diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index 95f260d53c2..f61d6736e92 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java @@ -3070,9 +3070,9 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q boolean listAll = false; if (templateFilter != null && templateFilter == TemplateFilter.all) { - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { throw new InvalidParameterValueException("Filter " + TemplateFilter.all - + " can be specified by root admin only"); + + " can be specified by admin only"); } listAll = true; } @@ -3255,6 +3255,19 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q scc.addOr("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray()); } sc.addAnd("publicTemplate", SearchCriteria.Op.SC, scc); + }else if (templateFilter == TemplateFilter.all && caller.getType() != Account.ACCOUNT_TYPE_ADMIN ){ + SearchCriteria scc = _templateJoinDao.createSearchCriteria(); + scc.addOr("publicTemplate", SearchCriteria.Op.EQ, true); + + if (listProjectResourcesCriteria == ListProjectResourcesCriteria.SkipProjectResources) { + scc.addOr("domainPath", SearchCriteria.Op.LIKE, _domainDao.findById(caller.getDomainId()).getPath() + "%"); + } else { + if (!permittedAccounts.isEmpty()) { + scc.addOr("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray()); + scc.addOr("sharedAccountId", SearchCriteria.Op.IN, permittedAccountIds.toArray()); + } + } + sc.addAnd("publicTemplate", SearchCriteria.Op.SC, scc); } // add tags criteria diff --git a/test/integration/component/test_escalation_listTemplateDomainAdmin.py b/test/integration/component/test_escalation_listTemplateDomainAdmin.py index 5c52c062c15..087e45b8924 100644 --- a/test/integration/component/test_escalation_listTemplateDomainAdmin.py +++ b/test/integration/component/test_escalation_listTemplateDomainAdmin.py @@ -126,7 +126,7 @@ class TestlistTemplatesDomainAdmin(cloudstackTestCase): hypervisor=self.hypervisor, account=self.account2.name, domainid=self.account2.domainid, - templatefilter=self.testdata["templatefilter"] + templatefilter="all" ) diff --git a/test/integration/component/test_templates.py b/test/integration/component/test_templates.py index c8384d97c89..fb56011bed3 100644 --- a/test/integration/component/test_templates.py +++ b/test/integration/component/test_templates.py @@ -675,6 +675,5 @@ class TestListTemplate(cloudstackTestCase): DomainName=self.newdomain_account.domain) try: list_template_response = Template.list(self.domain_user_api_client, templatefilter='all') - self.fail("Domain admin is able to use templatefilter='all' in listTemplates API call") except Exception as e: - self.debug("ListTemplates API with templatefilter='all' is not permitted for domain admin user") + self.fail("Domain admin should be able to use templatefilter='all' in listTemplates API call")