Ravi Nori has uploaded a new change for review. Change subject: restapi : Non admin user have access to /hosts url (#909692) ......................................................................
restapi : Non admin user have access to /hosts url (#909692) Non admin users should not be able to see hosts using /api/hosts Change-Id: I496a9560d462156944c3aa23b61d2b6d587d1700 Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=909692 Signed-off-by: Ravi Nori <[email protected]> --- M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java M backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendHostsResource.java 2 files changed, 6 insertions(+), 1 deletion(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/33/11933/1
diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java
index 261dea5..2b9c16f 100644
--- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java
+++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java
@@ -34,7 +34,7 @@
 GetVlanParent,
 GetVdsHooksById,
 GetVdsHooksById2,
- GetAllHosts(VdcQueryAuthType.User),
+ GetAllHosts,
 GetHostsByClusterId(VdcQueryAuthType.User),
 IsDisplayAddressConsistentInCluster,
 GetAllVdsByStoragePool(VdcQueryAuthType.User),
diff --git a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendHostsResource.java b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendHostsResource.java
index a0ae993..4c38a05 100644
--- a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendHostsResource.java
+++ b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendHostsResource.java
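Review bot: Dropping `VdcQueryAuthType.User` from `GetAllHosts` closes only this one query; the context lines directly below it still declare `GetHostsByClusterId(VdcQueryAuthType.User)` and `GetAllVdsByStoragePool(VdcQueryAuthType.User)`, which by their names also appear to return host records to user-level callers. If the intent of the bug is that non-admin users cannot enumerate hosts, those two need the same review, or a comment stating why they stay user-accessible. The bare constant presumably falls back to the enum's default (admin) auth type, but nothing on the line says so, so I would add `// admin-only: host listing must not be exposed to filtered users (bz#909692)` above `GetAllHosts,`. The enum continues outside the hunk, so other host-returning entries may exist that are not visible here.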
@@ -2,6 +2,7 @@
 import java.util.List;
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
@@ -42,6 +43,10 @@
 @Override
 public Hosts list() {
+ // Filtered users are not allowed to view hosts
+ if (isFiltered()) {
+ throw new WebApplicationException(Response.Status.FORBIDDEN);
+ }
 ApplicationMode appMode = getCurrent().get(ApplicationMode.class);
 if (appMode == ApplicationMode.GlusterOnly) {
--
To view, visit http://gerrit.ovirt.org/11933 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I496a9560d462156944c3aa23b61d2b6d587d1700 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Ravi Nori <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
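Review bot: The new guard in `list()` covers only the collection listing, and it depends on `isFiltered()`, whose definition is outside this hunk. If that flag is derived from request input rather than from the authenticated user's role, this 403 is only a convenience check and the `GetAllHosts` change in VdcQueryType.java is the real enforcement; the comment should say so, e.g. `// Early 403 for filtered sessions; authorization itself is enforced by the admin-only GetAllHosts query`. Other entry points of this resource (single-host lookup, sub-resources) are not visible here and should be checked for the same exposure. No test accompanies the change; a case asserting that a filtered `list()` call yields FORBIDDEN would pin the behaviour. `list()` continues past the end of the hunk.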
