Wido den Hollander created CLOUDSTACK-1054:
----------------------------------------------
Summary: ListDomains does not list all domains when the name is
specified
Key: CLOUDSTACK-1054
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1054
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: API
Affects Versions: 4.0.0, 4.0.1, 4.1.0
Reporter: Wido den Hollander
Priority: Minor
Fix For: Future
The documentation for listDomains says that you can list all domains by
specifying the 'name'.
    id: List domain by domain ID.
    name: List domain by domain name.
When doing this however you don't get the expected result.
I turned on MySQL debugging and it showed me this query:
SELECT domain.id, domain.parent, domain.name, domain.owner, domain.path,
domain.level, domain.removed, domain.child_count, domain.next_child_seq,
domain.state, domain.network_domain, domain.uuid FROM domain WHERE domain.id =
1 AND domain.name LIKE _binary'%pcextreme%' AND domain.state = 'Active' AND
domain.removed IS NULL ORDER BY domain.id ASC LIMIT 0, 500
What I noticed is 'domain.id = 1'.
I haven't specified an ID and still it is set?
Going into the code (DomainManagerImpl) I found:
    Long domainId = cmd.getId();
    boolean listAll = cmd.listAll();
    boolean isRecursive = false;
    if (domainId != null) {
        Domain domain = getDomain(domainId);
        if (domain == null) {
            throw new InvalidParameterValueException("Domain id=" +
                    domainId + " doesn't exist");
        }
        _accountMgr.checkAccess(caller, domain);
    } else {
        domainId = caller.getDomainId();
        if (listAll) {
            isRecursive = true;
        }
    }
So if domainId is not specified it is automatically set to the ID of the domain
I'm in? Since I'm admin my ID is set to 1.
This is odd behaviour since I want the domain specified by the name, not by my
ID.
I understand that this is a security flaw if every user can query for every
domain, but it is kind of weird.
The description for the 'name' argument isn't clear either.
The code does: name LIKE '%<name>%' so it is actually a wildcard search which
the documentation does not say.
I'm thinking about checking if the user is an admin and if that is the case not
setting the domainId to the domain where the user is in.
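The scoping decision discussed in the report, as an added Java example that is not CloudStack code and not part of the original message: it applies the idea of not pinning an admin's name search to the admin's own domain id, while non-admin callers stay confined to their own domain. The class, record and method names, the sample domains and the path-prefix confinement are assumptions made for illustration.

```java
import java.util.List;

// Added illustration (Java 16+). All names are hypothetical, not CloudStack's.
public class ListDomainsScope {
    record Domain(long id, String name, String path) {}
    record Caller(long domainId, boolean admin) {}

    // Constructed sample data; paths mimic the domain.path column (assumed layout).
    static final List<Domain> DOMAINS = List.of(
        new Domain(1, "ROOT", "/"),
        new Domain(2, "pcextreme", "/pcextreme/"),
        new Domain(3, "pcextreme-lab", "/pcextreme/pcextreme-lab/"),
        new Domain(4, "other", "/other/"));

    static Domain byId(long id) {
        return DOMAINS.stream().filter(d -> d.id() == id).findFirst()
            .orElseThrow(() -> new IllegalArgumentException("Domain id=" + id + " doesn't exist"));
    }

    static List<Domain> listDomains(Caller caller, Long domainId, String name, boolean listAll) {
        Domain own = byId(caller.domainId());
        Long pinnedId = null;   // exact filter, like "domain.id = ?"
        String subtree = null;  // path-prefix filter for a recursive listing
        if (domainId != null) {
            Domain requested = byId(domainId);
            // Stand-in for _accountMgr.checkAccess(caller, domain).
            if (!caller.admin() && !requested.path().startsWith(own.path())) {
                throw new SecurityException("no access to domain id=" + domainId);
            }
            pinnedId = domainId;
        } else if (listAll) {
            subtree = own.path();  // confined to the caller's own subtree
        } else if (!(caller.admin() && name != null)) {
            // Only an admin searching by name escapes the default pin to its own domain.
            pinnedId = own.id();
        }
        final Long id = pinnedId;
        final String prefix = subtree;
        return DOMAINS.stream()
            .filter(d -> id == null || d.id() == id)
            .filter(d -> prefix == null || d.path().startsWith(prefix))
            // Substring match, mirroring name LIKE '%<name>%'.
            .filter(d -> name == null || d.name().contains(name))
            .toList();
    }

    public static void main(String[] args) {
        Caller admin = new Caller(1, true), user = new Caller(4, false);
        System.out.println(listDomains(admin, null, "pcextreme", false));
        System.out.println(listDomains(user, null, "pcextreme", false));
    }
}
```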