weizhouapache commented on pull request #4339: URL: https://github.com/apache/cloudstack/pull/4339#issuecomment-924179939
Manually tested OK. @davidjumani @nvazquez I have two concerns:

(1) I've checked the existing domain-level configurations; it is OK that they are visible and editable for domain admin. However, some account settings (for example use.system.public.ips, use.system.guest.vlans) should not be editable by domain admin.

(2) If an admin creates a role from "User" and grants it the permission to list and update configurations, the accounts created from the role might be able to list/update global configurations and also zone/storage settings. It is not caused by this PR, but sounds like a critical security issue.
