From 9d395b0624bfece708035fced27897b0d592d6dc Mon Sep 17 00:00:00 2001
From: Henrique Sato
Date: Tue, 25 Jul 2023 16:58:12 -0300
Subject: [PATCH 1/2] fix role escalation prevention

---
 .../cloudstack/acl/StaticRoleBasedAPIAccessChecker.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index 27f8305f5792..34cd46936576 100644
--- a/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -107,6 +107,10 @@ public boolean checkAccess(User user, String commandName) throws PermissionDenie
     @Override
     public boolean checkAccess(Account account, String commandName) {
+        if (isEnabled()) {
+            return true;
+        }
+
         RoleType roleType = accountService.getRoleType(account);
         if (isApiAllowed(commandName, roleType)) {
             return true;

From a4d0f204208c3dfe138e1f7e43c5eafa982731d2 Mon Sep 17 00:00:00 2001
From: Henrique Sato
Date: Tue, 15 Aug 2023 14:32:32 -0300
Subject: [PATCH 2/2] change isEnabled return

---
 .../cloudstack/acl/StaticRoleBasedAPIAccessChecker.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index 34cd46936576..7d12178f0f38 100644
--- a/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
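Review bot: The added `return true` at the top of checkAccess(Account, String) makes this checker answer "allowed" for every command whenever isEnabled() is true, so the real decision rests on whichever other checker covers that case, and nothing on the line says so. A comment such as `// RoleService is active: this checker stands aside and the dynamic role checker decides.` would stop the next reader from taking the early exit for a grant. Returning the permissive value from a checker that has stepped aside is only safe if the dispatcher also consults the other checker, which is worth confirming where checkAccess is called. The rest of the method body and the isEnabled() definition this relies on lie outside the hunk.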
@@ -76,12 +76,12 @@ public boolean isEnabled() {
         if (roleService.isEnabled()) {
             LOGGER.debug("RoleService is enabled. We will use it instead of StaticRoleBasedAPIAccessChecker.");
         }
-        return roleService.isEnabled();
+        return !roleService.isEnabled();
     }
     @Override
     public List getApisAllowedToUser(Role role, User user, List apiNames) throws PermissionDeniedException {
-        if (isEnabled()) {
+        if (!isEnabled()) {
             return apiNames;
         }
@@ -93,7 +93,7 @@ public List getApisAllowedToUser(Role role, User user, List apiN
     @Override
     public boolean checkAccess(User user, String commandName) throws PermissionDeniedException {
-        if (isEnabled()) {
+        if (!isEnabled()) {
             return true;
         }
@@ -107,7 +107,7 @@ public boolean checkAccess(User user, String commandName) throws PermissionDenie
     @Override
     public boolean checkAccess(Account account, String commandName) {
-        if (isEnabled()) {
+        if (!isEnabled()) {
             return true;
         }
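Review bot: isEnabled() now reads `roleService.isEnabled()` twice, once for the debug log and once for the inverted return, so the logged message and the value actually returned can disagree if the underlying flag changes between the two calls; read it once into a local, `final boolean roleServiceEnabled = roleService.isEnabled();`, log on that, and `return !roleServiceEnabled;`. The inversion itself is applied consistently here and in the hunks at -93 and -107, so the change reads as complete. The isEnabled() signature sits above the hunk and the getApisAllowedToUser body continues past it.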
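Review bot: With the flipped condition, checkAccess(User, String) returns `true` as soon as this checker is disabled, which is the permissive answer from an access check; the same applies to checkAccess(Account, String) in the -107 hunk and to getApisAllowedToUser in the -76 hunk, which hands back `apiNames` unfiltered. A one-line comment at each early exit, e.g. `// Disabled: RoleService is the effective checker, so impose no restriction here.`, would record that this is a hand-off rather than a grant. If the code that dispatches to API checkers already skips those whose isEnabled() is false, these branches are defensive and the comment could say so — worth confirming against the dispatcher. Both methods continue beyond their hunks.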