From 6d35b520d3e6307d930d9ad7542a7fc40cf3535c Mon Sep 17 00:00:00 2001
From: Wei Zhou <weizhou@apache.org>
Date: Fri, 7 Jan 2022 08:43:48 +0100
Subject: [PATCH] server: fix vm can be recovered by other accounts (#5822)

---
 .../apache/cloudstack/api/command/admin/vm/RecoverVMCmd.java   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/vm/RecoverVMCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/vm/RecoverVMCmd.java
index 4ad09171540..1a123ecfcdb 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/vm/RecoverVMCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/vm/RecoverVMCmd.java
@@ -18,6 +18,8 @@ package org.apache.cloudstack.api.command.admin.vm;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -43,6 +45,7 @@ public class RecoverVMCmd extends BaseCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
+    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = UserVmResponse.class, required = true, description = "The ID of the virtual machine")
     private Long id;