(cloudstack) branch main updated: Fixed User type accounts being able to change resource limits of their own domain and account (#12046)

[dahn]

This is an automated email from the ASF dual-hosted git repository.

dahn pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/main by this push:
     new 2358632253a Fixed User type accounts being able to change resource 
limits of their own domain and account (#12046)
2358632253a is described below

commit 2358632253a0a0da74b81028e6c63aeb49df7e84
Author: Erik Böck <89930804+erikbo...@users.noreply.github.com>
AuthorDate: Mon Jan 12 04:20:31 2026 -0300

    Fixed User type accounts being able to change resource limits of their own 
domain and account (#12046)
    
    Co-authored-by: Lucas Martins 
<56271185+lucas-a-mart...@users.noreply.github.com>
---
 .../main/java/com/cloud/resourcelimit/ResourceLimitManagerImpl.java  | 5 +++++
 .../java/com/cloud/resourcelimit/ResourceLimitManagerImplTest.java   | 1 +
 2 files changed, 6 insertions(+)

diff --git 
a/server/src/main/java/com/cloud/resourcelimit/ResourceLimitManagerImpl.java 
b/server/src/main/java/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
index 9a6c8a85f18..648abf0d938 100644
--- a/server/src/main/java/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
+++ b/server/src/main/java/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
@@ -903,6 +903,11 @@ public class ResourceLimitManagerImpl extends ManagerBase 
implements ResourceLim
     public ResourceLimitVO updateResourceLimit(Long accountId, Long domainId, 
Integer typeId, Long max, String tag) {
         Account caller = CallContext.current().getCallingAccount();
 
+        if (caller.getType().equals(Account.Type.NORMAL)) {
+            logger.info("Throwing exception because only root admins and 
domain admins are allowed to update resource limits.");
+            throw new PermissionDeniedException("Your account does not have 
the permission to update resource limits.");
+        }
+
         if (max == null) {
             max = (long)Resource.RESOURCE_UNLIMITED;
         } else if (max < Resource.RESOURCE_UNLIMITED) {
diff --git 
a/server/src/test/java/com/cloud/resourcelimit/ResourceLimitManagerImplTest.java
 
b/server/src/test/java/com/cloud/resourcelimit/ResourceLimitManagerImplTest.java
index a968a2da0b7..0b0b8c5e43f 100644
--- 
a/server/src/test/java/com/cloud/resourcelimit/ResourceLimitManagerImplTest.java
+++ 
b/server/src/test/java/com/cloud/resourcelimit/ResourceLimitManagerImplTest.java
@@ -147,6 +147,7 @@ public class ResourceLimitManagerImplTest {
         
overrideDefaultConfigValue(ResourceLimitService.ResourceLimitStorageTags, 
"_defaultValue", StringUtils.join(storageTags, ","));
 
         Account account = mock(Account.class);
+        when(account.getType()).thenReturn(Account.Type.ADMIN);
         User user = mock(User.class);
         CallContext.register(user, account);
     }