rhtyd commented on a change in pull request #4717:
URL: https://github.com/apache/cloudstack/pull/4717#discussion_r581718683
##########
File path: server/src/main/java/com/cloud/usage/UsageServiceImpl.java
##########
@@ -216,6 +216,31 @@ public boolean
generateUsageRecords(GenerateUsageRecordsCmd cmd) {
s_logger.debug("Account details not available. Using userContext
accountId: " + accountId);
}
+ // Check if a domain admin is allowed to access the requested account
info.
+ if (_accountService.isDomainAdmin(caller.getId()) && accountId !=
null){
+ long accountDomainId =
_accountDao.getDomainIdForGivenAccountId(accountId);
+ long callerDomainId = caller.getDomainId();
+ boolean matchFound = false;
+
+ if (callerDomainId == accountDomainId) {
+ matchFound = true;
+ } else {
+ // Check if the account is in a child domain of this domain
admin.
+ List<DomainVO> childDomains =
_domainDao.findAllChildren(_domainDao.findById(caller.getDomainId()).getPath(),
caller.getDomainId());
+
+ for (DomainVO domainVO: childDomains) {
+ if (accountDomainId == domainVO.getId()) {
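Review bot: In the else branch, `_domainDao.findById(caller.getDomainId()).getPath()` dereferences the lookup result without a null check, so a caller whose domain cannot be loaded would fail with a NullPointerException rather than a clear permission error. Fetch the domain once, fail closed if it is null, and reuse the `callerDomainId` local declared above instead of calling `caller.getDomainId()` two more times. The check is also gated on `isDomainAdmin(caller.getId()) && accountId != null`, so nothing in the visible lines constrains other non-root caller types; confirm that those are restricted elsewhere in `generateUsageRecords`. Loading every child domain into a list and scanning it with a `matchFound` flag only to test membership is also heavier than needed, and a single ancestry check would read more clearly.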
Review comment:
Why not use the existing `_accountMgr.buildACLSearchParameters`?
And should this be done for all caller types, as: (this is just a suggestion,
I've not investigated this)
```
Root admin - allow recursive usage records for all domains
Domain admin - only allow recursive usage records for its own domain
User - don't allow recursive domain ID (it should be only allowed to see
their own usage records)
```