Spaceman1984 commented on a change in pull request #4717:
URL: https://github.com/apache/cloudstack/pull/4717#discussion_r581744653
##########
File path: server/src/main/java/com/cloud/usage/UsageServiceImpl.java
##########
@@ -216,6 +216,31 @@ public boolean
generateUsageRecords(GenerateUsageRecordsCmd cmd) {
s_logger.debug("Account details not available. Using userContext
accountId: " + accountId);
}
+ // Check if a domain admin is allowed to access the requested account
info.
+ if (_accountService.isDomainAdmin(caller.getId()) && accountId !=
null){
+ long accountDomainId =
_accountDao.getDomainIdForGivenAccountId(accountId);
+ long callerDomainId = caller.getDomainId();
+ boolean matchFound = false;
+
+ if (callerDomainId == accountDomainId) {
+ matchFound = true;
+ } else {
+ // Check if the account is in a child domain of this domain
admin.
+ List<DomainVO> childDomains =
_domainDao.findAllChildren(_domainDao.findById(caller.getDomainId()).getPath(),
caller.getDomainId());
+
+ for (DomainVO domainVO: childDomains) {
+ if (accountDomainId == domainVO.getId()) {
Review comment:
The _accountMgr.buildACLSearchParameter method needs a seaarchBuilder
and not searchCriteria. I believe you intended it for fetching usage records,
but I'm I am simply doing authorization here.
If a Root admin does the call with a domain id, that is handled on line 276.
If a domain admin does the call, authorization will happen first. Users cannot
call this API.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
