Date: Thu, 15 Aug 2013 09:14:47 +0000 (UTC)
From: "Wido den Hollander (JIRA)"
To: cloudstack-issues@incubator.apache.org
Reply-To: dev@cloudstack.apache.org
Subject: [jira] [Closed] (CLOUDSTACK-1054) ListDomains does not list all domains when the name is specified

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-1054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wido den Hollander closed CLOUDSTACK-1054.
------------------------------------------

> ListDomains does not list all domains when the name is specified
> ----------------------------------------------------------------
>
>                 Key: CLOUDSTACK-1054
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1054
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: API
>    Affects Versions: 4.0.0, 4.0.1, 4.1.0
>            Reporter: Wido den Hollander
>            Assignee: Wido den Hollander
>            Priority: Minor
>             Fix For: Future
>
>
> The documentation for listDomains says that you can list all domains by specifying the 'name'.
>
> id: List domain by domain ID.
> name: List domain by domain name.
>
> When doing this however you don't get the expected result.
> I turned on MySQL debugging and it showed me this query:
>
> SELECT domain.id, domain.parent, domain.name, domain.owner, domain.path,
>        domain.level, domain.removed, domain.child_count, domain.next_child_seq,
>        domain.state, domain.network_domain, domain.uuid
> FROM domain
> WHERE domain.id = 1
>   AND domain.name LIKE _binary'%pcextreme%'
>   AND domain.state = 'Active'
>   AND domain.removed IS NULL
> ORDER BY domain.id ASC
> LIMIT 0, 500
>
> What I noticed is 'domain.id = 1'.
> I haven't specified an ID and still it is set?
> Going into the code (DomainManagerImpl) I found:
>
>     Long domainId = cmd.getId();
>     boolean listAll = cmd.listAll();
>     boolean isRecursive = false;
>     if (domainId != null) {
>         Domain domain = getDomain(domainId);
>         if (domain == null) {
>             throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
>         }
>         _accountMgr.checkAccess(caller, domain);
>     } else {
>         domainId = caller.getDomainId();
>         if (listAll) {
>             isRecursive = true;
>         }
>     }
>
> So if domainId is not specified it is automatically set to the ID of the domain I'm in? Since I'm admin my ID is set to 1.
> This is odd behaviour since I want the domain specified by the name, not by my ID.
> I understand that this is a security flaw if every user can query for every domain, but it is kind of weird.
> The description for the 'name' argument isn't clear either.
> The code does: name LIKE '%%' so it is actually a wildcard search which the documentation does not say.
> I'm thinking about checking if the user is an admin and if that is the case not setting the domainId to the domain where the user is in.
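
The filter described in the issue, as an added Java model that is not CloudStack code: it contrasts the reported "id = caller's domain AND name LIKE" behaviour with a search that stays scoped to the caller's subtree through a path prefix. The domain rows, the "/parent/child/" path format, and the class and method names are constructed for illustration.

```java
import java.util.List;
import java.util.stream.Collectors;

public class DomainScopeExample {
    // Constructed sample rows; the "/parent/child/" path format is an assumption.
    record Domain(long id, String name, String path) {}

    static final List<Domain> DOMAINS = List.of(
        new Domain(1, "ROOT", "/"),
        new Domain(2, "pcextreme", "/pcextreme/"),
        new Domain(3, "pcextreme-lab", "/pcextreme/pcextreme-lab/"),
        new Domain(4, "other", "/other/"));

    static Domain byId(long id) {
        return DOMAINS.stream().filter(d -> d.id() == id).findFirst().orElseThrow();
    }

    // Behaviour reported in the issue: with no id supplied, the caller's own
    // domain id becomes an exact-match filter next to the name substring match.
    static List<String> asReported(long callerDomainId, String name) {
        return DOMAINS.stream()
            .filter(d -> d.id() == callerDomainId)
            .filter(d -> d.name().contains(name)) // models LIKE _binary'%name%'
            .map(Domain::name)
            .collect(Collectors.toList());
    }

    // Alternative (hypothetical): keep the caller's domain as the scope, but
    // apply it as a path prefix, so the name search covers the caller's own
    // subtree and never returns domains outside it.
    static List<String> scopedToSubtree(long callerDomainId, String name) {
        String scope = byId(callerDomainId).path();
        return DOMAINS.stream()
            .filter(d -> d.path().startsWith(scope))
            .filter(d -> d.name().contains(name))
            .map(Domain::name)
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Caller in ROOT (id 1), exact-id filter: ROOT itself does not match the name.
        System.out.println("reported, ROOT caller:  " + asReported(1, "pcextreme"));
        // Caller in ROOT, subtree scope: both matching sub-domains are visible.
        System.out.println("subtree, ROOT caller:   " + scopedToSubtree(1, "pcextreme"));
        // Caller in /other/ (id 4): the same name search stays inside /other/.
        System.out.println("subtree, other caller:  " + scopedToSubtree(4, "pcextreme"));
    }
}
```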