Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/02/14 01:50:21 UTC

git commit: updated refs/heads/rbac to 8072e50

Updated Branches:
  refs/heads/rbac 5bfc75cac -> 8072e5084


Fixed a bug for listTemplates with TemplateFilter=shared.

Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/8072e508
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/8072e508
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/8072e508

Branch: refs/heads/rbac
Commit: 8072e50845a8eb33c08076f1f649faba8fa7d4d5
Parents: 5bfc75c
Author: Min Chen <mi...@citrix.com>
Authored: Thu Feb 13 16:47:41 2014 -0800
Committer: Min Chen <mi...@citrix.com>
Committed: Thu Feb 13 16:47:41 2014 -0800

----------------------------------------------------------------------
 .../user/template/UpdateTemplatePermissionsCmd.java      |  3 ++-
 server/src/com/cloud/api/query/QueryManagerImpl.java     |  7 +++++++
 server/src/com/cloud/template/TemplateManagerImpl.java   |  3 ++-
 server/src/com/cloud/user/AccountManagerImpl.java        | 11 +++--------
 4 files changed, 14 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java b/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
index 96d1f55..6b5c835 100644
--- a/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
@@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.user.template;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.acl.AclEntityType;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.BaseUpdateTemplateOrIsoPermissionsCmd;
 import org.apache.cloudstack.api.response.SuccessResponse;
@@ -27,7 +28,7 @@ import com.cloud.user.Account;
 
 @APICommand(name = "updateTemplatePermissions", responseObject = SuccessResponse.class, description = "Updates a template visibility permissions. "
     + "A public template is visible to all accounts within the same domain. " + "A private template is visible only to the owner of the template. "
-    + "A priviledged template is a private template with account permissions added. " + "Only accounts specified under the template permissions are visible to them.")
+        + "A priviledged template is a private template with account permissions added. " + "Only accounts specified under the template permissions are visible to them.", entityType = {AclEntityType.VirtualMachineTemplate})
 public class UpdateTemplatePermissionsCmd extends BaseUpdateTemplateOrIsoPermissionsCmd {
     @Override
     protected String getResponseName() {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index e2055c7..e46e0f4 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -2902,6 +2902,13 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                 // exclude the caller, only include those granted and not owned by self
                 permittedDomains.remove(caller.getDomainId());
                 permittedAccounts.remove(caller.getAccountId());
+                for (Long tid : permittedResources) {
+                    // remove it if it is owned by the caller
+                    VMTemplateVO tmpl = _templateDao.findById(tid);
+                    if (tmpl != null && tmpl.getAccountId() == caller.getAccountId()) {
+                        permittedResources.remove(tid);
+                    }
+                }
                 // building ACL search criteria
                 SearchCriteria<TemplateJoinVO> aclSc = _templateJoinDao.createSearchCriteria();
                 _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
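Review bot: The added loop calls `permittedResources.remove(tid)` while a for-each over the same collection is still running, which for the standard java.util collections throws ConcurrentModificationException on the next step, or silently skips an element when the removal hits the second-to-last entry. The declaration of permittedResources is outside the hunk, so this assumes it is an ordinary `List<Long>`. If so, iterate explicitly with `for (Iterator<Long> it = permittedResources.iterator(); it.hasNext();) {`, look the template up with `_templateDao.findById(it.next())`, and drop the entry with `it.remove();`. Because this list feeds the ACL search criteria built just below, a failure here turns a shared-template listing into an error instead of a filtered result. It is also worth checking that `getAccountId()` returns a primitive `long` on both sides, since `==` on boxed `Long` values compares identity.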

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/server/src/com/cloud/template/TemplateManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java
index dde18b9..b500ed5 100755
--- a/server/src/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/com/cloud/template/TemplateManagerImpl.java
@@ -1174,7 +1174,8 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
             }
         }
 
-        _accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template);
+        //_accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); //TODO: should we replace all ModifyEntry as OperateEntry?
 
         // If the template is removed throw an error.
         if (template.getRemoved() != null) {
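Review bot: The access check on this path now passes `AccessType.OperateEntry` instead of `ModifyEntry`, but the only rationale is a TODO phrased as a question and the old call left commented out, so a reader cannot tell whether the authorization level was changed on purpose. Replace both fragments with one statement of intent above the call, for example `// OperateEntry: <reason this operation does not require ModifyEntry>`, and delete the commented-out `checkAccess` line. The relative strength of the two access types is not visible in this hunk; if OperateEntry is the weaker one, confirm that callers holding only operate rights are meant to reach whatever this method goes on to change. The enclosing method starts and ends outside the hunk.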

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 2771859..8509114 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -38,6 +38,9 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.apache.commons.codec.binary.Base64;
+import org.apache.log4j.Logger;
+
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.QuerySelector;
 import org.apache.cloudstack.acl.RoleType;
@@ -57,8 +60,6 @@ import org.apache.cloudstack.framework.messagebus.MessageBus;
 import org.apache.cloudstack.framework.messagebus.PublishScope;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.log4j.Logger;
 
 import com.cloud.api.ApiDBUtils;
 import com.cloud.configuration.Config;
@@ -2228,12 +2229,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             checkAccess(caller, domain);
         }
 
-        if (id != null) {
-            // look for an individual entity, no other permission criteria are needed
-            permittedResources.add(id);
-            return;
-        }
-
         if (accountName != null) {
             if (projectId != null) {
                 throw new InvalidParameterValueException("Account and projectId can't be specified together");