CLOUDSTACK-3447. CLOUDSTACK-3448.

Correct the access check on networks in APIs addNicToVM and removeNicFromVM
2025-11-02 20:02:29 +01:00 · 2013-07-11 13:46:25 +05:30 · 2013-07-11 13:46:25 +05:30 · 47de56d665
commit 47de56d665
parent 33376f1459
1 changed files with 2 additions and 14 deletions
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@ -863,13 +863,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Use
        }

        // Perform account permission check on network
-        if (network.getGuestType() != Network.GuestType.Shared) {
-            // Check account permissions
-            List<NetworkVO> networkMap = _networkDao.listBy(caller.getId(), network.getId());
-            if ((networkMap == null || networkMap.isEmpty() ) && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-                throw new PermissionDeniedException("Unable to modify a vm using network with id " + network.getId() + ", permission denied");
-            }
-        }
+        _accountMgr.checkAccess(caller, AccessType.UseNetwork, false, network);

        //ensure network belongs in zone
        if (network.getDataCenterId() != vmInstance.getDataCenterId()) {
@ -940,13 +934,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Use
        }

        // Perform account permission check on network
-        if (network.getGuestType() != Network.GuestType.Shared) {
-            // Check account permissions
-            List<NetworkVO> networkMap = _networkDao.listBy(caller.getId(), network.getId());
-            if ((networkMap == null || networkMap.isEmpty() ) && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-                throw new PermissionDeniedException("Unable to modify a vm using network with id " + network.getId() + ", permission denied");
-            }
-        }
+        _accountMgr.checkAccess(caller, AccessType.UseNetwork, false, network);

        boolean nicremoved = false;