soreana commented on a change in pull request #4774:
URL: https://github.com/apache/cloudstack/pull/4774#discussion_r826121575



##########
File path: server/src/main/java/com/cloud/acl/DomainChecker.java
##########
@@ -167,6 +168,16 @@ public boolean checkAccess(Account caller, 
ControlledEntity entity, AccessType a
                             throw new PermissionDeniedException("Domain Admin 
and regular users can modify only their own Public templates");
                         }
                     }
+                } else if 
(QueryService.SharePublicTemplatesWithOtherDomains.valueIn(owner.getDomainId()) 
&& caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { // public template can be 
used by other accounts in the same domain or in sub-domains, and domain admin 
of parent domains
+                    if (caller.getDomainId() != owner.getDomainId() && 
!_domainDao.isChildDomain(owner.getDomainId(), caller.getDomainId())) {
+                        if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL || 
caller.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+                            throw new PermissionDeniedException(caller + "is 
not allowed to access the template " + template);
+                        } else if (caller.getType() == 
Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == 
Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
+                            if 
(!_domainDao.isChildDomain(caller.getDomainId(), owner.getDomainId())) {
+                                throw new PermissionDeniedException(caller + 
"is not allowed to access the template " + template);
+                            }
+                        }
+                    }
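Review bot: The new `else if` runs the cross-domain denial logic when `QueryService.SharePublicTemplatesWithOtherDomains.valueIn(owner.getDomainId())` is true, which reads as inverted given the setting's name: restricting access to the owner's domain hierarchy would be expected when sharing with other domains is switched off, so please confirm whether this should be `!QueryService.SharePublicTemplatesWithOtherDomains.valueIn(...)`. Inside the block, only the NORMAL, PROJECT, DOMAIN_ADMIN and RESOURCE_DOMAIN_ADMIN account types are handled, so any other non-root-admin type from an unrelated domain falls through both branches without a denial; ending the chain with a default that throws `PermissionDeniedException` would make the check fail closed. Both exception messages are also missing a space (`caller + "is not allowed ..."` should be `caller + " is not allowed ..."`). The long trailing comment on the `else if` line would read better on its own line above the condition.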

Review comment:
       Updated the code.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

