[GitHub] [cloudstack] anuragaw commented on a change in pull request #3241: [WIP DO NOT MERGE] Allow users to share templates with Accounts or Projects through the

Sun, 23 Jun 2019 22:37:03 -0700 

anuragaw commented on a change in pull request #3241: [WIP DO NOT MERGE] Allow 
users to share templates with Accounts or Projects through the
URL: https://github.com/apache/cloudstack/pull/3241#discussion_r296557632
 
 

 ##########
 File path: server/src/main/java/com/cloud/template/TemplateManagerImpl.java
 ##########
 @@ -1541,14 +1539,23 @@ public boolean 
updateTemplateOrIsoPermissions(BaseUpdateTemplateOrIsoPermissions
         //Derive the domain id from the template owner as 
updateTemplatePermissions is not cross domain operation
         Account owner = _accountMgr.getAccount(ownerId);
         final Domain domain = _domainDao.findById(owner.getDomainId());
+        final boolean isCallerRootAdmin = 
_accountMgr.isRootAdmin(caller.getAccountId());
         if ("add".equalsIgnoreCase(operation)) {
             final List<String> accountNamesFinal = accountNames;
             final List<Long> accountIds = new ArrayList<Long>();
             Transaction.execute(new TransactionCallbackNoReturn() {
                 @Override
                 public void doInTransactionWithoutResult(TransactionStatus 
status) {
                     for (String accountName : accountNamesFinal) {
-                        Account permittedAccount = 
_accountDao.findActiveAccount(accountName, domain.getId());
+                        Account permittedAccount = null;
+                        if (isCallerRootAdmin) {
+                            List<AccountVO> accountsWthName = 
_accountDao.findAccountsLike(accountName);
+                            if (accountsWthName.size() > 0) {
+                                permittedAccount = accountsWthName.get(0);
 
 Review comment:
   @rhtyd - good call. I looked at the implementation in more depth on Friday 
and observed the following -
   1. Update template permissions uses account names (NOT uuids) to update 
permissions.
   2. This means that the above API call is meant for domain specific sharing 
and hence implies a cross domain sharing restriction.
   3. Double checked and confirmed that sharing templates VIA UI should also 
have same restrictions as updateTemplatePermissions API.
   
   Hence I've reverted some changes and updated UI code to reflect these 
restrictions.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to