DaanHoogland commented on issue #11420:
URL: https://github.com/apache/cloudstack/issues/11420#issuecomment-3187889707

   > [@DaanHoogland](https://github.com/DaanHoogland) If a `Domain Admin` 
creates a template (e.g., using `createTemplate` API with a `volumeid`) or 
updates it via `updateTemplatePermissions` API, they can set `isfeatured` 
successfully. And this template will be available even for another domain. This 
way, even Domain Admins can set this value, but through another endpoint. The 
only limitation is with `registerTemplate` API — when registering a template 
from a URL, the `isfeatured` flag is ignored unless a Root Admin makes the 
request.
   
   Yes @Yuliia7-1, but one might argue that the fact that the flag can be set 
after the fact is the bug, and not that it is ignored in the first place.
   
   Would you consider it good functionality if a domain admin can feature a 
template outside of their own domain? With some social engineering involved, it 
kind of sounds like a security issue waiting to happen to me.
   
   I have no preference, but what use case is there that nudges you to want to 
allow it?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.