fix: do accessibility check when dissociate eip from resource

yunionio · Jul 24, 2020 · 8451954 · 8451954
1 parent d5f8855
commit 8451954
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/pkg/compute/models/elasticips.go b/pkg/compute/models/elasticips.go
@@ -33,6 +33,7 @@ import (
 	"yunion.io/x/onecloud/pkg/cloudcommon/db/lockman"
 	"yunion.io/x/onecloud/pkg/cloudcommon/db/quotas"
 	"yunion.io/x/onecloud/pkg/cloudcommon/db/taskman"
+	"yunion.io/x/onecloud/pkg/cloudcommon/policy"
 	"yunion.io/x/onecloud/pkg/cloudprovider"
 	"yunion.io/x/onecloud/pkg/httperrors"
 	"yunion.io/x/onecloud/pkg/mcclient"
@@ -1078,10 +1079,16 @@ func (self *SElasticip) PerformDissociate(ctx context.Context, userCred mcclient
 	}
 
 	// associate with an invalid vm
-	if !self.IsAssociated() {
+	res := self.GetAssociateResource()
+	if res == nil {
 		return nil, self.Dissociate(ctx, userCred)
 	}
 
+	err := db.IsObjectRbacAllowed(res, userCred, policy.PolicyActionGet)
+	if err != nil {
+		return nil, errors.Wrap(err, "associated resource is not accessible")
+	}
+
 	if self.Status != api.EIP_STATUS_READY {
 		return nil, httperrors.NewInvalidStatusError("eip cannot dissociate in status %s", self.Status)
 	}
@@ -1120,7 +1127,7 @@ func (self *SElasticip) PerformDissociate(ctx context.Context, userCred mcclient
 
 	autoDelete := jsonutils.QueryBoolean(data, "auto_delete", false)
 
-	err := self.StartEipDissociateTask(ctx, userCred, autoDelete, "")
+	err = self.StartEipDissociateTask(ctx, userCred, autoDelete, "")
 	return nil, err
 }
 

diff --git a/pkg/compute/models/guest_actions.go b/pkg/compute/models/guest_actions.go
@@ -46,6 +46,7 @@ import (
 	"yunion.io/x/onecloud/pkg/cloudcommon/db/quotas"
 	"yunion.io/x/onecloud/pkg/cloudcommon/db/taskman"
 	"yunion.io/x/onecloud/pkg/cloudcommon/notifyclient"
+	"yunion.io/x/onecloud/pkg/cloudcommon/policy"
 	"yunion.io/x/onecloud/pkg/cloudcommon/userdata"
 	"yunion.io/x/onecloud/pkg/cloudcommon/validators"
 	"yunion.io/x/onecloud/pkg/compute/options"
@@ -2903,6 +2904,11 @@ func (self *SGuest) PerformDissociateEip(ctx context.Context, userCred mcclient.
 		return nil, httperrors.NewInvalidStatusError("No eip to dissociate")
 	}
 
+	err = db.IsObjectRbacAllowed(eip, userCred, policy.PolicyActionGet)
+	if err != nil {
+		return nil, errors.Wrap(err, "eip is not accessible")
+	}
+
 	self.SetStatus(userCred, api.VM_DISSOCIATE_EIP, "associate eip")
 
 	autoDelete := jsonutils.QueryBoolean(data, "auto_delete", false)