changes

Signed-off-by: Abhishek Kumar <[email protected]>

Author: shwstppr

server/src/main/java/com/cloud/user/AccountManagerImpl.java

@@ -1291,7 +1291,7 @@ public Pair<Long, Account> doInTransaction(TransactionStatus status) {
      Role change should follow the below conditions:
      - Caller should not be of Unknown role type
      - New role's type should not be Unknown
-     - Caller should not be able to escalate or de-escalate an account's role which is of same or higher role type
+     - Caller should not be able to escalate or de-escalate an account's role which is of higher role type
      - New role should not be of type Admin with domain other than ROOT domain
      */
     protected void validateRoleChange(Account account, Role role, Account caller) {
@@ -1305,10 +1305,10 @@ protected void validateRoleChange(Account account, Role role, Account caller) {
             throw new PermissionDeniedException(String.format("%s as the new role privileges are unknown", errorMsg));
         }
         if (!callerRole.getRoleType().equals(RoleType.Admin) &&
-                (role.getRoleType().ordinal() <= callerRole.getRoleType().ordinal() ||
-                        currentRole.getRoleType().ordinal() <= callerRole.getRoleType().ordinal())) { // Same type caller
+                (role.getRoleType().ordinal() < callerRole.getRoleType().ordinal() ||
+                        currentRole.getRoleType().ordinal() < callerRole.getRoleType().ordinal())) {
             throw new PermissionDeniedException(String.format("%s as either current or new role has higher " +
-                    "or same privileges than the caller", errorMsg));
+                    "privileges than the caller", errorMsg));
         }
         if (role.getRoleType().equals(RoleType.Admin) && account.getDomainId() != Domain.ROOT_DOMAIN) {
             throw new PermissionDeniedException(String.format("%s as the user does not belong to the ROOT domain",

server/src/test/java/com/cloud/user/AccountManagerImplTest.java

@@ -1021,10 +1021,13 @@ public void testValidateRoleChangeUnknownNewRole() {
         accountManagerImpl.validateRoleChange(account, newRole, caller);
     }
 
-    @Test(expected = PermissionDeniedException.class)
-    public void testValidateRoleNewRoleSame() {
+    @Test
+    public void testValidateRoleNewRoleSameCaller() {
         Account account = Mockito.mock(Account.class);
         Mockito.when(account.getRoleId()).thenReturn(1L);
+        Role currentRole = Mockito.mock(Role.class);
+        Mockito.when(currentRole.getRoleType()).thenReturn(RoleType.User);
+        Mockito.when(roleService.findRole(1L)).thenReturn(currentRole);
         Role newRole = Mockito.mock(Role.class);
         Mockito.when(newRole.getRoleType()).thenReturn(RoleType.DomainAdmin);
         Role callerRole = Mockito.mock(Role.class);
@@ -1035,8 +1038,8 @@ public void testValidateRoleNewRoleSame() {
         accountManagerImpl.validateRoleChange(account, newRole, caller);
     }
 
-    @Test(expected = PermissionDeniedException.class)
-    public void testValidateRoleCurrentRoleSame() {
+    @Test
+    public void testValidateRoleCurrentRoleSameCaller() {
         Account account = Mockito.mock(Account.class);
         Mockito.when(account.getRoleId()).thenReturn(1L);
         Role accountRole = Mockito.mock(Role.class);
@@ -1053,7 +1056,7 @@ public void testValidateRoleCurrentRoleSame() {
     }
 
     @Test(expected = PermissionDeniedException.class)
-    public void testValidateRoleNewRoleHigher() {
+    public void testValidateRoleNewRoleHigherCaller() {
         Account account = Mockito.mock(Account.class);
         Mockito.when(account.getRoleId()).thenReturn(1L);
         Role newRole = Mockito.mock(Role.class);
@@ -1067,7 +1070,7 @@ public void testValidateRoleNewRoleHigher() {
     }
 
     @Test
-    public void testValidateRoleNewRoleLower() {
+    public void testValidateRoleNewRoleLowerCaller() {
         Account account = Mockito.mock(Account.class);
         Mockito.when(account.getRoleId()).thenReturn(1L);
         Role newRole = Mockito.mock(Role.class);