From fc0bb46f10ddcff3579e9f73a96d8ed1e8b4df5c Mon Sep 17 00:00:00 2001
From: alena
Date: Fri, 6 May 2011 11:19:15 -0700
Subject: [PATCH] bug 9760: added missing permission check to listTemplates api (didn't work when id parameter was specified in the request) status 9760: resolved fixed
---
 server/src/com/cloud/server/ManagementServerImpl.java | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index 46d6cae39c9..d701d8c1a09 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -1637,6 +1637,8 @@ public class ManagementServerImpl implements ManagementServer {
 private Set> listTemplates(Long templateId, String name, String keyword, TemplateFilter templateFilter, boolean isIso, Boolean bootable, Long accountId, Long pageSize, Long startIndex, Long zoneId, HypervisorType hyperType, boolean isAccountSpecific, boolean showDomr) {
+
+ Account caller = UserContext.current().getCaller();
 VMTemplateVO template = null;
 if (templateId != null) {
 template = _templateDao.findById(templateId);
@@ -1671,6 +1673,11 @@ public class ManagementServerImpl implements ManagementServer {
 if (template == null) {
 templateZonePairSet = _templateDao.searchTemplates(name, keyword, templateFilter, isIso, bootable, account, domain, pageSize, startIndex, zoneId, hyperType, onlyReady, showDomr);
 } else {
+ //if template is not public, perform permission check here
+ if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+ Account owner = _accountMgr.getAccount(template.getAccountId());
+ _accountMgr.checkAccess(caller, owner);
+ }
 templateZonePairSet.add(new Pair(template.getId(), zoneId));
 }
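Review bot: The new check in the `else` branch of the second hunk passes the result of `_accountMgr.getAccount(template.getAccountId())` straight into `checkAccess` without handling a missing owner, so the outcome for a private template whose owner account cannot be resolved depends on how `checkAccess` treats null, which is not visible here. I would fail closed before the call, e.g. `if (owner == null) { throw new PermissionDeniedException("Unable to verify access to template " + template.getId()); }`, assuming that exception type is in scope in this file. The exemption `caller.getType() != Account.ACCOUNT_TYPE_ADMIN` is written by hand here rather than left to `checkAccess`, so it deserves a comment stating the intent, such as `// ACCOUNT_TYPE_ADMIN may list any template; every other caller goes through checkAccess`. The check runs only where the result set is assembled, while the template is loaded near the top of `listTemplates` (first hunk, where `caller` is fetched); the code between the two hunks is outside this diff, so confirm nothing there acts on or reveals a private template before the caller is authorised. The method body continues past the end of this hunk.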