diff --git a/api/src/com/cloud/api/response/UserResponse.java b/api/src/com/cloud/api/response/UserResponse.java index 920eb598f5a..b1382e98b8a 100644 --- a/api/src/com/cloud/api/response/UserResponse.java +++ b/api/src/com/cloud/api/response/UserResponse.java @@ -69,6 +69,8 @@ public class UserResponse extends BaseResponse { @SerializedName("accountid") @Param(description="the account ID of the user") private IdentityProxy accountId = new IdentityProxy("account"); + @SerializedName("iscallerchilddomain") @Param(description="the boolean value representing if the updating target is in caller's child domain") + private boolean isCallerChildDomain; public Long getId() { return id.getValue(); @@ -188,4 +190,12 @@ public class UserResponse extends BaseResponse { public void setAccountId(Long accountId) { this.accountId.setValue(accountId); } + + public boolean getIsCallerSubdomain() { + return this.isCallerChildDomain; + } + + public void setIsCallerChildDomain(boolean isCallerChildDomain) { + this.isCallerChildDomain = isCallerChildDomain; + } } diff --git a/client/tomcatconf/commands.properties.in b/client/tomcatconf/commands.properties.in index 437c8d458f5..e55017ce5ea 100755 --- a/client/tomcatconf/commands.properties.in +++ b/client/tomcatconf/commands.properties.in @@ -31,7 +31,7 @@ markDefaultZoneForAccount=com.cloud.api.commands.MarkDefaultZoneForAccountCmd;1 #### User commands createUser=com.cloud.api.commands.CreateUserCmd;3 deleteUser=com.cloud.api.commands.DeleteUserCmd;3 -updateUser=com.cloud.api.commands.UpdateUserCmd;3 +updateUser=com.cloud.api.commands.UpdateUserCmd;15 listUsers=com.cloud.api.commands.ListUsersCmd;7 ####lockUser=com.cloud.api.commands.LockUserCmd;7 disableUser=com.cloud.api.commands.DisableUserCmd;7 diff --git a/server/src/com/cloud/api/ApiDBUtils.java b/server/src/com/cloud/api/ApiDBUtils.java index cdd5339665c..012075c2e49 100755 --- a/server/src/com/cloud/api/ApiDBUtils.java +++ b/server/src/com/cloud/api/ApiDBUtils.java 
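Review bot: In UserResponse.java, the `@Param` description on `isCallerChildDomain` does not say that the value is relative to whoever made the request, nor that it is only a display hint. Wording such as `description="true if the user's domain is a child domain of the calling account's domain; advisory only, not an authorization decision"` would make both explicit. Because the field is a primitive `boolean`, it will presumably be emitted as `false` whenever the setter is never called, so a client cannot tell "not a child domain" from "not computed".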
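Review bot: In the second UserResponse.java hunk the getter is named `getIsCallerSubdomain()` while the field, the setter and the serialized name all say "child domain". Anything that discovers properties by accessor name would see a read property and a write property with different names. Renaming it to `public boolean getIsCallerChildDomain() {` keeps the pair consistent with the neighbouring accessors.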
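Review bot: Raising the trailing value on `updateUser` from 3 to 15 in commands.properties.in widens who may invoke the command, and nothing in this diff adds a matching server-side ownership check. If that number is the role bitmask (neighbouring commands use 3 and 7), 15 would admit every role, including ordinary users. The only self-or-child-domain test visible here is `isSelfOrChildDomainUser` in ui/scripts/sharedFunctions.js and its call in ui/scripts/accounts.js, and a client that calls the API directly never runs it. `UpdateUserCmd` or the service behind it should reject a caller who is neither the target user nor an admin of a parent domain, and should restrict which fields a non-admin may change. It is worth confirming that this check exists outside the diff and covering it with a test that calls updateUser as a plain user with another user's id and expects a refusal.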
@@ -469,6 +469,10 @@ public class ApiDBUtils { public static DomainVO findDomainByIdIncludingRemoved(Long domainId) { return _domainDao.findByIdIncludingRemoved(domainId); } + + public static boolean isChildDomain(long parentId, long childId) { + return _domainDao.isChildDomain(parentId, childId); + } public static DomainRouterVO findDomainRouterById(Long routerId) { return _domainRouterDao.findByIdIncludingRemoved(routerId); diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java index a5747101215..8f9837f54a5 100755 --- a/server/src/com/cloud/api/ApiResponseHelper.java +++ b/server/src/com/cloud/api/ApiResponseHelper.java @@ -423,6 +423,7 @@ public class ApiResponseHelper implements ResponseGenerator { @Override public UserResponse createUserResponse(UserAccount user) { + Account account = UserContext.current().getCaller(); UserResponse userResponse = new UserResponse(); userResponse.setAccountName(user.getAccountName()); userResponse.setAccountType(user.getType()); @@ -439,8 +440,8 @@ public class ApiResponseHelper implements ResponseGenerator { userResponse.setApiKey(user.getApiKey()); userResponse.setSecretKey(user.getSecretKey()); userResponse.setAccountId((user.getAccountId())); + userResponse.setIsCallerChildDomain(ApiDBUtils.isChildDomain(account.getDomainId(), user.getDomainId())); userResponse.setObjectName("user"); - return userResponse; } diff --git a/ui/scripts/accounts.js b/ui/scripts/accounts.js index 324c5f56988..ba741a4f063 100644 --- a/ui/scripts/accounts.js +++ b/ui/scripts/accounts.js 
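Review bot: `isChildDomain(long parentId, long childId)` in ApiDBUtils.java takes primitives while the neighbouring finders take `Long`, so if a caller passes a null `Long` the failure is a NullPointerException during unboxing at the call site rather than a handled case. The wrapper also carries no comment on whether a domain counts as its own child, which the UI logic in sharedFunctions.js appears to depend on (it separately tests `userdomainid != g_domainid`). A short Javadoc such as `/** Returns whether childId lies in the domain subtree rooted at parentId; behaviour for parentId == childId follows _domainDao.isChildDomain. */` would settle it once that case is confirmed.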
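Review bot: In the first ApiResponseHelper.java hunk, the result of `UserContext.current().getCaller()` is dereferenced later as `account.getDomainId()` with no null check, so any path that builds a user response without a caller in the context would fail while the response is assembled. Whether such a path exists is not visible here; if it can, guard it, for example `boolean inChild = account != null && ApiDBUtils.isChildDomain(account.getDomainId(), user.getDomainId());`. Naming the local `caller` rather than `account` would also avoid confusion with the account of the user being rendered. The body of createUserResponse continues outside this hunk.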
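Review bot: The context lines of the second ApiResponseHelper.java hunk copy `user.getApiKey()` and `user.getSecretKey()` into every UserResponse, which matters more now that the same commit opens `updateUser` to more roles. If updateUser returns its result through createUserResponse, a domain admin who changes a child-domain user's password would receive that user's API secret in the reply. Consider populating the keys only when the caller is the user or a root admin. Separately, `ApiDBUtils.isChildDomain(...)` is evaluated once per user, which looks like one domain lookup per row when users are listed. Resolving the caller's domain once per request and reusing the result per domain id would avoid that.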
@@ -1248,22 +1248,20 @@ if (jsonObj.state == 'Destroyed') return []; if(isAdmin()) { - allowedActions.push("edit"); //updating networkdomain is allowed on any account, including system-generated default admin account - if(!(jsonObj.domain == "ROOT" && jsonObj.name == "admin" && jsonObj.accounttype == 1)) { //if not system-generated default admin account - if(jsonObj.state == "enabled") { - allowedActions.push("disable"); - allowedActions.push("lock"); + allowedActions.push("edit"); //updating networkdomain is allowed on any account, including system-generated default admin account + if(!(jsonObj.domain == "ROOT" && jsonObj.name == "admin" && jsonObj.accounttype == 1)) { //if not system-generated default admin account + if(jsonObj.state == "enabled") { + allowedActions.push("disable"); + allowedActions.push("lock"); + } else if(jsonObj.state == "disabled" || jsonObj.state == "locked") { + allowedActions.push("enable"); + } + allowedActions.push("remove"); } - else if(jsonObj.state == "disabled" || jsonObj.state == "locked") { - allowedActions.push("enable"); - } - allowedActions.push("remove"); - } - allowedActions.push("updateResourceCount"); - } - else if(isDomainAdmin()) { - allowedActions.push("updateResourceCount"); - } + allowedActions.push("updateResourceCount"); + } else if(isDomainAdmin()) { + allowedActions.push("updateResourceCount"); + } return allowedActions; } @@ -1281,6 +1279,10 @@ allowedActions.push("enable"); allowedActions.push("remove"); } + } else { + if(isSelfOrChildDomainUser(jsonObj.username, jsonObj.accounttype, jsonObj.domainid, jsonObj.iscallerchilddomain)) { + allowedActions.push("changePassword"); + } } return allowedActions; } diff --git a/ui/scripts/sharedFunctions.js b/ui/scripts/sharedFunctions.js index 961c97387a4..eb78ad15da0 100644 --- a/ui/scripts/sharedFunctions.js +++ b/ui/scripts/sharedFunctions.js 
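Review bot: The new `else { if (...) { ... } }` in the second accounts.js hunk can be written as `else if (isSelfOrChildDomainUser(jsonObj.username, jsonObj.accounttype, jsonObj.domainid, jsonObj.iscallerchilddomain)) {`, which removes one nesting level. A one-line comment such as `// display hint only; updateUser must enforce this on the server` would keep later readers from treating `iscallerchilddomain` as the access check. The enclosing function and the condition of the preceding `if` start outside the hunk, so whether admins get `changePassword` elsewhere cannot be confirmed from here.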
@@ -158,6 +158,22 @@ function isUser() { return (g_role == 0); } +function isSelfOrChildDomainUser(username, useraccounttype, userdomainid, iscallerchilddomain) { + if(username == g_username) { //is self + return true; + } else if(isDomainAdmin() + && iscallerchilddomain + && (useraccounttype == 0)) { //domain admin to user + return true; + } else if(isDomainAdmin() + && iscallerchilddomain + && (userdomainid != g_domainid) ) { //domain admin to subdomain admin and user + return true; + } else { + return false; + } +} + // FUNCTION: Handles AJAX error callbacks. You can pass in an optional function to // handle errors that are not already handled by this method. function handleError(XMLHttpResponse, handleErrorCallback) {
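Review bot: The self test in `isSelfOrChildDomainUser` compares only `username == g_username`, so if usernames are unique per domain rather than globally, a same-named user in another domain is treated as the caller. Comparing the domain as well, `if (username == g_username && userdomainid == g_domainid) {`, or a unique user id if the session holds one, is more precise. The two domain-admin branches differ only in their last term and can be merged into `return isDomainAdmin() && iscallerchilddomain && (useraccounttype == 0 || userdomainid != g_domainid);`. A short header comment stating that the function only decides which buttons are shown would match the `// FUNCTION:` comment style used just below.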