bug 7002: adding a check to ensure the account specific vlan added, is within the domain tree of the zone for which the vlan is being added for (whether it is a child domain or not)

status 7002: resolved fixed

server/src/com/cloud/configuration/ConfigurationManagerImpl.java

@@ -73,6 +73,7 @@ import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InsufficientCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.PermissionDeniedException;
 import com.cloud.hypervisor.Hypervisor.HypervisorType;
 import com.cloud.network.NetworkManager;
 import com.cloud.network.dao.IPAddressDao;
@@ -1388,6 +1389,12 @@ public class ConfigurationManagerImpl implements ConfigurationManager {
     	if (zoneId == null || ((zone = _zoneDao.findById(zoneId)) == null)) {
 			throw new InvalidParameterValueException("Please specify a valid zone.");
 		}
+    	
+    	//check if the account's domain is a child of the zone's domain, for adding vlan ip ranges
+		if(domainId != null && !_domainDao.isChildDomain(zone.getDomainId(), domainId)){
+			//this is for account specific case, as domainId != null
+			throw new PermissionDeniedException("The account associated with specific domain id:"+domainId+" doesn't have permissions to add vlan ip ranges for the zone:"+zone.getId());
+		}
 
     	boolean associateIpRangeToAccount = false;
     	if (vlanType.equals(VlanType.VirtualNetwork)) {