From: prachidamle@apache.org To: cloudstack-commits@incubator.apache.org X-Mailer: ASF-Git Admin Mailer Subject: [46/50] [abbrv] git commit: refs/heads/affinity_groups - CLOUDSTACK-1418- As regular user , we are not allowed to deploy VM on a shared network. Message-Id: <20130314223517.232B01833A@tyr.zones.apache.org> Date: Thu, 14 Mar 2013 22:35:17 +0000 (UTC) CLOUDSTACK-1418- As regular user , we are not allowed to deploy VM on a shared network. - Added the access type attribute to @acl - Domainchecker needs the AccessType.UseNetwork value specified to check access to network Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/3060c6f6 Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/3060c6f6 Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/3060c6f6 Branch: refs/heads/affinity_groups Commit: 3060c6f60ef48c28abd7aa3e99d60ed98f0376e5 Parents: 670b50a Author: Prachi Damle Authored: Wed Feb 27 16:56:14 2013 -0800 Committer: Prachi Damle Committed: Thu Mar 14 15:14:08 2013 -0700 ---------------------------------------------------------------------- api/src/org/apache/cloudstack/api/ACL.java | 4 +++ .../api/command/user/vm/DeployVMCmd.java | 4 +- server/src/com/cloud/api/ApiDispatcher.java | 20 ++++++++------ 3 files changed, 17 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/3060c6f6/api/src/org/apache/cloudstack/api/ACL.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/ACL.java b/api/src/org/apache/cloudstack/api/ACL.java index 3623d1a..ce93b6a 100644 --- a/api/src/org/apache/cloudstack/api/ACL.java +++ b/api/src/org/apache/cloudstack/api/ACL.java 
@@ -22,10 +22,14 @@ import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; import java.lang.annotation.Target; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; + @Retention(RetentionPolicy.RUNTIME) @Target({ FIELD }) public @interface ACL { + AccessType accessType() default AccessType.ListEntry; + boolean checkKeyAccess() default false; boolean checkValueAccess() default false; } http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/3060c6f6/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java index 0ac6476..21a45f8 100755 --- a/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java @@ -24,6 +24,7 @@ import java.util.LinkedHashMap; import java.util.List; import java.util.Map; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; @@ -53,7 +54,6 @@ import com.cloud.exception.InvalidParameterValueException; import com.cloud.exception.ResourceAllocationException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.hypervisor.Hypervisor.HypervisorType; -import com.cloud.network.IpAddress; import com.cloud.network.Network; import com.cloud.network.Network.IpAddresses; import com.cloud.offering.DiskOffering; 
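Review bot: The default `AccessType.ListEntry` on the new `accessType()` element applies to every existing `@ACL` field, not only the one this commit annotates, and the dispatcher now passes that value to `checkAccess` where it previously passed `null`. Whether the checker implementations treat `ListEntry` the same way they treated `null` is not visible in this patch, so the effective check for commands that modify or consume an entity may have changed; confirm that against the `SecurityChecker` implementations before merging. The element also needs a Javadoc line, for example `/** Access type the dispatcher passes to checkAccess for the annotated entity; defaults to ListEntry, so set the type the command actually needs. */`.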
@@ -103,7 +103,7 @@ public class DeployVMCmd extends BaseAsyncCreateCmd { private Long domainId; //Network information - @ACL + @ACL(accessType = AccessType.UseNetwork) @Parameter(name=ApiConstants.NETWORK_IDS, type=CommandType.LIST, collectionType=CommandType.UUID, entityType=NetworkResponse.class, description="list of network ids used by virtual machine. Can't be specified with ipToNetworkList parameter") private List networkIds; http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/3060c6f6/server/src/com/cloud/api/ApiDispatcher.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/ApiDispatcher.java b/server/src/com/cloud/api/ApiDispatcher.java index 8e3c5e0..cf86afc 100755 --- a/server/src/com/cloud/api/ApiDispatcher.java +++ b/server/src/com/cloud/api/ApiDispatcher.java @@ -24,6 +24,7 @@ import java.text.ParseException; import java.util.ArrayList; import java.util.Calendar; import java.util.Date; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Set; @@ -35,6 +36,7 @@ import javax.inject.Inject; import org.apache.cloudstack.acl.ControlledEntity; import org.apache.cloudstack.acl.InfrastructureEntity; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; @@ -87,7 +89,7 @@ public class ApiDispatcher { public ApiDispatcher() { } - + @PostConstruct void init() { s_instance = this; @@ -106,7 +108,7 @@ public class ApiDispatcher { } - private void doAccessChecks(BaseCmd cmd, List entitiesToAccess) { + private void doAccessChecks(BaseCmd cmd, Map entitiesToAccess) { Account caller = UserContext.current().getCaller(); Account owner = _accountMgr.getActiveAccountById(cmd.getEntityOwnerId()); 
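Review bot: Only `networkIds` receives `@ACL(accessType = AccessType.UseNetwork)` in the `@@ -103,7 +103,7 @@` hunk, while the description string on that same field names `ipToNetworkList` as the other way to pass networks to this command. That parameter is declared outside the hunk, so it is not visible whether networks supplied through it reach an equivalent `UseNetwork` check; if they do not, the two input paths enforce different access rules. Please confirm where the `ipToNetworkList` path is checked and add a short comment on this field, e.g. `// UseNetwork: DomainChecker only evaluates network access when this type is passed`. The class body continues outside the hunk.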
@@ -118,9 +120,9 @@ public class ApiDispatcher { if(!entitiesToAccess.isEmpty()){ //check that caller can access the owner account. _accountMgr.checkAccess(caller, null, true, owner); - for(Object entity : entitiesToAccess) { + for (Object entity : entitiesToAccess.keySet()) { if (entity instanceof ControlledEntity) { - _accountMgr.checkAccess(caller, null, true, (ControlledEntity) entity); + _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), true, (ControlledEntity) entity); } else if (entity instanceof InfrastructureEntity) { //FIXME: Move this code in adapter, remove code from Account manager @@ -162,11 +164,11 @@ public class ApiDispatcher { @SuppressWarnings({ "unchecked", "rawtypes" }) public static void processParameters(BaseCmd cmd, Map params) { - List entitiesToAccess = new ArrayList(); + Map entitiesToAccess = new HashMap(); Map unpackedParams = cmd.unpackParams(params); - + cmd = ComponentContext.getTargetObject(cmd); - + if (cmd instanceof BaseListCmd) { Object pageSizeObj = unpackedParams.get(ApiConstants.PAGE_SIZE); Long pageSize = null; @@ -258,7 +260,7 @@ public class ApiDispatcher { List listParam = (List) field.get(cmd); for (Long entityId : listParam) { Object entityObj = s_instance._entityMgr.findById(entity, entityId); - entitiesToAccess.add(entityObj); + entitiesToAccess.put(entityObj, checkAccess.accessType()); } break; /* @@ -279,7 +281,7 @@ public class ApiDispatcher { case LONG: case UUID: Object entityObj = s_instance._entityMgr.findById(entity, (Long) field.get(cmd)); - entitiesToAccess.add(entityObj); + entitiesToAccess.put(entityObj, checkAccess.accessType()); break; default: break;
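Review bot: Keying `entitiesToAccess` by the entity object means one entity can carry only one access type. If two `@ACL` parameters resolve to entities that compare equal, the later `put` in `processParameters` replaces the earlier one and one of the two requested checks is dropped, possibly the stricter one. Whether that can happen depends on the entities' `equals`/`hashCode`, which is not visible here. A list of (entity, access type) pairs, or a map from entity to a set of access types, would keep every requested check; this covers the `new HashMap()` declaration hunk and both `put` hunks as well. In the loop itself, `entrySet()` would avoid the second lookup done by `keySet()` plus `entitiesToAccess.get(entity)`.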
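Review bot: In the `@@ -258,7 +260,7 @@` hunk the result of `findById` goes straight into `entitiesToAccess.put(entityObj, checkAccess.accessType())`, so if it can return `null` for an id that does not resolve, a `null` key is stored. Both `instanceof` tests in `doAccessChecks` would then skip it, with no check performed and no error raised. The old list had the same gap, so the commit does not introduce it, but the rewritten line is the place to close it with a guard such as `if (entityObj == null) { throw new InvalidParameterValueException("Unable to find entity by id"); }`, or whichever exception this class already uses for bad parameters. The same applies to the `case LONG` / `case UUID` branch in the last hunk. Validation may already happen earlier in `processParameters`, outside these hunks.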