CLOUDSTACK-287: don't allow API call against system account (adding users to
system account is prohibited; can't delete/update System account)
Conflicts:
server/src/com/cloud/user/AccountManagerImpl.java
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit:
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/c9aa9a55
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/c9aa9a55
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/c9aa9a55
Branch: refs/heads/master
Commit: c9aa9a5557a3b71dc132c2611c6739b2fea052b9
Parents: ffa5276
Author: Alena Prokharchyk <[email protected]>
Authored: Mon Oct 8 10:31:24 2012 -0700
Committer: Alena Prokharchyk <[email protected]>
Committed: Tue Oct 9 09:37:27 2012 -0700
----------------------------------------------------------------------
server/src/com/cloud/user/AccountManagerImpl.java | 20 ++++++++++-----
1 files changed, 13 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/c9aa9a55/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java
b/server/src/com/cloud/user/AccountManagerImpl.java
index 385bb5a..dcca74e 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -834,6 +834,10 @@ public class AccountManagerImpl implements AccountManager,
AccountService, Manag
if (account == null || account.getType() ==
Account.ACCOUNT_TYPE_PROJECT) {
throw new InvalidParameterValueException("Unable to find account "
+ accountName + " in domain id=" + domainId + " to create user");
}
+
+ if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
+ throw new PermissionDeniedException("Account id : " +
account.getId() + " is a system account, can't add a user to it");
+ }
if (!_userAccountDao.validateUsernameInDomain(userName, domainId)) {
throw new CloudRuntimeException("The user " + userName + " already
exists in domain " + domainId);
@@ -1155,9 +1159,8 @@ public class AccountManagerImpl implements
AccountManager, AccountService, Manag
throw new InvalidParameterValueException("Unable to find account
by accountId: " + accountId + " OR by name: " + accountName + " in domain " +
domainId);
}
- // Don't allow to modify system account
if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
- throw new InvalidParameterValueException("Can not modify system
account");
+ throw new PermissionDeniedException("Account id : " + accountId +
" is a system account, enable is not allowed");
}
// Check if user performing the action is allowed to modify this
account
@@ -1187,14 +1190,13 @@ public class AccountManagerImpl implements
AccountManager, AccountService, Manag
if (account == null || account.getType() ==
Account.ACCOUNT_TYPE_PROJECT) {
throw new InvalidParameterValueException("Unable to find active
account by accountId: " + accountId + " OR by name: " + accountName + " in
domain " + domainId);
}
-
- checkAccess(caller, null, true, account);
-
- // don't allow modify system account
+
if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
- throw new InvalidParameterValueException("can not lock system
account");
+ throw new PermissionDeniedException("Account id : " + accountId +
" is a system account, lock is not allowed");
}
+ checkAccess(caller, null, true, account);
+
if (lockAccount(account.getId())) {
return _accountDao.findById(account.getId());
} else {
@@ -1217,6 +1219,10 @@ public class AccountManagerImpl implements
AccountManager, AccountService, Manag
if (account == null || account.getType() ==
Account.ACCOUNT_TYPE_PROJECT) {
throw new InvalidParameterValueException("Unable to find account
by accountId: " + accountId + " OR by name: " + accountName + " in domain " +
domainId);
}
+
+ if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
+ throw new PermissionDeniedException("Account id : " + accountId +
" is a system account, disable is not allowed");
+ }
checkAccess(caller, null, true, account);
