I believe this bug was raised in the community list before, and fixed by Kishan. Kishan, please comment.
-Alena. From: Marcus Sorensen <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Tuesday, November 26, 2013 8:28 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: HELP with CLOUDSTACK-5145 security issue Is there anyone who can help with CLOUDSTACK-5145? There's a security issue with 4.2+ due to the new ACL design. Anyone listing ACLs sees ALL ACLs in the system, and if a network has no ACLs then filtering by network also lists ALL ACLs. As you can imagine, this causes a lot of problems. I could hack together some joins to link network_acl, network_acl_item, and vpc tables to get the account owning the acls, but I also see this ''_accountMgr.buildACLSearchBuilder" which seems to be commented out of the list code. I'm wondering if there's a more elegant way to do it.
