Fix aaccess to template/ISO list for domain/resource admins

nvazquez · bernardodemarco · Daan Hoogland · commit 38f3107211bc · 2025-05-27T16:24:29.000+02:00
In Apache CloudStack, while using the listTemplates and listIsos APIs, Domain Admins and Resource Admins can retrieve templates and ISOs outside their intended scope.

Co-authored-by: bernardodemarco &lt;bernardomg2004@gmail.com&gt;
Co-authored-by: nvazquez &lt;nicovazquez90@gmail.com&gt;
diff --git a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
@@ -4572,7 +4572,7 @@ else if (!template.isPublicTemplate() && caller.getType() != Account.Type.ADMIN)
             if (!permittedAccounts.isEmpty()) {
                 domain = _domainDao.findById(permittedAccounts.get(0).getDomainId());
             } else {
-                domain = _domainDao.findById(Domain.ROOT_DOMAIN);
+                domain = _domainDao.findById(caller.getDomainId());
             }
 
             setIdsListToSearchCriteria(sc, ids);

Original file line number	Diff line number	Diff line change
`@@ -4572,7 +4572,7 @@ else if (!template.isPublicTemplate() && caller.getType() != Account.Type.ADMIN)`
`4572`	`4572`	`if (!permittedAccounts.isEmpty()) {`
`4573`	`4573`	`domain = _domainDao.findById(permittedAccounts.get(0).getDomainId());`
`4574`	`4574`	`} else {`
`4575`		`- domain = _domainDao.findById(Domain.ROOT_DOMAIN);`
	`4575`	`+ domain = _domainDao.findById(caller.getDomainId());`
`4576`	`4576`	`}`
`4577`	`4577`
`4578`	`4578`	`setIdsListToSearchCriteria(sc, ids);`