From 8c1d9bfe86a44039d61cf08c43b6bcb867ee4731 Mon Sep 17 00:00:00 2001
From: Remi Bergsma
Date: Tue, 26 Jun 2018 19:44:30 +0200
Subject: [PATCH 1/2] Only allow projectId -1 to Root Admin
---
 .../api/BaseListProjectAndAccountResourcesCmd.java | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/cosmic-core/api/src/main/java/com/cloud/api/BaseListProjectAndAccountResourcesCmd.java b/cosmic-core/api/src/main/java/com/cloud/api/BaseListProjectAndAccountResourcesCmd.java
index 1ba603ef01..a93cba6134
--- a/cosmic-core/api/src/main/java/com/cloud/api/BaseListProjectAndAccountResourcesCmd.java
+++ b/cosmic-core/api/src/main/java/com/cloud/api/BaseListProjectAndAccountResourcesCmd.java
@@ -1,6 +1,9 @@
 package com.cloud.api;
 import com.cloud.api.response.ProjectResponse;
+import com.cloud.context.CallContext;
+import com.cloud.legacymodel.exceptions.PermissionDeniedException;
+import com.cloud.legacymodel.user.Account;
 public abstract class BaseListProjectAndAccountResourcesCmd extends BaseListAccountResourcesCmd implements IBaseListProjectAndAccountResourcesCmd {
@@ -9,6 +12,13 @@ public abstract class BaseListProjectAndAccountResourcesCmd extends BaseListAcco
 @Override
 public Long getProjectId() {
+ // Only allow root admin to see all project resources
+ final Account caller = CallContext.current().getCallingAccount();
+ if (projectId != null) {
+ if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN && projectId == -1L) {
+ throw new PermissionDeniedException("Not allowed to access this project");
+ }
+ }
 return projectId;
 }
 }
From bb9e6b26cfca269fadeb84172d6c571437804d2a Mon Sep 17 00:00:00 2001
From: Alexander Verhaar
Date: Thu, 28 Jun 2018 19:35:54 +0200
Subject: [PATCH 2/2] Only list project VM's if user has admin rights
---
 .../src/main/webapp/scripts/instances.js | 76 +++++++++----------
 1 file changed, 34 insertions(+), 42 deletions(-)
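Review bot: The new guard in getProjectId() is only reached through the accessor, so any consumer that reads the projectId field directly — which a subclass can do if the field is not private, something this hunk does not show — bypasses the root-admin check; enforcing it once in a validation step would be more robust than throwing from a getter that is invoked repeatedly. The nested conditions can be flattened to `if (projectId != null && projectId == -1L && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {`, which reads as the single rule it is. The new failure mode should be documented on the method with a Javadoc `@throws PermissionDeniedException if a caller that is not a root admin requests projectId -1 (all projects)`. The rest of the class body lies outside the hunk.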
diff --git a/cosmic-client/src/main/webapp/scripts/instances.js b/cosmic-client/src/main/webapp/scripts/instances.js
index ebe757e1ac..14f6b89ac4
--- a/cosmic-client/src/main/webapp/scripts/instances.js
+++ b/cosmic-client/src/main/webapp/scripts/instances.js
@@ -355,51 +355,43 @@
 });
 }
- $.when(
- $.ajax({
- url: createURL('listVirtualMachines'),
- async: true,
- data: data,
- error: function (XMLHttpResponse) {
- cloudStack.dialog.notice({
- message: parseXMLHttpResponse(XMLHttpResponse)
- });
- args.response.error();
- }
- }),
- $.ajax({
- url: createURL('listVirtualMachines&projectid=-1'),
- async: true,
- data: data,
- error: function (XMLHttpResponse) {
- cloudStack.dialog.notice({
- message: parseXMLHttpResponse(XMLHttpResponse)
+ $.ajax({
+ url: createURL('listVirtualMachines'),
+ async: true,
+ data: data,
+ error: function (XMLHttpResponse) {
+ cloudStack.dialog.notice({
+ message: parseXMLHttpResponse(XMLHttpResponse)
+ });
+ args.response.error();
+ },
+ success: function (json) {
+ var items = json.listvirtualmachinesresponse.virtualmachine;
+ if (args.context.projects == null && isAdmin()) {
+ $.ajax({
+ url: createURL('listVirtualMachines&projectid=-1'),
+ async: true,
+ data: data,
+ error: function (XMLHttpResponse) {
+ cloudStack.dialog.notice({
+ message: parseXMLHttpResponse(XMLHttpResponse)
+ });
+ args.response.error();
+ },
+ success: function (json) {
+ var pitems = json.listvirtualmachinesresponse.virtualmachine;
+ if (pitems) {
+ args.response.success({
+ data: pitems
+ });
+ }
+ }
 });
- args.response.error();
 }
- })).done(function (jsonvm, jsonvmp) {
- var items = jsonvm[0].listvirtualmachinesresponse.virtualmachine;
- if (args.context.projects == null && isAdmin()) {
- var pitems = jsonvmp[0].listvirtualmachinesresponse.virtualmachine;
- if (pitems) {
- if (items) {
- items.push(pitems[0]);
- } else {
- items = pitems;
- }
- }
- }
- if (items) {
- $.each(items, function (idx, vm) {
- if (vm.nic && vm.nic.length > 0 && vm.nic[0].ipaddress) {
- items[idx].ipaddress = vm.nic[0].ipaddress;
- }
+ args.response.success({
+ data: items
 });
- }
- args.response.success({
- data: items
- });
- });
+ }});
 },
 detailView: {
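Review bot: In the new success handler `args.response.success` is invoked twice for an admin outside a project context — once synchronously with `items` at the end of the handler, and again later from the inner `listVirtualMachines&projectid=-1` callback with `pitems` — so the later call replaces the account's own VMs instead of adding the project VMs to them, and the inner `error` handler can still fire `args.response.error()` after a success has already been reported. The `$.each` pass that copied `vm.nic[0].ipaddress` onto each item in the removed `.done` handler has no counterpart on the new side, so the list view silently loses that field. Keeping the `isAdmin()` gate is fine as a UI filter, but it only decides whether the request is sent; the server-side check added in the first patch is what actually enforces it. I would report the result exactly once through a small completion helper that restores the ipaddress pass and concatenates the project VMs onto the account list. The enclosing dataProvider function starts before the hunk.
```javascript
success: function (json) {
    var items = json.listvirtualmachinesresponse.virtualmachine;
    // Report the list exactly once, after the nic-derived ipaddress pass.
    var finish = function (list) {
        if (list) {
            $.each(list, function (idx, vm) {
                if (vm.nic && vm.nic.length > 0 && vm.nic[0].ipaddress) {
                    list[idx].ipaddress = vm.nic[0].ipaddress;
                }
            });
        }
        args.response.success({
            data: list
        });
    };
    if (args.context.projects == null && isAdmin()) {
        $.ajax({
            url: createURL('listVirtualMachines&projectid=-1'),
            // … unchanged: async, data, error handler …
            success: function (pjson) {
                var pitems = pjson.listvirtualmachinesresponse.virtualmachine;
                finish(pitems ? (items || []).concat(pitems) : items);
            }
        });
    } else {
        finish(items);
    }
}
```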