Tested ACL for StartVmCmd using the new RoleBasedEntityAccessChecker

api/src/org/apache/cloudstack/acl/AclRolePermission.java

@@ -30,4 +30,6 @@ public interface AclRolePermission extends InternalIdentity {
     PermissionScope getScope();
 
     boolean isAllowed();
+
+    PermissionScope getScope();
 }

api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java

@@ -16,6 +16,8 @@
 // under the License.
 package org.apache.cloudstack.api.command.user.vm;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
@@ -50,6 +52,7 @@ public class StartVMCmd extends BaseAsyncCmd {
     // ////////////// API parameters /////////////////////
     // ///////////////////////////////////////////////////
 
+    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType=UserVmResponse.class,
             required = true, description = "The ID of the virtual machine")
     private Long id;

client/pom.xml

@@ -34,6 +34,11 @@
       <artifactId>cloud-plugin-acl-static-role-based</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-plugin-acl-role-based-access-checkers</artifactId>
+      <version>${project.version}</version>
+    </dependency>
     <dependency>
       <groupId>org.apache.cloudstack</groupId>
       <artifactId>cloud-plugin-dedicated-resources</artifactId>

client/tomcatconf/applicationContext.xml.in

@@ -389,6 +389,7 @@
   <bean id="databaseIntegrityChecker" class="com.cloud.upgrade.DatabaseIntegrityChecker" />
   <bean id="domainChecker" class="com.cloud.acl.DomainChecker" />
   <bean id="affinityGroupAccessChecker" class="com.cloud.acl.AffinityGroupAccessChecker" />
+  <bean id="roleBasedEntityAccessChecker" class="org.apache.cloudstack.acl.entity.RoleBasedEntityAccessChecker" />
   
   <!--
     Authenticators

client/tomcatconf/componentContext.xml.in

@@ -146,6 +146,7 @@
   <bean id="securityCheckers" class="com.cloud.utils.component.AdapterList">
     <property name="Adapters">
       <list>
+      	  <ref bean="roleBasedEntityAccessChecker"/>
 		  <ref bean="affinityGroupAccessChecker"/>
           <ref bean="domainChecker"/>
       </list>

client/tomcatconf/nonossComponentContext.xml.in

@@ -243,6 +243,7 @@
   <bean id="securityCheckers" class="com.cloud.utils.component.AdapterList">
     <property name="Adapters">
       <list>
+	      <ref bean="roleBasedEntityAccessChecker"/>
 	      <ref bean="affinityGroupAccessChecker"/>
           <ref bean="domainChecker"/>
       </list>

client/tomcatconf/simulatorComponentContext.xml.in

@@ -93,6 +93,7 @@
   <bean id="securityCheckers" class="com.cloud.utils.component.AdapterList">
     <property name="Adapters">
       <list>
+        <ref bean="roleBasedEntityAccessChecker"/>
 	    <ref bean="affinityGroupAccessChecker"/>
         <ref bean="domainChecker"/>
       </list>

engine/schema/src/org/apache/cloudstack/acl/AclRolePermissionVO.java

@@ -53,6 +53,7 @@ public class AclRolePermissionVO implements AclRolePermission {
     @Column(name = "permission")
     private boolean allowed;
 
+
     public AclRolePermissionVO() {
 
     }
@@ -114,4 +115,12 @@ public class AclRolePermissionVO implements AclRolePermission {
         this.allowed = allowed;
     }
 
+    @Override
+    public PermissionScope getScope() {
+        return scope;
+    }
+
+    public void setScope(PermissionScope scope) {
+        this.scope = scope;
+    }
 }

plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java

@@ -28,6 +28,7 @@ import org.apache.cloudstack.acl.AclRole;
 import org.apache.cloudstack.acl.AclRolePermissionVO;
 import org.apache.cloudstack.acl.AclService;
 import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.acl.dao.AclEntityPermissionDao;
@@ -39,6 +40,7 @@ import org.apache.log4j.Logger;
 
 import com.cloud.acl.DomainChecker;
 import com.cloud.api.ApiDispatcher;
+import com.cloud.domain.dao.DomainDao;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.template.VirtualMachineTemplate;
 import com.cloud.user.Account;
@@ -53,6 +55,8 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
     AccountService _accountService;
     @Inject
     AclService _aclService;
+    
+    @Inject DomainDao _domainDao;
 
     @Inject
     AclGroupAccountMapDao _aclGroupAccountMapDao;
@@ -70,6 +74,10 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
 
             String entityType = AclEntityType.VM.toString();
 
+            if (accessType == null) {
+                accessType = AccessType.ListEntry;
+            }
+
             // check if explicit allow/deny is present for this entity in
             // acl_entity_permission
 
@@ -105,11 +113,13 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
                 List<AclRolePermissionVO> permissions = _rolePermissionDao.listByRoleAndEntity(role.getId(),
                         entityType, accessType);
                 for (AclRolePermissionVO permission : permissions) {
-                    if (permission.getEntityType().equals(entityType)) {
-                        rolePermissionMap.put(role, permission.isAllowed());
-                        break;
-                    } else if (permission.getEntityType().equals("*")) {
-                        rolePermissionMap.put(role, permission.isAllowed());
+                    if (checkPermissionScope(caller, permission.getScope(), entity)) {
+                        if (permission.getEntityType().equals(entityType)) {
+                            rolePermissionMap.put(role, permission.isAllowed());
+                            break;
+                        } else if (permission.getEntityType().equals("*")) {
+                            rolePermissionMap.put(role, permission.isAllowed());
+                        }
                     }
                 }
                 if (rolePermissionMap.containsKey(role) && rolePermissionMap.get(role)) {
@@ -129,4 +139,19 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
 
         return false;
     }
+
+    private boolean checkPermissionScope(Account caller, PermissionScope scope, ControlledEntity entity) {
+        
+        if(scope.equals(PermissionScope.ACCOUNT)){
+            if(caller.getAccountId() == entity.getAccountId()){
+                return true;
+            }
+        }else if(scope.equals(PermissionScope.DOMAIN)){
+            if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
+                return true;
+            }
+        }
+        
+        return false;
+    }
 }