Normal users with granted permission on listconfigurations/updateconfiguration are able to list and update global configurations

[weizhouapache]

ISSUE TYPE

• Bug Report

COMPONENT NAME

API

CLOUDSTACK VERSION

master

CONFIGURATION

N/A

OS / ENVIRONMENT

N/A

SUMMARY

as titile

STEPS TO REPRODUCE

1. create a role from Role 'User'
2. add listconfigurations and updateconfigurations to allow lists
3. create an account/user from the new role
4. list and update configuration by the user

EXPECTED RESULTS

user can only be able to list/update account settings

ACTUAL RESULTS

user is able to list/update account settings, domain settings, cluster settings, global settings, etc

[weizhouapache]

I have discussed with @Pearl1594
It seems many apis have similar issue (not sure if it is a real issue).
some APIs have authorized = {RoleType.Admin in APICommand annotation, but many old APIs do not have it.

[yadvr]

I don't necessarily see this as bug at least for domain admin, but agree on normal user accounts/roles

[yadvr]

cc @nvazquez @sureshanaparti pl triage

[davidjumani]

I can add a fix to restrict users as well, as part of #4339