The bug was raised (CLOUDSTACK-5145), but not closed, so I assumed it was still open.
On Tue, Nov 26, 2013 at 1:46 PM, Alena Prokharchyk <[email protected]> wrote: > I believe this bug was raised in the community list before, and fixed by > Kishan. Kishan, please comment. > > -Alena. > From: Marcus Sorensen <[email protected]<mailto:[email protected]>> > Reply-To: "[email protected]<mailto:[email protected]>" > <[email protected]<mailto:[email protected]>> > Date: Tuesday, November 26, 2013 8:28 AM > To: "[email protected]<mailto:[email protected]>" > <[email protected]<mailto:[email protected]>> > Subject: HELP with CLOUDSTACK-5145 security issue > > Is there anyone who can help with CLOUDSTACK-5145? There's a security > issue with 4.2+ due to the new ACL design. Anyone listing ACLs sees > ALL ACLs in the system, and if a network has no ACLs then filtering by > network also lists ALL ACLs. As you can imagine, this causes a lot of > problems. I could hack together some joins to link network_acl, > network_acl_item, and vpc tables to get the account owning the acls, > but I also see this ''_accountMgr.buildACLSearchBuilder" which seems > to be commented out of the list code. I'm wondering if there's a more > elegant way to do it. >
