DaanHoogland commented on code in PR #7153: URL: https://github.com/apache/cloudstack/pull/7153#discussion_r1180042689
########## server/src/main/java/com/cloud/api/ApiResponseHelper.java: ########## @@ -2534,7 +2534,12 @@ public NetworkResponse createNetworkResponse(ResponseView view, Network network) if (network.getVpcId() != null) { Vpc vpc = ApiDBUtils.findVpcById(network.getVpcId()); if (vpc != null) { - response.setVpcId(vpc.getUuid()); + try { + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, vpc); + response.setVpcId(vpc.getUuid()); + } catch (PermissionDeniedException e){ + s_logger.debug("Not setting the vpcId to the response because the caller does not have access to the VPC"); + } Review Comment: Can you extract this as a separate method? ########## server/src/main/java/com/cloud/network/IpAddressManagerImpl.java: ########## @@ -1476,7 +1476,8 @@ public IPAddressVO associateIPToGuestNetwork(long ipId, long networkId, boolean // - if shared network in Advanced zone // - and it belongs to the system if (network.getAccountId() != owner.getId()) { - if (zone.getNetworkType() != NetworkType.Basic && !(zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() == Network.GuestType.Shared)) { + if (zone.getNetworkType() != NetworkType.Basic && + !(zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() == Network.GuestType.Shared || network.getVpcId().equals(ipToAssoc.getVpcId()))) { Review Comment: So if `network.getVpcId().equals(ipToAssoc.getVpcId())` we should throw an exception! Can you explain? ########## server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java: ########## @@ -1764,9 +1764,14 @@ public void doInTransactionWithoutResult(final TransactionStatus status) { } } - // 4) vpc and network should belong to the same owner - if (vpc.getAccountId() != networkOwner.getId()) { - throw new InvalidParameterValueException("Vpc " + vpc + " owner is different from the network owner " + networkOwner); + // 4) Vpc's account should be able to access network owner's account + Account vpcaccount = _accountMgr.getAccount(vpc.getAccountId()); + try { + _accountMgr.checkAccess(vpcaccount, null, false, networkOwner); + } + catch (PermissionDeniedException e) { + s_logger.error(e.getMessage()); + throw new InvalidParameterValueException(String.format("VPC owner does not have access to account [%s].", networkOwner.getAccountName())); Review Comment: can you extract this as a method? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@cloudstack.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org