CLOUDSTACK-6569: IAM - Regular user is able to listNetworks of another

user in the same domain , by passing account and domainId.

api/src/com/cloud/user/AccountService.java

@@ -24,7 +24,6 @@ import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
 
 import com.cloud.domain.Domain;
-import com.cloud.domain.PartOf;
 import com.cloud.exception.PermissionDeniedException;
 
 public interface AccountService {
@@ -110,9 +109,6 @@ public interface AccountService {
 
     void checkAccess(Account caller, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException;
 
-    //TO be implemented, to check accessibility for an entity owned by domain
-    void checkAccess(Account caller, AccessType accessType, boolean sameOwner, PartOf... entities) throws PermissionDeniedException;
-
     Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly);
 
     /**

plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java

@@ -37,7 +37,6 @@ import org.apache.cloudstack.context.CallContext;
 import com.cloud.configuration.ResourceLimit;
 import com.cloud.configuration.dao.ResourceCountDao;
 import com.cloud.domain.Domain;
-import com.cloud.domain.PartOf;
 import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.exception.ResourceUnavailableException;
@@ -194,12 +193,6 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
         return false;
     }
 
-    @Override
-    public void checkAccess(Account account, AccessType accessType, boolean sameOwner, PartOf... entities) throws PermissionDeniedException {
-        // TODO Auto-generated method stub
-
-    }
-
 
     @Override
     public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long> permittedDomains, List<Long> permittedAccounts,

server/src/com/cloud/api/query/QueryManagerImpl.java

@@ -3111,7 +3111,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             }
 
             if (userAccount != null) {
-                _accountMgr.checkAccess(caller, null, false, userAccount);
+                _accountMgr.checkAccess(caller, null, userAccount);
                 // check permissions
                 permittedAccounts.add(userAccount.getId());
             } else {
@@ -3251,7 +3251,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             // if template is not public, perform permission check here
             if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
                 Account owner = _accountMgr.getAccount(template.getAccountId());
-                _accountMgr.checkAccess(caller, null, true, owner);
+                _accountMgr.checkAccess(caller, null, owner);
             }
 
             // if templateId is specified, then we will just use the id to
@@ -3576,7 +3576,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                 throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance "
                         + vmId + "; instance not found.");
             }
-            _accountMgr.checkAccess(caller, null, true, userVM);
+            _accountMgr.checkAccess(caller, null, userVM);
             return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
         }
 

server/src/com/cloud/network/NetworkServiceImpl.java

@@ -1432,7 +1432,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
                     throw new InvalidParameterValueException("Unable to find account " + accountName + " in specified domain");
                 }
 
-                _accountMgr.checkAccess(caller, null, true, owner);
+                _accountMgr.checkAccess(caller, null, owner);
                 permittedAccounts.add(owner.getId());
             }
         }

server/src/com/cloud/user/AccountManagerImpl.java

@@ -74,7 +74,6 @@ import com.cloud.dc.dao.DataCenterVnetDao;
 import com.cloud.dc.dao.DedicatedResourceDao;
 import com.cloud.domain.Domain;
 import com.cloud.domain.DomainVO;
-import com.cloud.domain.PartOf;
 import com.cloud.domain.dao.DomainDao;
 import com.cloud.event.ActionEvent;
 import com.cloud.event.ActionEventUtils;
@@ -457,13 +456,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + domain);
     }
 
-    @Override
-    public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, PartOf... entities) throws PermissionDeniedException {
-        // TODO Auto-generated method stub
-
-        //TO BE IMPLEMENTED
-
-    }
 
     @Override
     public void checkAccess(Account caller, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {

server/test/com/cloud/user/MockAccountManagerImpl.java

@@ -33,7 +33,6 @@ import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
 import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
 
 import com.cloud.domain.Domain;
-import com.cloud.domain.PartOf;
 import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.exception.ResourceUnavailableException;
@@ -220,11 +219,6 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
     }
 
 
-    @Override
-    public void checkAccess(Account account, AccessType accessType, boolean sameOwner, PartOf... entities) throws PermissionDeniedException {
-        // TODO Auto-generated method stub
-
-    }
 
     @Override
     public UserAccount getUserAccountById(Long userId) {