harikrishna-patnala commented on code in PR #7870:
URL: https://github.com/apache/cloudstack/pull/7870#discussion_r1295592071
##########
server/src/main/java/com/cloud/user/AccountManagerImpl.java:
##########
@@ -3349,16 +3349,13 @@ protected UserTwoFactorAuthenticationSetupResponse
disableTwoFactorAuthenticatio
return response;
}
- private UserVO validateUser(Long userId, Long domainId) {
+ private UserVO validateUser(Long userId) {
UserVO user = null;
if (userId != null) {
user = _userDao.findById(userId);
if (user == null) {
throw new InvalidParameterValueException("Invalid user ID
provided");
}
- if (_accountDao.findById(user.getAccountId()).getDomainId() !=
domainId) {
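Review bot: the removed `if (_accountDao.findById(user.getAccountId()).getDomainId() != domainId)` line was the only scoping between the caller's domain and the target user's domain, and dropping the `domainId` parameter from `validateUser` removes it from every caller; rather than deleting it, replace it with a hierarchical check that the user's domain is equal to, or a descendant of, the caller's domain (or route through the existing account access check), so that an admin of one domain cannot disable 2FA for users of an unrelated domain. The removed line also compared two boxed `Long` values with `!=`, which is a reference comparison and not a reliable equality test; whatever replaces it should use `equals` or unbox to `long`.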
Review Comment:
@winterhazel I agree with you that this is an issue. But instead of
completely taking out the domain check, we need to check if the user domain is
part of the caller domain? Otherwise, any root admin under any domain could
disable 2FA of any user. What do you say?
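The hierarchical domain check the comment asks for, as an added example that is not part of the PR or of CloudStack's own code. It models the domain tree in memory so it runs stand-alone; the class and method names (`DomainScope`, `isWithin`, `mayDisableTwoFactorAuth`) and the sample domain ids are hypothetical, and a real implementation would resolve the tree through CloudStack's domain and account DAOs.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not CloudStack code): an in-memory domain tree plus a
 * hierarchical scope check. Names here are hypothetical; CloudStack would
 * look the domains up through its DAOs instead of this map.
 */
public class DomainScope {
    // child domain id -> parent domain id; the root has no parent (constructed sample data)
    private final Map<Long, Long> parentOf = new HashMap<>();

    public void addDomain(long id, Long parentId) {
        parentOf.put(id, parentId);
    }

    /** True when candidate is the scope domain itself or one of its descendants. */
    public boolean isWithin(long scopeDomainId, long candidateDomainId) {
        if (!parentOf.containsKey(candidateDomainId)) {
            return false; // unknown domain is never in scope
        }
        Long current = candidateDomainId;
        while (current != null) {
            if (current.longValue() == scopeDomainId) {
                return true;
            }
            current = parentOf.get(current); // walk up towards the root
        }
        return false;
    }

    /**
     * Scoped authorization for the 2FA-disable operation: the caller may act on
     * the target user only if the target's domain lies within the caller's domain.
     * A plain equality check would wrongly deny a parent-domain admin; no check at
     * all (as in the hunk above) would let any admin act on any user.
     */
    public boolean mayDisableTwoFactorAuth(long callerDomainId, long targetUserDomainId) {
        return isWithin(callerDomainId, targetUserDomainId);
    }

    public static void main(String[] args) {
        DomainScope scope = new DomainScope();
        // Constructed tree: ROOT(1) -> A(2) -> A1(4); ROOT(1) -> B(3)
        scope.addDomain(1L, null);
        scope.addDomain(2L, 1L);
        scope.addDomain(3L, 1L);
        scope.addDomain(4L, 2L);

        // Admin of ROOT acting on a user in A1: in scope (descendant, not just same domain)
        System.out.println("ROOT admin -> user in A1: " + scope.mayDisableTwoFactorAuth(1L, 4L));
        // Admin of A acting on a user in A1: in scope
        System.out.println("A admin    -> user in A1: " + scope.mayDisableTwoFactorAuth(2L, 4L));
        // Admin of A acting on a user in sibling domain B: out of scope
        System.out.println("A admin    -> user in B:  " + scope.mayDisableTwoFactorAuth(2L, 3L));
        // Admin of A1 acting on a user in its parent domain A: out of scope
        System.out.println("A1 admin   -> user in A:  " + scope.mayDisableTwoFactorAuth(4L, 2L));
    }
}
```

The walk terminates because every domain except the root has exactly one parent and the root maps to `null`; an id that is not in the tree at all is rejected up front rather than treated as in scope.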
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]