[ https://issues.apache.org/jira/browse/CLOUDSTACK-1054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13562703#comment-13562703 ]
Wido den Hollander commented on CLOUDSTACK-1054:
------------------------------------------------
Since I'm not 100% positive about this change I've posted it to reviewboard:
https://reviews.apache.org/r/9111/
If I was certain I would have committed it :)
> ListDomains does not list all domains when the name is specified
> ----------------------------------------------------------------
>
> Key: CLOUDSTACK-1054
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1054
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: API
> Affects Versions: 4.0.0, 4.0.1, 4.1.0
> Reporter: Wido den Hollander
> Priority: Minor
> Fix For: Future
>
>
> The documentation for listDomains says that you can list all domains by
> specifying the 'name'.
> id: List domain by domain ID.
> name: List domain by domain name.
> When doing this however you don't get the expected result.
> I turned on MySQL debugging and it showed me this query:
> SELECT domain.id, domain.parent, domain.name, domain.owner, domain.path,
> domain.level, domain.removed, domain.child_count, domain.next_child_seq,
> domain.state, domain.network_domain, domain.uuid FROM domain WHERE domain.id
> = 1 AND domain.name LIKE _binary'%pcextreme%' AND domain.state = 'Active'
> AND domain.removed IS NULL ORDER BY domain.id ASC LIMIT 0, 500
> What I noticed is 'domain.id = 1'.
> I haven't specified an ID and still it is set?
> Going into the code (DomainManagerImpl) I found:
>     Long domainId = cmd.getId();
>     boolean listAll = cmd.listAll();
>     boolean isRecursive = false;
>     if (domainId != null) {
>         Domain domain = getDomain(domainId);
>         if (domain == null) {
>             throw new InvalidParameterValueException("Domain id=" +
>                 domainId + " doesn't exist");
>         }
>         _accountMgr.checkAccess(caller, domain);
>     } else {
>         domainId = caller.getDomainId();
>         if (listAll) {
>             isRecursive = true;
>         }
>     }
> So if domainId is not specified it is automatically set to the ID of the
> domain I'm in? Since I'm admin my ID is set to 1.
> This is odd behaviour since I want the domain specified by the name, not by
> my ID.
> I understand that this is a security flaw if every user can query for every
> domain, but it is kind of weird.
> The description for the 'name' argument isn't clear either.
> The code does: name LIKE '%<name>%' so it is actually a wildcard search which
> the documentation does not say.
> I'm thinking about checking if the user is an admin and if that is the case
> not setting the domainId to the domain where the user is in.
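The scoping logic quoted in the issue, next to the admin exemption it proposes, as an added example (not CloudStack code and not from the reporter). It is a simplified in-memory model: the class, method and flag names are hypothetical, the `/a/b/` path layout and the subtree test standing in for `checkAccess` are assumptions, and only a root-level admin is treated as unscoped.

```java
import java.util.List;
import java.util.stream.Collectors;

// Added example: simplified model of the listDomains scoping discussed in
// CLOUDSTACK-1054. Not CloudStack code; every name here is hypothetical.
public class ListDomainsScopeDemo {
    // path mimics the domain.path column; the "/a/b/" layout is an assumption.
    record Domain(long id, String name, String path) {}

    static List<Long> list(List<Domain> all, Domain callerDomain, boolean rootAdmin,
                           Long id, String name, boolean listAll, boolean proposed) {
        Long domainId = id;
        boolean recursive = false;
        if (domainId != null) {
            // Stand-in for checkAccess: target must lie inside the caller's subtree.
            Domain target = all.stream().filter(d -> d.id() == id).findFirst()
                .orElseThrow(() -> new IllegalArgumentException("Domain id=" + id + " doesn't exist"));
            if (!target.path().startsWith(callerDomain.path()))
                throw new SecurityException("caller has no access to domain " + id);
        } else if (!(proposed && rootAdmin)) {
            // Logic as quoted in the issue: pin the search to the caller's own domain.
            domainId = callerDomain.getClass() == null ? null : callerDomain.id();
            recursive = listAll;
        }
        final Long scope = domainId;
        final boolean rec = recursive;
        return all.stream()
            .filter(d -> scope == null
                || (rec ? d.path().startsWith(callerDomain.path()) : d.id() == scope))
            // name LIKE '%<name>%' in the generated SQL is a substring match.
            .filter(d -> name == null || d.name().contains(name))
            .map(Domain::id).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Domain root = new Domain(1, "ROOT", "/");
        Domain pcx = new Domain(2, "pcextreme", "/pcextreme/");
        Domain other = new Domain(3, "other", "/other/");
        List<Domain> all = List.of(root, pcx, other);

        // Args: caller domain, rootAdmin, id, name, listAll, proposed change on/off.
        System.out.println(list(all, root, true, null, "pcextreme", false, false));
        System.out.println(list(all, root, true, null, "pcextreme", true, false));
        System.out.println(list(all, root, true, null, "pcextreme", false, true));
        System.out.println(list(all, other, false, null, "pcextreme", true, true));
    }
}
```

The last call is the one to keep as a regression check: a non-admin caller in another domain must stay confined to its own subtree whether or not the admin exemption is enabled.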