From a18740360c50d169807464581156241ec235a156 Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Mon, 10 Jun 2024 11:25:10 +0200
Subject: [PATCH 1/5] remove Project Template Permissions inhibition
From 72e31c107f5844c98df7c893d466021fcc237d21 Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Tue, 11 Jun 2024 15:46:22 +0200
Subject: [PATCH 2/5] exception-message
---
 .../com/cloud/template/TemplateManagerImpl.java | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
index 2ed420870208..66176295db8e 100755
--- a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
@@ -34,6 +34,7 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
+import com.cloud.user.*;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseCmd;
@@ -184,12 +185,6 @@
 import com.cloud.storage.dao.VolumeDao;
 import com.cloud.template.TemplateAdapter.TemplateAdapterType;
 import com.cloud.template.VirtualMachineTemplate.BootloaderType;
-import com.cloud.user.Account;
-import com.cloud.user.AccountManager;
-import com.cloud.user.AccountService;
-import com.cloud.user.AccountVO;
-import com.cloud.user.ResourceLimitService;
-import com.cloud.user.UserData;
 import com.cloud.user.dao.AccountDao;
 import com.cloud.uservm.UserVm;
 import com.cloud.utils.DateUtil;
@@ -1448,6 +1443,7 @@ public boolean updateTemplateOrIsoPermissions(BaseUpdateTemplateOrIsoPermissions
 // Input validation
 final Long id = cmd.getId();
 final Account caller = CallContext.current().getCallingAccount();
+final User user = CallContext.current().getCallingUser();
 List accountNames = cmd.getAccountNames();
 List projectIds = cmd.getProjectIds();
 Boolean isFeatured = cmd.isFeatured();
@@ -1517,9 +1513,9 @@ public boolean updateTemplateOrIsoPermissions(BaseUpdateTemplateOrIsoPermissions
 }
 if (owner.getType() == Account.Type.PROJECT) {
- // Currently project owned templates cannot be shared outside project but is available to all users within project by default.
- throw new InvalidParameterValueException("Update template permissions is an invalid operation on template " + template.getName() +
- ". Project owned templates cannot be shared outside template.");
+ _accountMgr.checkAccess(user, template);
+// throw new InvalidParameterValueException("Update template permissions is an invalid operation on template " + template.getName() +
+// ". Project owned templates cannot be shared outside the project.");
 }
 // check configuration parameter(allow.public.user.templates) value for
From f202a9bfb3bfa71c4dd136714b705035e9b4aaad Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Fri, 14 Jun 2024 08:08:55 +0200
Subject: [PATCH 3/5] imports
---
 .../main/java/com/cloud/template/TemplateManagerImpl.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
index 66176295db8e..db2bb04793c9 100755
--- a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
@@ -34,7 +34,6 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
-import com.cloud.user.*;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseCmd;
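Review bot: In the `owner.getType() == Account.Type.PROJECT` branch of hunk `@@ -1517,9 +1513,9 @@` (PATCH 2/5), the former unconditional reject is replaced by `_accountMgr.checkAccess(user, template);`, which names no access level, so nothing visible here shows that a project member who may only use the template is kept from changing who it is shared with or making it public. Changing permissions is a modify operation on the template, and the comment PATCH 4/5 later adds on this line (hunk `@@ -1519,9 +1519,8 @@`) says the user must "at least have access", which reads like the weaker, use-level check. If this overload does not already enforce it, consider stating the required level explicitly, for example `_accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);` (`AccessType` is already imported in this file), and add a test in which a project member without operate rights is denied. The rest of `updateTemplateOrIsoPermissions` lies outside the hunk, so an earlier owner or admin check may already cover this and should be confirmed.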
@@ -185,6 +184,13 @@
 import com.cloud.storage.dao.VolumeDao;
 import com.cloud.template.TemplateAdapter.TemplateAdapterType;
 import com.cloud.template.VirtualMachineTemplate.BootloaderType;
+import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
+import com.cloud.user.AccountService;
+import com.cloud.user.AccountVO;
+import com.cloud.user.ResourceLimitService;
+import com.cloud.user.User;
+import com.cloud.user.UserData;
 import com.cloud.user.dao.AccountDao;
 import com.cloud.uservm.UserVm;
 import com.cloud.utils.DateUtil;
From 51468146056249aa0e81504fb1c439488171829f Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Fri, 14 Jun 2024 08:17:38 +0200
Subject: [PATCH 4/5] comment
---
 .../src/main/java/com/cloud/template/TemplateManagerImpl.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
index db2bb04793c9..14f54e22f561 100755
--- a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
@@ -1519,9 +1519,8 @@ public boolean updateTemplateOrIsoPermissions(BaseUpdateTemplateOrIsoPermissions
 }
 if (owner.getType() == Account.Type.PROJECT) {
+ // if it is a project owned template/iso, the user must at least have access to be allowed to share it.
 _accountMgr.checkAccess(user, template);
-// throw new InvalidParameterValueException("Update template permissions is an invalid operation on template " + template.getName() +
-// ". Project owned templates cannot be shared outside the project.");
 }
 // check configuration parameter(allow.public.user.templates) value for
From aa4b0fdd8b0a813cf13ee336132eaacbf948c529 Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Thu, 20 Jun 2024 14:22:54 +0200
Subject: [PATCH 5/5] allow deploy from shared project templates
---
 ui/src/views/compute/DeployVM.vue | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ui/src/views/compute/DeployVM.vue b/ui/src/views/compute/DeployVM.vue
index 959194616447..0bd68e5e2044 100644
--- a/ui/src/views/compute/DeployVM.vue
+++ b/ui/src/views/compute/DeployVM.vue
@@ -2276,6 +2276,7 @@ export default {
 }
 args.zoneid = _.get(this.zone, 'id')
 args.templatefilter = templateFilter
+ args.projectid = -1
 args.details = 'all'
 args.showicon = 'true'
 args.id = this.templateId
@@ -2298,6 +2299,7 @@ export default {
 }
 args.zoneid = _.get(this.zone, 'id')
 args.isoFilter = isoFilter
+ args.projectid = -1
 args.bootable = true
 args.showicon = 'true'
 args.id = this.isoId
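Review bot: Both added `args.projectid = -1` lines (the template request in `@@ -2276,6 +2276,7 @@` and the ISO request in `@@ -2298,6 +2299,7 @@`) set a bare magic value unconditionally, so the deploy form now requests templates and ISOs across projects whatever context the user is in, and the code does not record why. A one-line comment such as `// -1: list across all projects the caller can access, so templates shared from a project are offered` would document the intent, assuming that is what the value means to the list API. Because this widens what the list call may return, access has to stay enforced server-side; a test that a template owned by a project the user is not a member of, and not shared with them, stays out of this list would pin that down. The enclosing method starts and ends outside both hunks.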