This is an automated email from the ASF dual-hosted git repository.

winterhazel pushed a commit to branch 4.22
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/4.22 by this push:
     new ca4645320e2 Move checkRoleEscalation outside DB transaction in 
createAccount (#13044)
ca4645320e2 is described below

commit ca4645320e2b40ebc541b4818b2f8f9a044f3fc2
Author: Nicolas Vazquez <[email protected]>
AuthorDate: Tue May 19 17:23:27 2026 -0300

    Move checkRoleEscalation outside DB transaction in createAccount (#13044)
    
    Co-authored-by: Aaron Chung <[email protected]>
---
 .../main/java/com/cloud/user/AccountManagerImpl.java    | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java 
b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
index e01137cffbc..c485aae87ec 100644
--- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -1341,20 +1341,19 @@ public class AccountManagerImpl extends ManagerBase 
implements AccountManager, M
 
         final String accountNameFinal = accountName;
         final Long domainIdFinal = domainId;
-        final String accountUUIDFinal = accountUUID;
+        final String resolvedAccountUUID = accountUUID != null ? accountUUID : 
UUID.randomUUID().toString();
+
+        // Check role escalation before the transaction — this is a read-only 
check
+        // that iterates all API commands and doesn't need a write transaction 
open.
+        AccountVO requestedAccount = new AccountVO(accountNameFinal, 
domainIdFinal, networkDomain, accountType, roleId, resolvedAccountUUID);
+        checkRoleEscalation(getCurrentCallingAccount(), requestedAccount);
+
         Pair<Long, Account> pair = Transaction.execute(new 
TransactionCallback<>() {
             @Override
             public Pair<Long, Account> doInTransaction(TransactionStatus 
status) {
-                // create account
-                String accountUUID = accountUUIDFinal;
-                if (accountUUID == null) {
-                    accountUUID = UUID.randomUUID().toString();
-                }
-                AccountVO account = createAccount(accountNameFinal, 
accountType, roleId, domainIdFinal, networkDomain, details, accountUUID);
+                AccountVO account = createAccount(accountNameFinal, 
accountType, roleId, domainIdFinal, networkDomain, details, 
resolvedAccountUUID);
                 long accountId = account.getId();
 
-                checkRoleEscalation(getCurrentCallingAccount(), account);
-
                 // create the first user for the account
                 UserVO user = createUser(accountId, userName, password, 
firstName, lastName, email, timezone, userUUID, source);
 
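Review bot: The call `checkRoleEscalation(getCurrentCallingAccount(), requestedAccount)` now authorizes a transient `AccountVO` built by hand, not the object that `createAccount(...)` persists inside the transaction, so the check only holds while the two argument lists stay identical. If `createAccount` (not visible in this hunk) normalises or defaults `roleId` or `accountType`, the stored account could differ from the one that was checked. Consider adding a comment such as `// requestedAccount must mirror the arguments passed to createAccount() below; it is the object the escalation check authorizes`, plus a unit test asserting that a rejected escalation never reaches `createAccount`. The transient object also has no database id, which is fine only if `checkRoleEscalation` reads the role and type fields and not the id, so that is worth confirming. The enclosing method and the `doInTransaction` body both extend beyond this hunk.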
