Fixed security problem in listAccounts call (regular user could see other accounts' info when domainId was passed in to listAccounts call)
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/51041e4f Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/51041e4f Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/51041e4f Branch: refs/heads/junit-tests Commit: 51041e4f77d857cc0211ab9bac57cf071d30c266 Parents: 5c4cf11 Author: Alena Prokharchyk <[email protected]> Authored: Tue Sep 25 10:38:04 2012 -0700 Committer: Alena Prokharchyk <[email protected]> Committed: Tue Sep 25 10:44:22 2012 -0700 ---------------------------------------------------------------------- server/src/com/cloud/user/AccountManagerImpl.java | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/51041e4f/server/src/com/cloud/user/AccountManagerImpl.java ----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index fa9fafb..a79251b 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2007,7 +2007,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
 if (domainId == null) {
 domainId = caller.getDomainId();
 }
- } else if (domainId != null) {
+ } else if (isAdmin(caller.getType()) && domainId != null) {
 listForDomain = true;
 } else {
 accountId = caller.getAccountId();
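Review bot: The new `isAdmin(caller.getType()) && domainId != null` branch sets `listForDomain = true` for every admin type, and nothing in this hunk ties the supplied `domainId` to the caller's own domain subtree. If `isAdmin` also covers domain-level admins, that scoping has to come from a check outside the hunk (the enclosing method starts and ends outside it), so confirm one runs before this branch is reached. A regular user who passes `domainId` now falls silently into the final `else` and gets only their own account, which closes the leak but hides the ignored parameter from the caller and from logs; a comment such as `// non-admin callers: domainId is ignored, results are limited to the caller's own account` would make that intent explicit. The commit changes only AccountManagerImpl.java, so a test asserting that a non-admin caller supplying another domain's id receives only its own account would keep this authorization rule from regressing.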
