DaanHoogland commented on a change in pull request #5879:
URL: https://github.com/apache/cloudstack/pull/5879#discussion_r792431321



##########
File path: server/src/main/java/com/cloud/user/AccountManagerImpl.java
##########
@@ -1110,6 +1183,39 @@ public UserAccount createUserAccount(final String 
userName, final String passwor
         return _userAccountDao.findById(userId);
     }
 
+    /**
+     * if there is any permission under the requested role that is not 
permitted for the caller, refuse
+     */
+    private void checkRoleEscalation(Account caller, Account requested) {
+        Long requestedRoleId = requested.getRoleId();
+        List<RolePermission> requestedPermissions = 
roleService.findAllPermissionsBy(requestedRoleId);
+        for (String command : apiNameList) {
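Review bot: in checkRoleEscalation, requestedRoleId is a boxed Long taken from requested.getRoleId() and is passed straight to roleService.findAllPermissionsBy(requestedRoleId) with no null check. Decide explicitly what a missing role id means and refuse the request before the lookup, rather than depending on how the service treats null. The Javadoc should also state how the method refuses, that is, which exception a caller can expect, since the return type is void.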

Review comment:
That would not be taking into account dynamic roles. We want the caller 
not to be able to create an account with a role that has any permission that 
they don't have themselves, independent of the RoleType.




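The check the review comment asks for, as an added example that is not code from the pull request or from CloudStack: both roles are evaluated against every API name, so the result depends only on effective permissions and not on the role type. `Rule`, `allows` and `escalations` are hypothetical names, and "first matching rule wins, no match means deny" is an assumed evaluation order.

```java
import java.util.List;

// Added illustration; Rule, allows() and escalations() are hypothetical, not CloudStack classes.
public class RoleEscalationCheck {
    // One role rule: an API-name pattern ('*' matches any run of characters) and its effect.
    record Rule(String pattern, boolean allow) {
        boolean matches(String command) {
            // Quote the literal parts so that only '*' acts as a wildcard.
            String regex = ("\\Q" + pattern + "\\E").replace("*", "\\E.*\\Q");
            return command.matches(regex);
        }
    }

    // Assumed evaluation order: the first matching rule decides, no match means deny.
    static boolean allows(List<Rule> role, String command) {
        for (Rule r : role) {
            if (r.matches(command)) {
                return r.allow();
            }
        }
        return false;
    }

    // Commands the requested role allows but the caller's own role does not.
    // A non-empty result means the account creation must be refused.
    static List<String> escalations(List<Rule> caller, List<Rule> requested, List<String> apiNames) {
        return apiNames.stream()
                .filter(c -> allows(requested, c) && !allows(caller, c))
                .toList();
    }

    public static void main(String[] args) {
        // Constructed sample data: API names and three rule sets.
        List<String> apiNames = List.of(
                "listVirtualMachines", "deployVirtualMachine", "createAccount", "deleteAccount");
        List<Rule> caller = List.of(
                new Rule("deleteAccount", false), new Rule("*Account", true), new Rule("list*", true));
        List<Rule> narrower = List.of(new Rule("list*", true), new Rule("createAccount", true));
        List<Rule> wider = List.of(new Rule("*", true));

        System.out.println("narrower role: " + escalations(caller, narrower, apiNames));
        System.out.println("wider role:    " + escalations(caller, wider, apiNames));
    }
}
```

The deny rule for `deleteAccount` sits ahead of the `*Account` allow rule in the caller's list, so a requested role that allows everything is flagged for that command as well as for `deployVirtualMachine`.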