mirror of
https://github.com/apache/cloudstack.git
synced 2025-11-02 11:52:28 +01:00
server: do not return inaccessible entity details to normal users (#5827)
Fixes #5534 As pre 3.x APIs allow using internal DB IDs, even normal users can use internal IDs. This fix removes additional information in error message when the caller doesn't have access to the resource. Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
This commit is contained in:
Abhishek Kumar
GitHub
parent
f071873d84
commit
51f69f7134
@ -178,19 +178,20 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
|
||||
} else {
|
||||
if (_accountService.isNormalUser(caller.getId())) {
|
||||
Account account = _accountDao.findById(entity.getAccountId());
|
||||
String errorMessage = String.format("%s does not have permission to operate with resource", caller);
|
||||
if (account != null && account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
|
||||
//only project owner can delete/modify the project
|
||||
if (accessType != null && accessType == AccessType.ModifyProject) {
|
||||
if (!_projectMgr.canModifyProjectAccount(caller, account.getId())) {
|
||||
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
|
||||
throw new PermissionDeniedException(errorMessage);
|
||||
}
|
||||
} else if (!_projectMgr.canAccessProjectAccount(caller, account.getId())) {
|
||||
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
|
||||
throw new PermissionDeniedException(errorMessage);
|
||||
}
|
||||
checkOperationPermitted(caller, entity);
|
||||
} else {
|
||||
if (caller.getId() != entity.getAccountId()) {
|
||||
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
|
||||
throw new PermissionDeniedException(errorMessage);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user