From a13231226c467db0a1412f59f75fbde6c9295a90 Mon Sep 17 00:00:00 2001 From: Sudhansu Date: Fri, 11 Nov 2016 17:20:24 +0530 Subject: [PATCH 1/2] CLOUDSTACK-9594: API "list templates templatefilter=all" reveals all templates of all domains Bug has been fixed considering below points 1. templatefilter=all or isofilter=all is applicable only to admin and domain admin. 2. With templatefilter=all or isofilter=all below are the visiblity of templates in system. a. admin should be able to see all templates/iso in system. b. domain admin should be able to see all public template and templates under its domain tree (including sub domain). c. domain admin in a project context should be able to see all public templates and templates registered as project account and templates which are shared(using updateTemplatePermission api) with project account. Modified "test/integration/component/test_escalation_listTemplateDomainAdmin.py" This marvin test is written for this scenario but for the second account "templatefilter=all" is not used. --- .../src/com/cloud/api/query/QueryManagerImpl.java | 13 +++++++++++++ .../test_escalation_listTemplateDomainAdmin.py | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index 0e3f3f2a897..a0e12e6a7c8 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java @@ -3233,6 +3233,19 @@ public class QueryManagerImpl extends ManagerBase implements QueryService, Confi scc.addOr("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray()); } sc.addAnd("publicTemplate", SearchCriteria.Op.SC, scc); + }else if (templateFilter == TemplateFilter.all && caller.getType() != Account.ACCOUNT_TYPE_ADMIN ){ + SearchCriteria scc = _templateJoinDao.createSearchCriteria(); + scc.addOr("publicTemplate", SearchCriteria.Op.EQ, true); + + if (listProjectResourcesCriteria == ListProjectResourcesCriteria.SkipProjectResources) { + scc.addOr("domainPath", SearchCriteria.Op.LIKE, _domainDao.findById(caller.getDomainId()).getPath() + "%"); + } else { + if (!permittedAccounts.isEmpty()) { + scc.addOr("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray()); + scc.addOr("sharedAccountId", SearchCriteria.Op.IN, permittedAccountIds.toArray()); + } + } + sc.addAnd("publicTemplate", SearchCriteria.Op.SC, scc); } // add tags criteria diff --git a/test/integration/component/test_escalation_listTemplateDomainAdmin.py b/test/integration/component/test_escalation_listTemplateDomainAdmin.py index 5c52c062c15..087e45b8924 100644 --- a/test/integration/component/test_escalation_listTemplateDomainAdmin.py +++ b/test/integration/component/test_escalation_listTemplateDomainAdmin.py @@ -126,7 +126,7 @@ class TestlistTemplatesDomainAdmin(cloudstackTestCase): hypervisor=self.hypervisor, account=self.account2.name, domainid=self.account2.domainid, - templatefilter=self.testdata["templatefilter"] + templatefilter="all" ) From 7059f9e12d4320d1a5b768e8ce586430e5785a8e Mon Sep 17 00:00:00 2001 From: Sudhansu Date: Tue, 6 Dec 2016 23:17:37 +0530 Subject: [PATCH 2/2] CLOUDSTACK-9594: reverted changes introduced in CLOUDSTACK-9376 --- server/src/com/cloud/api/query/QueryManagerImpl.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index a0e12e6a7c8..17c5855694e 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java @@ -3054,9 +3054,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService, Confi boolean listAll = false; if (templateFilter != null && templateFilter == TemplateFilter.all) { - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { throw new InvalidParameterValueException("Filter " + TemplateFilter.all - + " can be specified by root admin only"); + + " can be specified by admin only"); } listAll = true; }