Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2022/03/12 03:21:57 UTC

[GitHub] [cloudstack] nvazquez commented on a change in pull request #4774: Added configuration and Integration test to restrict public template …

nvazquez commented on a change in pull request #4774:
URL: https://github.com/apache/cloudstack/pull/4774#discussion_r825238349



##########
File path: server/src/main/java/com/cloud/acl/DomainChecker.java
##########
@@ -167,6 +168,16 @@ public boolean checkAccess(Account caller, ControlledEntity entity, AccessType a
                             throw new PermissionDeniedException("Domain Admin and regular users can modify only their own Public templates");
                         }
                     }
+                } else if (QueryService.SharePublicTemplatesWithOtherDomains.valueIn(owner.getDomainId()) && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { // public template can be used by other accounts in the same domain or in sub-domains, and domain admin of parent domains
+                    if (caller.getDomainId() != owner.getDomainId() && !_domainDao.isChildDomain(owner.getDomainId(), caller.getDomainId())) {
+                        if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL || caller.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+                            throw new PermissionDeniedException(caller + "is not allowed to access the template " + template);
+                        } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
+                            if (!_domainDao.isChildDomain(caller.getDomainId(), owner.getDomainId())) {
+                                throw new PermissionDeniedException(caller + "is not allowed to access the template " + template);
+                            }
+                        }
+                    }
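
Review bot: the inner if / else-if on caller.getType() fails open. A caller outside the owner's domain and its sub-domains, whose type is none of ACCOUNT_TYPE_NORMAL, ACCOUNT_TYPE_PROJECT, ACCOUNT_TYPE_DOMAIN_ADMIN or ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN, falls through both branches without an exception. The outer condition only excludes ACCOUNT_TYPE_ADMIN, so any other account type is allowed by omission. Suggest making denial the default: throw PermissionDeniedException for every caller that reaches this point, unless it is a domain admin for which _domainDao.isChildDomain(caller.getDomainId(), owner.getDomainId()) holds. Two smaller points in the same lines: both messages are built as caller + "is not allowed to access the template " with no space before "is", and the identical throw appears twice, so a small private helper would remove the duplication and flatten the nesting. The long trailing comment on the else-if line would read better as a comment above the branch.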

Review comment:
       +1 to this suggestion



