Ravi Nori has uploaded a new change for review.

Change subject: engine :  User who can't manipulate users, can add user if he 
has manipulate_permission action group.
......................................................................

engine :  User who can't manipulate users, can add user if he has 
manipulate_permission action group.

When a user has the manipulate_permission action group
but does not have the manipulate_users action group, that user
should not be able to add new users to the system.

Change-Id: Ib62e1c051bc78b8a9ec0f32e6ba4eb9484242591
Bug-Url: https://bugzilla.redhat.com/923100
Signed-off-by: Ravi Nori <rn...@redhat.com>
---
M 
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddPermissionCommand.java
1 file changed, 13 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/93/17593/1

diff --git 
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddPermissionCommand.java
 
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddPermissionCommand.java
index 6dce992..e89ec8e 100644
--- 
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddPermissionCommand.java
+++ 
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddPermissionCommand.java
@@ -1,12 +1,13 @@
 package org.ovirt.engine.core.bll;
 
-import java.util.Collections;
+import java.util.ArrayList;
 import java.util.List;
 
 import org.ovirt.engine.core.common.AuditLogType;
 import org.ovirt.engine.core.bll.utils.PermissionSubject;
 import org.ovirt.engine.core.common.VdcObjectType;
 import org.ovirt.engine.core.common.action.PermissionsOperationsParametes;
+import org.ovirt.engine.core.common.action.VdcActionType;
 import org.ovirt.engine.core.common.businessentities.RoleType;
 import org.ovirt.engine.core.common.businessentities.VM;
 import org.ovirt.engine.core.common.businessentities.permissions;
@@ -142,8 +143,18 @@
     @Override
     public List<PermissionSubject> getPermissionCheckSubjects() {
         permissions permission = getParameters().getPermission();
-        return Collections.singletonList(new 
PermissionSubject(permission.getObjectId(),
+        List<PermissionSubject> permissionsSubject = new ArrayList<>();
+        permissionsSubject.add(new PermissionSubject(permission.getObjectId(),
                 permission.getObjectType(),
                 getActionType().getActionGroup()));
+        initUserAndGroupData();
+        // if the user does not exist in the database we need to
+        // check if the user has permissions to add a user
+        if (getParameters().getVdcUser() != null && _dbUser == null) {
+            permissionsSubject.add(new 
PermissionSubject(MultiLevelAdministrationHandler.SYSTEM_OBJECT_ID,
+                VdcObjectType.System,
+                VdcActionType.AddUser.getActionGroup()));
+        }
+        return permissionsSubject;
     }
 }
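Review bot: The extra AddUser subject appended at the end of getPermissionCheckSubjects() depends on `_dbUser` being populated by the `initUserAndGroupData()` call just above it, but nothing in the hunk shows that relationship, and a "get" hook that now performs a lookup with side effects is easy to misread or to call twice with different results. If `_dbUser` is set elsewhere (or not at all on some path), the `getVdcUser() != null && _dbUser == null` guard is either always or never true, which silently turns the new check into a no-op or a blanket requirement. State the contract in the existing comment, e.g. `// initUserAndGroupData() loads _dbUser from the id carried in the parameters; a null _dbUser means the user is not yet in the database, so the caller must also hold the AddUser action group on the System object`. A unit test covering both branches (user already present, user absent) would pin the behaviour the commit description promises; the import-only hunk above needs no change.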


-- 
To view, visit http://gerrit.ovirt.org/17593

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib62e1c051bc78b8a9ec0f32e6ba4eb9484242591
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <rn...@redhat.com>