From 63e42d3c47d1c0d5e885ec4265b20ea2f613d94b Mon Sep 17 00:00:00 2001
From: Min Chen <min.chen@citrix.com>
Date: Fri, 7 Feb 2014 15:56:03 -0800
Subject: [PATCH] Handle scopeId=-1 properly, which indicates current caller
 domain or account.

---
 .../cloudstack/acl/RoleBasedEntityQuerySelector.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
index 8ff81eda731..7b8715fd992 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
@@ -50,7 +50,11 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe
             if (pp != null) {
                 for (AclPolicyPermission p : pp) {
                     if (p.getScopeId() != null) {
-                        domainIds.add(p.getScopeId());
+                        if (p.getScopeId().longValue() == -1) {
+                            domainIds.add(caller.getDomainId());
+                        } else {
+                            domainIds.add(p.getScopeId());
+                        }
                     }
                 }
             }
@@ -70,7 +74,11 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe
             if (pp != null) {
                 for (AclPolicyPermission p : pp) {
                     if (p.getScopeId() != null) {
-                        accountIds.add(p.getScopeId());
+                        if (p.getScopeId().longValue() == -1) {
+                            accountIds.add(caller.getId());
+                        } else {
+                            accountIds.add(p.getScopeId());
+                        }
                     }
                 }
             }