Updated Branches: refs/heads/rbac 5bfc75cac -> 8072e5084
Fixed a bug for listTemplates with TemplateFilter=shared. Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/8072e508 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/8072e508 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/8072e508 Branch: refs/heads/rbac Commit: 8072e50845a8eb33c08076f1f649faba8fa7d4d5 Parents: 5bfc75c Author: Min Chen <[email protected]> Authored: Thu Feb 13 16:47:41 2014 -0800 Committer: Min Chen <[email protected]> Committed: Thu Feb 13 16:47:41 2014 -0800 ---------------------------------------------------------------------- .../user/template/UpdateTemplatePermissionsCmd.java | 3 ++- server/src/com/cloud/api/query/QueryManagerImpl.java | 7 +++++++ server/src/com/cloud/template/TemplateManagerImpl.java | 3 ++- server/src/com/cloud/user/AccountManagerImpl.java | 11 +++-------- 4 files changed, 14 insertions(+), 10 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java b/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
index 96d1f55..6b5c835 100644
--- a/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/template/UpdateTemplatePermissionsCmd.java
@@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.user.template; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.AclEntityType; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.BaseUpdateTemplateOrIsoPermissionsCmd; import org.apache.cloudstack.api.response.SuccessResponse; @@ -27,7 +28,7 @@ import com.cloud.user.Account; @APICommand(name = "updateTemplatePermissions", responseObject = SuccessResponse.class, description = "Updates a template visibility permissions. " + "A public template is visible to all accounts within the same domain. " + "A private template is visible only to the owner of the template. " - + "A priviledged template is a private template with account permissions added. " + "Only accounts specified under the template permissions are visible to them.") + + "A priviledged template is a private template with account permissions added. " + "Only accounts specified under the template permissions are visible to them.", entityType = {AclEntityType.VirtualMachineTemplate}) public class UpdateTemplatePermissionsCmd extends BaseUpdateTemplateOrIsoPermissionsCmd { @Override protected String getResponseName() { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/server/src/com/cloud/api/query/QueryManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index e2055c7..e46e0f4 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java 
@@ -2902,6 +2902,13 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
 // exclude the caller, only include those granted and not owned by self
 permittedDomains.remove(caller.getDomainId());
 permittedAccounts.remove(caller.getAccountId());
+ for (Long tid : permittedResources) {
+ // remove it if it is owned by the caller
+ VMTemplateVO tmpl = _templateDao.findById(tid);
+ if (tmpl != null && tmpl.getAccountId() == caller.getAccountId()) {
+ permittedResources.remove(tid);
+ }
+ }
 // building ACL search criteria
 SearchCriteria<TemplateJoinVO> aclSc = _templateJoinDao.createSearchCriteria();
 _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/server/src/com/cloud/template/TemplateManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java
index dde18b9..b500ed5 100755
--- a/server/src/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/com/cloud/template/TemplateManagerImpl.java
@@ -1174,7 +1174,8 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
 }
 }
- _accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template);
+ //_accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); //TODO: should we replace all ModifyEntry as OperateEntry?
 // If the template is removed throw an error.
 if (template.getRemoved() != null) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8072e508/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
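Review bot: The added loop in QueryManagerImpl calls `permittedResources.remove(tid)` while a for-each is iterating the same collection; on a fail-fast java.util collection that throws ConcurrentModificationException, and on an ArrayList it can instead end the loop early without visiting the last element. The collection's declared type is outside the hunk, so this assumes a standard List or Set. Either outcome matters because this filter decides what a caller sees under TemplateFilter=shared: the call fails, or a caller-owned entry stays in the ACL criteria. Removing through an explicit iterator avoids both, as sketched below (it may need a `java.util.Iterator` import); the enclosing method starts and ends outside the hunk.

```java
// … unchanged: permittedDomains / permittedAccounts removal …
for (Iterator<Long> it = permittedResources.iterator(); it.hasNext();) {
    // drop entries owned by the caller; removal goes through the iterator
    VMTemplateVO tmpl = _templateDao.findById(it.next());
    if (tmpl != null && tmpl.getAccountId() == caller.getAccountId()) {
        it.remove();
    }
}
// … unchanged: building ACL search criteria …
```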
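Review bot: The access check in TemplateManagerImpl is switched from `AccessType.ModifyEntry` to `AccessType.OperateEntry` while the trailing TODO still asks whether that is the right level, so an authorization decision is being committed unresolved. How the two access types rank is not visible in this hunk; if OperateEntry is granted more widely than ModifyEntry, more callers can reach whatever this method does to the template, and the method itself starts outside the hunk. I would delete the commented-out `//_accountMgr.checkAccess(...)` line and replace the TODO with a comment that records the decision, for example `// OperateEntry (not ModifyEntry) is required here because <reason>`. A test that a caller without owner rights is still rejected on this path would pin the intended behaviour.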
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 2771859..8509114 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -38,6 +38,9 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.log4j.Logger;
+
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.QuerySelector;
 import org.apache.cloudstack.acl.RoleType;
@@ -57,8 +60,6 @@ import org.apache.cloudstack.framework.messagebus.MessageBus;
 import org.apache.cloudstack.framework.messagebus.PublishScope;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.log4j.Logger;
 import com.cloud.api.ApiDBUtils;
 import com.cloud.configuration.Config;
@@ -2228,12 +2229,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 checkAccess(caller, domain);
 }
- if (id != null) {
- // look for an individual entity, no other permission criteria are needed
- permittedResources.add(id);
- return;
- }
-
 if (accountName != null) {
 if (projectId != null) {
 throw new InvalidParameterValueException("Account and projectId can't be specified together");
