Pulling in the relevant parts of the global settings version of this PR: apache#4774 in commit e94c1e2. Had to make a few changes to support 4.11 and cleanup some of the quirks.

Author: nlgordon

api/src/org/apache/cloudstack/query/QueryService.java

@@ -86,6 +86,9 @@ public interface QueryService {
     static final ConfigKey<Boolean> AllowUserViewDestroyedVM = new ConfigKey<Boolean>("Advanced", Boolean.class, "allow.user.view.destroyed.vm", "false",
             "Determines whether users can view their destroyed or expunging vm ", true, ConfigKey.Scope.Account);
 
+    ConfigKey<Boolean> RestrictPublicTemplateAccessToDomain = new ConfigKey<>("Advanced", Boolean.class, "restrict.public.template.access.to.domain", "false",
+            "Prevents a domain from seeing the public templates of another sibling domain. Does not prevent seeing parent or child templates", true, ConfigKey.Scope.Global);
+
     ListResponse<UserResponse> searchForUsers(ListUsersCmd cmd) throws PermissionDeniedException;
 
     ListResponse<EventResponse> searchForEvents(ListEventsCmd cmd);

server/src/com/cloud/acl/DomainChecker.java

@@ -18,6 +18,7 @@
 
 import javax.inject.Inject;
 
+import org.apache.cloudstack.query.QueryService;
 import org.springframework.stereotype.Component;
 
 import org.apache.cloudstack.acl.ControlledEntity;
@@ -128,6 +129,10 @@ public boolean checkAccess(Account caller, ControlledEntity entity, AccessType a
                             throw new PermissionDeniedException("Domain Admin and regular users can modify only their own Public templates");
                         }
                     }
+                } else if (QueryService.RestrictPublicTemplateAccessToDomain.value()) {
+                    if (!_domainDao.isChildDomain(owner.getDomainId(), caller.getDomainId())) {
+                        throw new PermissionDeniedException(caller + " is not allowed to access template " + template);
+                    }
                 }
             }
 

server/src/com/cloud/api/query/QueryManagerImpl.java

@@ -3063,7 +3063,7 @@ private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternal(ListTempl
             accountId = userAccount != null ? userAccount.getAccountId() : null;
         }
 
-        boolean showDomr = ((templateFilter != TemplateFilter.selfexecutable) && (templateFilter != TemplateFilter.featured));
+        boolean showDomr = ((templateFilter != TemplateFilter.selfexecutable) && (templateFilter != TemplateFilter.featured) && _accountMgr.isRootAdmin(caller.getId()));
         HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor());
 
         return searchForTemplatesInternal(id, cmd.getTemplateName(), cmd.getKeyword(), templateFilter, false, null, cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(), hypervisorType,
@@ -3130,6 +3130,8 @@ private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternal(Long temp
             // if template is not public, perform permission check here
             else if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
                 _accountMgr.checkAccess(caller, null, false, template);
+            } else if (template.isPublicTemplate() && RestrictPublicTemplateAccessToDomain.value()) {
+                _accountMgr.checkAccess(caller, null, false, template);
             }
 
             // if templateId is specified, then we will just use the id to
@@ -3164,36 +3166,58 @@ else if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYP
                 sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%");
             }
 
+            boolean publicTemplates = (templateFilter == TemplateFilter.featured || templateFilter == TemplateFilter.community || templateFilter == TemplateFilter.all);
             List<Long> relatedDomainIds = new ArrayList<Long>();
             List<Long> permittedAccountIds = new ArrayList<Long>();
             if (!permittedAccounts.isEmpty()) {
                 for (Account account : permittedAccounts) {
                     permittedAccountIds.add(account.getId());
-                    boolean publicTemplates = (templateFilter == TemplateFilter.featured || templateFilter == TemplateFilter.community);
 
                     // get all parent domain ID's all the way till root domain
                     DomainVO domainTreeNode = null;
                     //if template filter is featured, or community, all child domains should be included in search
-                    if (publicTemplates) {
+                    if (publicTemplates && !RestrictPublicTemplateAccessToDomain.value()) {
                         domainTreeNode = _domainDao.findById(Domain.ROOT_DOMAIN);
 
                     } else {
                         domainTreeNode = _domainDao.findById(account.getDomainId());
                     }
                     relatedDomainIds.add(domainTreeNode.getId());
+
+                    // Only get children of the account domain if we are restricting
+                    if (RestrictPublicTemplateAccessToDomain.value()) {
+                        if (_accountMgr.isAdmin(account.getId()) || publicTemplates) {
+                            List<DomainVO> allChildDomains = _domainDao.findAllChildren(domainTreeNode.getPath(), domainTreeNode.getId());
+                            for (DomainVO childDomain : allChildDomains) {
+                                relatedDomainIds.add(childDomain.getId());
+                            }
+                        }
+                    }
                     while (domainTreeNode.getParent() != null) {
                         domainTreeNode = _domainDao.findById(domainTreeNode.getParent());
                         relatedDomainIds.add(domainTreeNode.getId());
                     }
-
-                    // get all child domain ID's
-                    if (_accountMgr.isAdmin(account.getId()) || publicTemplates) {
-                        List<DomainVO> allChildDomains = _domainDao.findAllChildren(domainTreeNode.getPath(), domainTreeNode.getId());
-                        for (DomainVO childDomain : allChildDomains) {
-                            relatedDomainIds.add(childDomain.getId());
+                    if (!RestrictPublicTemplateAccessToDomain.value()) {
+                        // This more or less gets all domains in the system since it walks up the tree first
+                        if (_accountMgr.isAdmin(account.getId()) || publicTemplates) {
+                            List<DomainVO> allChildDomains = _domainDao.findAllChildren(domainTreeNode.getPath(), domainTreeNode.getId());
+                            for (DomainVO childDomain : allChildDomains) {
+                                relatedDomainIds.add(childDomain.getId());
+                            }
                         }
                     }
                 }
+            } else if (RestrictPublicTemplateAccessToDomain.value() && publicTemplates && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+                DomainVO domainTreeNode = _domainDao.findById(caller.getDomainId());
+                relatedDomainIds.add(domainTreeNode.getId());
+                List<DomainVO> allChildDomains = _domainDao.findAllChildren(domainTreeNode.getPath(), domainTreeNode.getId());
+                for (DomainVO childDomain : allChildDomains) {
+                    relatedDomainIds.add(childDomain.getId());
+                }
+                while (domainTreeNode.getParent() != null) {
+                    domainTreeNode = _domainDao.findById(domainTreeNode.getParent());
+                    relatedDomainIds.add(domainTreeNode.getId());
+                }
             }
 
             if (!isIso) {
@@ -3207,15 +3231,28 @@ else if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYP
                 }
             }
 
+            SearchCriteria<TemplateJoinVO> sc_public = _templateJoinDao.createSearchCriteria();
+            if (templateFilter == TemplateFilter.featured || templateFilter == TemplateFilter.community || templateFilter == TemplateFilter.all || templateFilter == TemplateFilter.executable) {
+                sc_public.addAnd("publicTemplate", SearchCriteria.Op.EQ, true);
+
+                if (RestrictPublicTemplateAccessToDomain.value() && !relatedDomainIds.isEmpty()) {
+                    SearchCriteria<TemplateJoinVO> sc_domains = _templateJoinDao.createSearchCriteria();
+                    sc_domains.addOr("domainId", SearchCriteria.Op.IN, relatedDomainIds.toArray());
+                    sc_domains.addOr("domainId", SearchCriteria.Op.NULL);
+
+                    sc_public.addAnd("domainId", SearchCriteria.Op.SC, sc_domains);
+                }
+            }
+
             // control different template filters
             if (templateFilter == TemplateFilter.featured || templateFilter == TemplateFilter.community) {
-                sc.addAnd("publicTemplate", SearchCriteria.Op.EQ, true);
+                sc.addAnd("publicTemplate", SearchCriteria.Op.SC, sc_public);
                 if (templateFilter == TemplateFilter.featured) {
                     sc.addAnd("featured", SearchCriteria.Op.EQ, true);
                 } else {
                     sc.addAnd("featured", SearchCriteria.Op.EQ, false);
                 }
-                if (!permittedAccounts.isEmpty()) {
+                if (!permittedAccounts.isEmpty() && !RestrictPublicTemplateAccessToDomain.value()) {
                     SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
                     scc.addOr("domainId", SearchCriteria.Op.IN, relatedDomainIds.toArray());
                     scc.addOr("domainId", SearchCriteria.Op.NULL);
@@ -3230,14 +3267,14 @@ else if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYP
                 sc.addAnd("sharedAccountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
             } else if (templateFilter == TemplateFilter.executable) {
                 SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
-                scc.addOr("publicTemplate", SearchCriteria.Op.EQ, true);
+                scc.addAnd("publicTemplate", SearchCriteria.Op.SC, sc_public);
                 if (!permittedAccounts.isEmpty()) {
                     scc.addOr("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
                 }
                 sc.addAnd("publicTemplate", SearchCriteria.Op.SC, scc);
             } else if (templateFilter == TemplateFilter.all && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
                 SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
-                scc.addOr("publicTemplate", SearchCriteria.Op.EQ, true);
+                scc.addOr("publicTemplate", SearchCriteria.Op.SC, sc_public);
 
                 if (listProjectResourcesCriteria == ListProjectResourcesCriteria.SkipProjectResources) {
                     scc.addOr("domainPath", SearchCriteria.Op.LIKE, _domainDao.findById(caller.getDomainId()).getPath() + "%");
@@ -3708,6 +3745,6 @@ public String getConfigComponentName() {
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[] {AllowUserViewDestroyedVM};
+        return new ConfigKey<?>[] {AllowUserViewDestroyedVM, RestrictPublicTemplateAccessToDomain};
     }
 }