Fix for CloudStack-648

Signed-off-by: Gavin Lee <gavin.lxh@gmail.com>

api/src/com/cloud/api/response/UserResponse.java

@@ -69,6 +69,8 @@ public class UserResponse extends BaseResponse {
     @SerializedName("accountid") @Param(description="the account ID of the user")
     private IdentityProxy accountId = new IdentityProxy("account");
 
+    @SerializedName("iscallerchilddomain") @Param(description="the boolean value representing if the updating target is in caller's child domain")
+    private boolean isCallerChildDomain;
     
     public Long getId() {
         return id.getValue();
@@ -188,4 +190,12 @@ public class UserResponse extends BaseResponse {
     public void setAccountId(Long accountId) {
         this.accountId.setValue(accountId);
     }
+    
+    public boolean getIsCallerSubdomain() {
+    	return this.isCallerChildDomain;
+    }
+    
+    public void setIsCallerChildDomain(boolean isCallerChildDomain) {
+    	this.isCallerChildDomain = isCallerChildDomain;
+    }
 }

client/tomcatconf/commands.properties.in

@@ -31,7 +31,7 @@ markDefaultZoneForAccount=com.cloud.api.commands.MarkDefaultZoneForAccountCmd;1
 #### User commands
 createUser=com.cloud.api.commands.CreateUserCmd;3
 deleteUser=com.cloud.api.commands.DeleteUserCmd;3
-updateUser=com.cloud.api.commands.UpdateUserCmd;3
+updateUser=com.cloud.api.commands.UpdateUserCmd;15
 listUsers=com.cloud.api.commands.ListUsersCmd;7
 ####lockUser=com.cloud.api.commands.LockUserCmd;7
 disableUser=com.cloud.api.commands.DisableUserCmd;7

server/src/com/cloud/api/ApiDBUtils.java

@@ -469,6 +469,10 @@ public class ApiDBUtils {
     public static DomainVO findDomainByIdIncludingRemoved(Long domainId) {
         return _domainDao.findByIdIncludingRemoved(domainId);
     }
+    
+    public static boolean isChildDomain(long parentId, long childId) {
+    	return _domainDao.isChildDomain(parentId, childId);
+    }
 
     public static DomainRouterVO findDomainRouterById(Long routerId) {
         return _domainRouterDao.findByIdIncludingRemoved(routerId);

server/src/com/cloud/api/ApiResponseHelper.java

@@ -423,6 +423,7 @@ public class ApiResponseHelper implements ResponseGenerator {
     
     @Override
     public UserResponse createUserResponse(UserAccount user) {
+    	Account account = UserContext.current().getCaller();
         UserResponse userResponse = new UserResponse();
         userResponse.setAccountName(user.getAccountName());
         userResponse.setAccountType(user.getType());
@@ -439,8 +440,8 @@ public class ApiResponseHelper implements ResponseGenerator {
         userResponse.setApiKey(user.getApiKey());
         userResponse.setSecretKey(user.getSecretKey());
         userResponse.setAccountId((user.getAccountId()));
+        userResponse.setIsCallerChildDomain(ApiDBUtils.isChildDomain(account.getDomainId(), user.getDomainId()));
         userResponse.setObjectName("user");
-
         return userResponse;
     }
 

ui/scripts/accounts.js

@@ -1248,22 +1248,20 @@
     if (jsonObj.state == 'Destroyed') return [];
 
     if(isAdmin()) {
-		  allowedActions.push("edit"); //updating networkdomain is allowed on any account, including system-generated default admin account 
-      if(!(jsonObj.domain == "ROOT" && jsonObj.name == "admin" && jsonObj.accounttype == 1)) { //if not system-generated default admin account    
-        if(jsonObj.state == "enabled") {
-          allowedActions.push("disable");
-          allowedActions.push("lock");
+        allowedActions.push("edit"); //updating networkdomain is allowed on any account, including system-generated default admin account 
+        if(!(jsonObj.domain == "ROOT" && jsonObj.name == "admin" && jsonObj.accounttype == 1)) { //if not system-generated default admin account    
+            if(jsonObj.state == "enabled") {
+                allowedActions.push("disable");
+                allowedActions.push("lock");
+            } else if(jsonObj.state == "disabled" || jsonObj.state == "locked") {
+                allowedActions.push("enable");
+            }
+            allowedActions.push("remove");
         }
-        else if(jsonObj.state == "disabled" || jsonObj.state == "locked") {
-          allowedActions.push("enable");
-        }
-        allowedActions.push("remove");
-      }
-			allowedActions.push("updateResourceCount");
-    }		
-		else if(isDomainAdmin()) {
-      allowedActions.push("updateResourceCount");
-		}	
+        allowedActions.push("updateResourceCount");
+    } else if(isDomainAdmin()) {
+        allowedActions.push("updateResourceCount");
+    }
     return allowedActions;
   }
 
@@ -1281,6 +1279,10 @@
           allowedActions.push("enable");
         allowedActions.push("remove");
       }
+    } else {
+        if(isSelfOrChildDomainUser(jsonObj.username, jsonObj.accounttype, jsonObj.domainid, jsonObj.iscallerchilddomain)) {
+            allowedActions.push("changePassword");
+        }
     }
     return allowedActions;
   }

ui/scripts/sharedFunctions.js

@@ -158,6 +158,22 @@ function isUser() {
   return (g_role == 0);
 }
 
+function isSelfOrChildDomainUser(username, useraccounttype, userdomainid, iscallerchilddomain) {
+	if(username == g_username) { //is self
+        return true;
+    } else if(isDomainAdmin()
+        && iscallerchilddomain
+        && (useraccounttype == 0)) { //domain admin to user
+        return true;
+	} else if(isDomainAdmin()
+        && iscallerchilddomain 
+		&& (userdomainid != g_domainid) ) { //domain admin to subdomain admin and user
+        return true;
+    } else {
+        return false;
+    } 
+}
+
 // FUNCTION: Handles AJAX error callbacks.  You can pass in an optional function to
 // handle errors that are not already handled by this method.
 function handleError(XMLHttpResponse, handleErrorCallback) {