sureshanaparti commented on a change in pull request #4717:
URL: https://github.com/apache/cloudstack/pull/4717#discussion_r597546783
##########
File path: server/src/main/java/com/cloud/usage/UsageServiceImpl.java
##########
@@ -200,22 +201,41 @@ public boolean
generateUsageRecords(GenerateUsageRecordsCmd cmd) {
}
}
- boolean isAdmin = false;
- boolean isDomainAdmin = false;
+ boolean ignoreAccountId = false;
+ boolean isDomainAdmin = _accountService.isDomainAdmin(caller.getId());
+ boolean isNormalUser = _accountService.isNormalUser(caller.getId());
//If accountId couldn't be found using accountName and domainId, get
it from userContext
if (accountId == null) {
accountId = caller.getId();
//List records for all the accounts if the caller account is of
type admin.
//If account_id or account_name is explicitly mentioned, list
records for the specified account only even if the caller is of type admin
- if (_accountService.isRootAdmin(caller.getId())) {
- isAdmin = true;
- } else if (_accountService.isDomainAdmin(caller.getId())) {
- isDomainAdmin = true;
- }
+ ignoreAccountId = _accountService.isRootAdmin(caller.getId());
s_logger.debug("Account details not available. Using userContext
accountId: " + accountId);
}
+ // Check if a domain admin is allowed to access the requested domain id
+ if (isDomainAdmin) {
+ if (domainId != null) {
+ Account callerAccount =
_accountService.getAccount(caller.getId());
+ Domain domain = _domainDao.findById(domainId);
+ _accountService.checkAccess(callerAccount, domain);
+ } else {
+ // Domain admins can only access their own domain's usage
records.
+ // Set the domain if not specified.
+ domainId = caller.getDomainId();
+ }
+
+ if (cmd.getAccountId() != null) {
+ // Check if a domain admin is allowed to access the requested
account info.
+ checkDomainAdminAccountAccess(accountId, domainId);
+ }
+ }
+
+ // By default users do not have access to this API.
+ // Adding checks here in case someone changes the default access.
+ checkUserAccess(cmd, accountId, caller, isNormalUser);
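Review bot: In the `domainId != null` branch the result of `_domainDao.findById(domainId)` is passed straight to `_accountService.checkAccess(callerAccount, domain)` with no null check, so a domain admin supplying an id that matches no domain depends on whatever `checkAccess` does with a null domain, which is not visible here. An explicit guard before the call, `if (domain == null) { /* reject the request as an invalid domain id */ }`, would make the authorization path fail closed with a clear error rather than a possible NullPointerException. Separately, `checkDomainAdminAccountAccess(accountId, domainId)` runs only when `cmd.getAccountId() != null`, while the comment above says `accountId` can also be resolved from accountName and domainId. If that resolution (outside this hunk) does not already confine the account to the checked domain, the guard should key on the resolved account rather than on the command's account id alone. The enclosing method starts before and continues after the quoted hunk.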
Review comment:
@Spaceman1984 is this method call required for a domain admin?