rhtyd commented on a change in pull request #4717:
URL: https://github.com/apache/cloudstack/pull/4717#discussion_r586328615



##########
File path: server/src/main/java/com/cloud/usage/UsageServiceImpl.java
##########
@@ -210,12 +212,62 @@ public boolean 
generateUsageRecords(GenerateUsageRecordsCmd cmd) {
             //If account_id or account_name is explicitly mentioned, list 
records for the specified account only even if the caller is of type admin
             if (_accountService.isRootAdmin(caller.getId())) {
                 isAdmin = true;
-            } else if (_accountService.isDomainAdmin(caller.getId())) {
-                isDomainAdmin = true;
             }
             s_logger.debug("Account details not available. Using userContext 
accountId: " + accountId);
         }
 
+        // Check if a domain admin is allowed to access the requested domain id
+        if (isDomainAdmin) {
+            if (domainId != null) {
+                Account callerAccount = 
_accountService.getAccount(caller.getId());
+                Domain domain = _domainDao.findById(domainId);
+                _accountService.checkAccess(callerAccount, domain);
+            } else {
+                // Domain admins can only access their own domain's usage 
records.
+                // Set the domain if not specified.
+                domainId = caller.getDomainId();
+            }
+
+            // Check if a domain admin is allowed to access the requested 
account info.
+            Account account = _accountService.getAccount(accountId);
+            boolean matchFound = false;
+
+            if (account.getDomainId() == domainId) {
+                matchFound = true;
+            } else {
+
+                // Check if the account is in a child domain of this domain 
admin.
+                List<DomainVO> childDomains = 
_domainDao.findAllChildren(_domainDao.findById(domainId).getPath(), domainId);
+
+                for (DomainVO domainVO : childDomains) {
+                    if (account.getDomainId() == domainVO.getId()) {
+                        matchFound = true;
+                        break;
+                    }
+                }
+            }
+            if (!matchFound) {
+                    throw new PermissionDeniedException("Domain admins may 
only retrieve usage records for accounts in their own domain and child 
domains.");
+            }
+        }
+
+        // By default users do not have access to this API.
+        // Adding checks here in case someone changes the default access.
+        if (isNormalUser) {
+            // A user can only access their own account records
+            if (caller.getId() != accountId) {
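
Review bot: In the domain-admin block, the results of `_accountService.getAccount(accountId)` and `_domainDao.findById(domainId)` are dereferenced immediately (`account.getDomainId()` and `.getPath()`) with no null check, so if either lookup returns null for an id that does not resolve, the request fails with a NullPointerException instead of a clean denial. Suggest checking both lookups and throwing an explicit error before the comparison; the `PermissionDeniedException` already used here would do. Two smaller points: the visible lines remove the `isDomainAdmin = true` assignment while the new block is gated on `if (isDomainAdmin)`, so it is worth confirming the flag is set before this point on every path; and the `throw` inside `if (!matchFound)` is indented one level deeper than the rest of the block.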

Review comment:
       caller.getAccountId() (in case getAccountId is not same as getId)



