winterhazel commented on PR #12683: URL: https://github.com/apache/cloudstack/pull/12683#issuecomment-4194561621
> > @sudo87 is this change related to a specific issue/situation? This flag is just used to ensure that all the controlled entities provided to `checkAccess` are owned by the same account. As only a single template is provided, changing it should not affect anything. > > Hi @winterhazel, this change is based on how checkAccess is used here. Right now we pass sameOwner = false, which effectively relaxes the ownership check. For a non-public template accessed by a non-admin, we should be enforcing that it belongs to the caller’s account. Setting sameOwner = true makes that explicit and aligns with the intended access control. > > Please let me know if change makes sense. @sudo87 have a look at what `sameOwner` is used for in the implementation of `com.cloud.user.AccountManagerImpl#checkAccess(com.cloud.user.Account, org.apache.cloudstack.acl.SecurityChecker.AccessType, boolean, org.apache.cloudstack.acl.ControlledEntity...)`. It does not ensure that the controlled entity (the template) belongs to the calling account. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
