[GitHub] [cloudstack] GutoVeronezi commented on a diff in pull request #6412: Improve login time

Tue, 21 Jun 2022 12:17:35 -0700 


GutoVeronezi commented on code in PR #6412:
URL: https://github.com/apache/cloudstack/pull/6412#discussion_r902978878


##########
plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java:
##########
@@ -57,22 +58,55 @@ protected DynamicRoleBasedAPIAccessChecker() {
         }
     }
 
-    private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
-        throw new PermissionDeniedException("The API " + commandName + " is 
denied for the account's role.");
+    @Override
+    public List<String> getApisAllowedToUser(Role role, User user, 
List<String> apiNames) throws PermissionDeniedException {
+        if (!isEnabled()) {
+            return apiNames;
+        }
+
+        List<RolePermission> allPermissions = 
roleService.findAllPermissionsBy(role.getId());
+        List<String> allowedApis = new ArrayList<>();
+        for (String api : apiNames) {
+            if (checkApiPermissionByRole(role, api, allPermissions)) {
+                allowedApis.add(api);
+            }
+        }
+        return allowedApis;
     }
 
-    public boolean isDisabled() {
-        return !roleService.isEnabled();
+    /**
+     * Checks if the given Role of an Account has the allowed permission for 
the given API.
+     *
+     * @param role to be used on the verification
+     * @param apiName to be verified
+     * @param allPermissions list of role permissions for the given role
+     * @return if the role has the permission for the API
+     */
+    public boolean checkApiPermissionByRole(Role role, String apiName, 
List<RolePermission> allPermissions) {
+        for (final RolePermission permission : allPermissions) {
+            if (permission.getRule().matches(apiName)) {
+                if (Permission.ALLOW.equals(permission.getPermission())) {
+                    if (LOGGER.isTraceEnabled()) {
+                        LOGGER.trace(String.format("The API [%s] is allowed 
for the role %s by the permission [%s].", apiName, role, 
permission.getRule().toString()));
+                    }
+                    return true;
+                }
+                return false;

Review Comment:
   We could invert this `if` to reduce indentation.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to