.createSearchCriteria();
_accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/server/src/com/cloud/template/TemplateManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java
index dde18b9..b500ed5 100755
--- a/server/src/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/com/cloud/template/TemplateManagerImpl.java
@@ -1174,7 +1174,8 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
}
}
- _accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template);
+ //_accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); //TODO: should we replace all ModifyEntry as OperateEntry?
// If the template is removed throw an error.
if (template.getRemoved() != null) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 2771859..8509114 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -38,6 +38,9 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.log4j.Logger;
+
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.QuerySelector;
import org.apache.cloudstack.acl.RoleType;
@@ -57,8 +60,6 @@ import org.apache.cloudstack.framework.messagebus.MessageBus;
import org.apache.cloudstack.framework.messagebus.PublishScope;
import org.apache.cloudstack.managed.context.ManagedContextRunnable;
import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.log4j.Logger;
import com.cloud.api.ApiDBUtils;
import com.cloud.configuration.Config;
@@ -2228,12 +2229,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
checkAccess(caller, domain);
}
- if (id != null) {
- // look for an individual entity, no other permission criteria are needed
- permittedResources.add(id);
- return;
- }
-
if (accountName != null) {
if (projectId != null) {
throw new InvalidParameterValueException("Account and projectId can't be specified together");