Fix access to template/ISO list for domain/resource admins

nvazquez · bernardodemarco · Pearl1594 · commit 64d83ce9d127 · 2025-05-27T20:03:13.000+05:30
In Apache CloudStack, while using the listTemplates and listIsos APIs, Domain Admins and Resource Admins can retrieve templates and ISOs outside their intended scope.

Co-authored-by: bernardodemarco &lt;bernardomg2004@gmail.com&gt;
Co-authored-by: nvazquez &lt;nicovazquez90@gmail.com&gt;
diff --git a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
@@ -4660,7 +4660,7 @@ else if (!template.isPublicTemplate() && caller.getType() != Account.Type.ADMIN)
             if (!permittedAccounts.isEmpty()) {
                 domain = _domainDao.findById(permittedAccounts.get(0).getDomainId());
             } else {
-                domain = _domainDao.findById(Domain.ROOT_DOMAIN);
+                domain = _domainDao.findById(caller.getDomainId());
             }
 
             setIdsListToSearchCriteria(sc, ids);

Original file line number	Diff line number	Diff line change
`@@ -4660,7 +4660,7 @@ else if (!template.isPublicTemplate() && caller.getType() != Account.Type.ADMIN)`
`4660`	`4660`	`if (!permittedAccounts.isEmpty()) {`
`4661`	`4661`	`domain = _domainDao.findById(permittedAccounts.get(0).getDomainId());`
`4662`	`4662`	`} else {`
`4663`		`- domain = _domainDao.findById(Domain.ROOT_DOMAIN);`
	`4663`	`+ domain = _domainDao.findById(caller.getDomainId());`
`4664`	`4664`	`}`
`4665`	`4665`
`4666`	`4666`	`setIdsListToSearchCriteria(sc, ids);`