This is an automated email from the ASF dual-hosted git repository.
sureshanaparti pushed a commit to branch 4.16
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.16 by this push:
new 51f69f7 server: do not return inaccessible entity details to normal
users (#5827)
51f69f7 is described below
commit 51f69f7134ba5f8c52714251258dde5700aa411c
Author: Abhishek Kumar <[email protected]>
AuthorDate: Thu Jan 6 16:42:57 2022 +0530
server: do not return inaccessible entity details to normal users (#5827)
Fixes #5534
As pre 3.x APIs allow using internal DB IDs, even normal users can use
internal IDs.
This fix removes additional information in error message when the caller
doesn't have access to the resource.
Signed-off-by: Abhishek Kumar <[email protected]>
---
server/src/main/java/com/cloud/acl/DomainChecker.java | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/server/src/main/java/com/cloud/acl/DomainChecker.java
b/server/src/main/java/com/cloud/acl/DomainChecker.java
index aba0d45..355d34f 100644
--- a/server/src/main/java/com/cloud/acl/DomainChecker.java
+++ b/server/src/main/java/com/cloud/acl/DomainChecker.java
@@ -178,19 +178,20 @@ public class DomainChecker extends AdapterBase implements
SecurityChecker {
} else {
if (_accountService.isNormalUser(caller.getId())) {
Account account = _accountDao.findById(entity.getAccountId());
+ String errorMessage = String.format("%s does not have
permission to operate with resource", caller);
if (account != null && account.getType() ==
Account.ACCOUNT_TYPE_PROJECT) {
//only project owner can delete/modify the project
if (accessType != null && accessType ==
AccessType.ModifyProject) {
if (!_projectMgr.canModifyProjectAccount(caller,
account.getId())) {
- throw new PermissionDeniedException(caller + "
does not have permission to operate with resource " + entity);
+ throw new PermissionDeniedException(errorMessage);
}
} else if (!_projectMgr.canAccessProjectAccount(caller,
account.getId())) {
- throw new PermissionDeniedException(caller + " does
not have permission to operate with resource " + entity);
+ throw new PermissionDeniedException(errorMessage);
}
checkOperationPermitted(caller, entity);
} else {
if (caller.getId() != entity.getAccountId()) {
- throw new PermissionDeniedException(caller + " does
not have permission to operate with resource " + entity);
+ throw new PermissionDeniedException(errorMessage);
}
}
}
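Review bot: The three rewritten `throw new PermissionDeniedException(errorMessage)` sites drop `entity` from the exception text, but nothing in the hunk records it anywhere else, so an operator investigating a denied call (for example a normal user probing internal IDs) can no longer tell which resource was targeted. Consider logging the entity server-side just before each throw, through whatever logger this class already has (none is visible in the hunk), while keeping the API-facing message generic. The reason belongs next to the new variable so the detail is not re-added later, e.g. `// Keep entity details out of the message: pre-3.x APIs accept internal DB IDs, so normal users could otherwise read details of resources they cannot access (#5534)`. `errorMessage` is also formatted for every normal-user check, including the ones that pass; building it only on the deny paths would avoid that work. The enclosing method starts and ends outside the hunk, so any other branches that still append `entity` to a message could not be checked here.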