[GitHub] [cloudstack] DaanHoogland commented on a diff in pull request #6412: Improve login time

Thu, 02 Jun 2022 22:43:10 -0700 


DaanHoogland commented on code in PR #6412:
URL: https://github.com/apache/cloudstack/pull/6412#discussion_r888627582


##########
plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java:
##########
@@ -60,59 +60,95 @@ private void denyApiAccess(final String commandName) throws 
PermissionDeniedExce
 
     @Override
     public boolean isEnabled() {
+        if (!roleService.isEnabled()) {
+            LOGGER.debug("RoleService is disabled. We will not use 
ProjectRoleBasedApiAccessChecker.");
+        }
         return roleService.isEnabled();
     }
 
-    public boolean isDisabled() {
-        return !isEnabled();
+    @Override
+    public List<String> getApisAllowedToUser(Role role, User user, 
List<String> apiNames) throws PermissionDeniedException {
+        if (!isEnabled()) {
+            return apiNames;
+        }
+
+        Project project = CallContext.current().getProject();
+        if (project == null) {
+            LOGGER.warn(String.format("Project is null, 
ProjectRoleBasedApiAccessChecker only applies to projects, returning APIs [%s] 
for user [%s] as allowed.", apiNames, user));
+            return apiNames;
+        }
+
+        long accountID = user.getAccountId();
+        ProjectAccount projectUser = 
projectAccountDao.findByProjectIdUserId(project.getId(), accountID, 
user.getId());
+        if (projectUser != null) {
+            if (projectUser.getAccountRole() != ProjectAccount.Role.Admin) {
+                apiNames.removeIf(apiName -> !isPermitted(project, 
projectUser, apiName));
+            }
+            LOGGER.trace(String.format("Returning APIs [%s] as allowed for 
user [%s].", apiNames, user));
+            return apiNames;
+        }
+
+        ProjectAccount projectAccount = 
projectAccountDao.findByProjectIdAccountId(project.getId(), accountID);
+        if (projectAccount == null) {
+            throw new PermissionDeniedException(String.format("The user [%s] 
does not belong to the project [%s].", user, project));
+        }
+
+        if (projectAccount.getAccountRole() != ProjectAccount.Role.Admin) {
+            apiNames.removeIf(apiName -> !isPermitted(project, projectAccount, 
apiName));
+        }
+        LOGGER.trace(String.format("Returning APIs [%s] as allowed for user 
[%s].", apiNames, user));

Review Comment:
   same answer ;)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to