cloudstack-commits mailing list archives

From alena1...@apache.org
Subject [2/2] git commit: CLOUDSTACK-287: don't allow API call against system account (adding users to system account is prohibited; can't delete/update System account)
Date Tue, 09 Oct 2012 16:39:58 GMT
CLOUDSTACK-287: don't allow API call against system account (adding users to system account
is prohibited; can't delete/update System account)

Conflicts:

	server/src/com/cloud/user/AccountManagerImpl.java


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/c9aa9a55
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/c9aa9a55
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/c9aa9a55

Branch: refs/heads/master
Commit: c9aa9a5557a3b71dc132c2611c6739b2fea052b9
Parents: ffa5276
Author: Alena Prokharchyk <alena.prokharchyk@citrix.com>
Authored: Mon Oct 8 10:31:24 2012 -0700
Committer: Alena Prokharchyk <alena.prokharchyk@citrix.com>
Committed: Tue Oct 9 09:37:27 2012 -0700

----------------------------------------------------------------------
 server/src/com/cloud/user/AccountManagerImpl.java |   20 ++++++++++-----
 1 files changed, 13 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/c9aa9a55/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 385bb5a..dcca74e 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -834,6 +834,10 @@ public class AccountManagerImpl implements AccountManager, AccountService,
Manag
         if (account == null || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
             throw new InvalidParameterValueException("Unable to find account " + accountName
+ " in domain id=" + domainId + " to create user");
         }
+        
+        if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
+            throw new PermissionDeniedException("Account id : " + account.getId() + " is
a system account, can't add a user to it");
+        }
 
         if (!_userAccountDao.validateUsernameInDomain(userName, domainId)) {
             throw new CloudRuntimeException("The user " + userName + " already exists in
domain " + domainId);
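Review bot: The system-account guard added here in the user-creation path is the same three-line check that this commit also places in the enable, lock and disable hunks, each with its own hand-written message, so a later account operation can easily miss the rule or word it differently. A single private helper that takes the resolved account and the refused action would keep the rule and its message in one place. The sketch below builds the message from `account.getId()`, as this hunk already does; the helper name is only a suggestion. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: account lookup and project-type check …
assertNotSystemAccount(account, "can't add a user to it");

// new private helper in AccountManagerImpl, shared by the enable/lock/disable paths
private void assertNotSystemAccount(Account account, String refusedAction) {
    if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
        throw new PermissionDeniedException("Account id : " + account.getId()
                + " is a system account, " + refusedAction);
    }
}
```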
@@ -1155,9 +1159,8 @@ public class AccountManagerImpl implements AccountManager, AccountService,
Manag
             throw new InvalidParameterValueException("Unable to find account by accountId:
" + accountId + " OR by name: " + accountName + " in domain " + domainId);
         }
 
-        // Don't allow to modify system account
         if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
-            throw new InvalidParameterValueException("Can not modify system account");
+            throw new PermissionDeniedException("Account id : " + accountId + " is a system
account, enable is not allowed");
         }
 
         // Check if user performing the action is allowed to modify this account
@@ -1187,14 +1190,13 @@ public class AccountManagerImpl implements AccountManager, AccountService,
Manag
         if (account == null || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
             throw new InvalidParameterValueException("Unable to find active account by accountId:
" + accountId + " OR by name: " + accountName + " in domain " + domainId);
         }
-
-        checkAccess(caller, null, true, account);
-
-        // don't allow modify system account
+        
         if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
-            throw new InvalidParameterValueException("can not lock system account");
+            throw new PermissionDeniedException("Account id : " + accountId + " is a system
account, lock is not allowed");
         }
 
+        checkAccess(caller, null, true, account);
+
         if (lockAccount(account.getId())) {
             return _accountDao.findById(account.getId());
         } else {
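Review bot: Moving the system-account check ahead of `checkAccess(caller, null, true, account)` means a caller with no rights on the account now gets the system-account refusal instead of the access-control failure, and the commit also drops the comment that explained the guard. If the order is intentional (it matches the enable and disable hunks), a short comment would stop a later cleanup from swapping it back, for example `// System account is immutable for every caller, so refuse before the per-caller access check`. The switch from InvalidParameterValueException to PermissionDeniedException may also change the error code API clients receive; that mapping is not visible here. The method starts outside the hunk and continues past it.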
@@ -1217,6 +1219,10 @@ public class AccountManagerImpl implements AccountManager, AccountService,
Manag
         if (account == null || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
             throw new InvalidParameterValueException("Unable to find account by accountId:
" + accountId + " OR by name: " + accountName + " in domain " + domainId);
         }
+        
+        if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
+            throw new PermissionDeniedException("Account id : " + accountId + " is a system
account, disable is not allowed");
+        }
 
         checkAccess(caller, null, true, account);
 

