From 51f6f3577be2b2d94874c8d414740672f6939e80 Mon Sep 17 00:00:00 2001
From: Juan Cabrerizo
Date: Fri, 3 Apr 2026 17:51:48 +0200
Subject: [PATCH] Checking `DEPLOY_APPLICATION` entitlement before computing EntitySpec
---
 .../brooklyn/rest/resources/ApplicationResource.java | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ApplicationResource.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ApplicationResource.java
index a45e4b9d8d..e853834448 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ApplicationResource.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ApplicationResource.java
@@ -414,6 +414,10 @@ public Response createFromYamlAndFormatAndAppId(String yaml, String format, Stri
 }
 protected Response createFromYaml(String yaml, String format, Optional appId) {
+ // Pre check DEPLOY_APPLICATION before computing `spec`
+ if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.DEPLOY_APPLICATION, null)) {
+ throw WebResourceUtils.forbidden(AUTHORIZATION_ERR_MSG, Entitlements.getEntitlementContext().user(), yaml);
+ }
 // First of all, see if it's a URL
 Preconditions.checkNotNull(yaml, "Blueprint must not be null");
 URI uri = null;
@@ -545,6 +549,10 @@ public Response createWithFormatMultipart(String plan, String format) {
 }
 public Response createWithFormat(String inputToAutodetectType, String format) {
+ // Pre check DEPLOY_APPLICATION before computing `spec`
+ if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.DEPLOY_APPLICATION, null)) {
+ throw WebResourceUtils.forbidden(AUTHORIZATION_ERR_MSG, Entitlements.getEntitlementContext().user(), inputToAutodetectType);
+ }
 if (format!=null) format = format.trim();
 log.debug("Creating app from autodetecting input");
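Review bot: The denial path added to `createFromYaml` formats the whole submitted `yaml` into the forbidden message, so a rejected request has its blueprint copied into the 403 body and into any log that records that message; the `createWithFormat` hunk does the same with `inputToAutodetectType`. Blueprints commonly hold location credentials and other secret config, and the text is caller-controlled and unbounded in size. Assuming `AUTHORIZATION_ERR_MSG` takes the user and a description of the spec (its definition is outside the hunk), I would pass a fixed marker instead: `throw WebResourceUtils.forbidden(AUTHORIZATION_ERR_MSG, Entitlements.getEntitlementContext().user(), "[blueprint omitted]");`. The body of `createFromYaml` continues outside the hunk.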
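Review bot: The pre-check in `createWithFormat` (and the identical one in `createFromYaml`) passes `null` as the entitlement argument, and the one-line comment does not say how an entitlement manager is expected to treat a `DEPLOY_APPLICATION` query that carries no spec. A manager that decides per spec may either dereference the argument or permit the null case, so this check can only be a coarse early reject; the spec-specific check must still run once the spec is built, which cannot be confirmed here because both method bodies continue outside their hunks. I would widen the comment to `// Coarse pre-check with no spec (null argument); the spec-specific DEPLOY_APPLICATION check later in this method remains authoritative`. Since the four lines are duplicated verbatim, a small private helper taking the text for the message would keep the two call sites from drifting apart.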