From 130624949043633c93f7877c3032154f27587ebe Mon Sep 17 00:00:00 2001
From: Gabriel Ortiga Fernandes <gabriel.fernandes@scclouds.com.br>
Date: Tue, 31 Jan 2023 14:27:07 -0300
Subject: [PATCH 1/7] Implement functionality

---
 .../api/command/user/network/ListNetworksCmd.java     |  8 ++++----
 .../main/java/com/cloud/api/ApiResponseHelper.java    |  6 +++++-
 .../java/com/cloud/network/vpc/VpcManagerImpl.java    | 11 ++++++++---
 ui/src/components/view/ListView.vue                   |  5 ++++-
 4 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/network/ListNetworksCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/network/ListNetworksCmd.java
index df82d9fd6257..5d45c4e7b5f6 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/network/ListNetworksCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/network/ListNetworksCmd.java
@@ -232,11 +232,11 @@ public void execute() {
     private void updateNetworkResponse(List<NetworkResponse> response) {
         for (NetworkResponse networkResponse : response) {
             ResourceIcon resourceIcon = resourceIconManager.getByResourceTypeAndUuid(ResourceTag.ResourceObjectType.Network, networkResponse.getId());
-            if (resourceIcon == null) {
+            if (resourceIcon == null && networkResponse.getVpcId() != null) {
                 resourceIcon = resourceIconManager.getByResourceTypeAndUuid(ResourceTag.ResourceObjectType.Vpc, networkResponse.getVpcId());
-                if (resourceIcon == null) {
-                    continue;
-                }
+            }
+            if (resourceIcon == null) {
+                continue;
             }
             ResourceIconResponse iconResponse = _responseGenerator.createResourceIconResponse(resourceIcon);
             networkResponse.setResourceIconResponse(iconResponse);
diff --git a/server/src/main/java/com/cloud/api/ApiResponseHelper.java b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
index 8fffebb33034..de3b6f6d41b9 100644
--- a/server/src/main/java/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
@@ -2534,7 +2534,11 @@ public NetworkResponse createNetworkResponse(ResponseView view, Network network)
         if (network.getVpcId() != null) {
             Vpc vpc = ApiDBUtils.findVpcById(network.getVpcId());
             if (vpc != null) {
-                response.setVpcId(vpc.getUuid());
+                try {
+                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, vpc);
+                    response.setVpcId(vpc.getUuid());
+                } catch (PermissionDeniedException e){
+                }
                 response.setVpcName(vpc.getName());
             }
         }
diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
index 9222520602f5..78f3cb436ba8 100644
--- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
@@ -1764,9 +1764,14 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
                         }
                     }
 
-                    // 4) vpc and network should belong to the same owner
-                    if (vpc.getAccountId() != networkOwner.getId()) {
-                        throw new InvalidParameterValueException("Vpc " + vpc + " owner is different from the network owner " + networkOwner);
+                    // 4) Vpc's account should be able to access network owner's account
+                    Account vpcaccount = _accountMgr.getAccount(vpc.getAccountId());
+                    try {
+                        _accountMgr.checkAccess(vpcaccount, null, false, networkOwner);
+                    }
+                    catch (PermissionDeniedException e) {
+                        s_logger.error(e.getMessage());
+                        throw new InvalidParameterValueException(String.format("VPC owner does not have access to account [%s].", networkOwner.getAccountName()));
                     }
 
                     // 5) network domain should be the same as VPC's
diff --git a/ui/src/components/view/ListView.vue b/ui/src/components/view/ListView.vue
index fcd94008d88a..ee3298efa240 100644
--- a/ui/src/components/view/ListView.vue
+++ b/ui/src/components/view/ListView.vue
@@ -221,7 +221,10 @@
       <router-link :to="{ path: '/guestnetwork/' + record.associatednetworkid }">{{ text }}</router-link>
     </template>
     <template #vpcname="{ text, record }">
-      <router-link :to="{ path: '/vpc/' + record.vpcid }">{{ text }}</router-link>
+      <a v-if="record.vpcid">
+        <router-link :to="{ path: '/vpc/' + record.vpcid }">{{ text }}</router-link>
+      </a>
+      <span v-else>{{ text }}</span>
     </template>
     <template #hostname="{ text, record }">
       <router-link v-if="record.hostid" :to="{ path: '/host/' + record.hostid }">{{ text }}</router-link>

From 86881283088016247c7aa3b0c3241b7c8e384f71 Mon Sep 17 00:00:00 2001
From: Gabriel Ortiga Fernandes <gabriel.fernandes@scclouds.com.br>
Date: Fri, 3 Feb 2023 11:11:44 -0300
Subject: [PATCH 2/7] add log

---
 server/src/main/java/com/cloud/api/ApiResponseHelper.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/src/main/java/com/cloud/api/ApiResponseHelper.java b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
index de3b6f6d41b9..78a363b5e4cb 100644
--- a/server/src/main/java/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
@@ -2538,6 +2538,7 @@ public NetworkResponse createNetworkResponse(ResponseView view, Network network)
                     _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, vpc);
                     response.setVpcId(vpc.getUuid());
                 } catch (PermissionDeniedException e){
+                    s_logger.debug("Not setting the vpcId to the response because the caller does not have access to the VPC");
                 }
                 response.setVpcName(vpc.getName());
             }

From efc4243487081bfed2fe60f4d27d9a79fb6a1a74 Mon Sep 17 00:00:00 2001
From: Lopez <rodrigo@scclouds.com.br>
Date: Wed, 22 Feb 2023 10:05:32 -0300
Subject: [PATCH 3/7] some additional changes

---
 .../src/main/java/com/cloud/vm/dao/UserVmDao.java    |  1 +
 .../main/java/com/cloud/vm/dao/UserVmDaoImpl.java    | 12 ++++++++++++
 .../java/com/cloud/network/IpAddressManagerImpl.java |  3 ++-
 .../java/com/cloud/network/NetworkModelImpl.java     |  2 +-
 .../network/lb/LoadBalancingRulesManagerImpl.java    |  2 +-
 .../java/com/cloud/network/vpc/VpcManagerImpl.java   |  4 ++--
 ui/src/config/section/network.js                     |  4 ++--
 ui/src/views/network/EnableStaticNat.vue             |  7 +------
 ui/src/views/network/LoadBalancing.vue               |  7 ++-----
 ui/src/views/network/PortForwarding.vue              |  6 +-----
 10 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/engine/schema/src/main/java/com/cloud/vm/dao/UserVmDao.java b/engine/schema/src/main/java/com/cloud/vm/dao/UserVmDao.java
index abc8d80fbb2a..39c65866658f 100644
--- a/engine/schema/src/main/java/com/cloud/vm/dao/UserVmDao.java
+++ b/engine/schema/src/main/java/com/cloud/vm/dao/UserVmDao.java
@@ -103,4 +103,5 @@ public interface UserVmDao extends GenericDao<UserVmVO, Long> {
 
     List<UserVmVO> findByUserDataId(long userdataId);
 
+    List<UserVmVO> listByIds(List<Long> ids);
 }
diff --git a/engine/schema/src/main/java/com/cloud/vm/dao/UserVmDaoImpl.java b/engine/schema/src/main/java/com/cloud/vm/dao/UserVmDaoImpl.java
index 8a1039e83be6..01439da24c5f 100644
--- a/engine/schema/src/main/java/com/cloud/vm/dao/UserVmDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/vm/dao/UserVmDaoImpl.java
@@ -71,6 +71,7 @@ public class UserVmDaoImpl extends GenericDaoBase<UserVmVO, Long> implements Use
     protected SearchBuilder<UserVmVO> RunningSearch;
     protected SearchBuilder<UserVmVO> StateChangeSearch;
     protected SearchBuilder<UserVmVO> AccountHostSearch;
+    protected SearchBuilder<UserVmVO> IdsSearch;
 
     protected SearchBuilder<UserVmVO> DestroySearch;
     protected SearchBuilder<UserVmVO> AccountDataCenterVirtualSearch;
@@ -135,6 +136,10 @@ void init() {
         AccountSearch.and("account", AccountSearch.entity().getAccountId(), SearchCriteria.Op.EQ);
         AccountSearch.done();
 
+        IdsSearch = createSearchBuilder();
+        IdsSearch.and("ids", IdsSearch.entity().getId(), SearchCriteria.Op.IN);
+        IdsSearch.done();
+
         HostSearch = createSearchBuilder();
         HostSearch.and("host", HostSearch.entity().getHostId(), SearchCriteria.Op.EQ);
         HostSearch.done();
@@ -778,4 +783,11 @@ public List<UserVmVO> findByUserDataId(long userdataId) {
         sc.setParameters("userDataId", userdataId);
         return listBy(sc);
     }
+
+    @Override
+    public List<UserVmVO> listByIds(List<Long> ids) {
+        SearchCriteria<UserVmVO> sc = IdsSearch.create();
+        sc.setParameters("ids", ids.toArray());
+        return listBy(sc);
+    }
 }
diff --git a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
index b690acd7dd9d..ced7f1615b0e 100644
--- a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
@@ -1476,7 +1476,8 @@ public IPAddressVO associateIPToGuestNetwork(long ipId, long networkId, boolean
         //     - if shared network in Advanced zone
         //     - and it belongs to the system
         if (network.getAccountId() != owner.getId()) {
-            if (zone.getNetworkType() != NetworkType.Basic && !(zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() == Network.GuestType.Shared)) {
+            if (zone.getNetworkType() != NetworkType.Basic &&
+                    !(zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() == Network.GuestType.Shared || network.getVpcId() == ipToAssoc.getVpcId()))  {
                 throw new InvalidParameterValueException("The owner of the network is not the same as owner of the IP");
             }
         }
diff --git a/server/src/main/java/com/cloud/network/NetworkModelImpl.java b/server/src/main/java/com/cloud/network/NetworkModelImpl.java
index cd3b2b7671ef..48da0da3ac3e 100644
--- a/server/src/main/java/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/main/java/com/cloud/network/NetworkModelImpl.java
@@ -1701,7 +1701,7 @@ private void checkAccountNetworkPermissions(Account caller, Network network) {
         if (!Account.Type.PROJECT.equals(caller.getType()) && Account.Type.PROJECT.equals(networkOwner.getType())) {
             checkProjectNetworkPermissions(caller, networkOwner, network);
         } else {
-            List<NetworkVO> networkMap = _networksDao.listBy(caller.getId(), network.getId());
+            List<NetworkVO> networkMap = _networksDao.listBy(networkOwner.getId(), network.getId());
             NetworkPermissionVO networkPermission = _networkPermissionDao.findByNetworkAndAccount(network.getId(), caller.getId());
             if (CollectionUtils.isEmpty(networkMap) && networkPermission == null) {
                 throw new PermissionDeniedException(String.format(UNABLE_TO_USE_NETWORK, ((NetworkVO) network).getUuid()));
diff --git a/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
index 3c51e1210b8d..c9c0e83131a5 100644
--- a/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@@ -2351,7 +2351,7 @@ public Pair<List<? extends UserVm>, List<String>> listLoadBalancerInstances(List
             }
         }
 
-        List<UserVmVO> userVms = _vmDao.listVirtualNetworkInstancesByAcctAndNetwork(loadBalancer.getAccountId(), loadBalancer.getNetworkId());
+        List<UserVmVO> userVms = _vmDao.listByIds(appliedInstanceIdList);
 
         for (UserVmVO userVm : userVms) {
             // if the VM is destroyed, being expunged, in an error state, or in
diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
index 78f3cb436ba8..3356102596ed 100644
--- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
@@ -2793,11 +2793,11 @@ public IpAddress associateIPToVpc(final long ipId, final long vpcId) throws Reso
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, true, owner, vpc);
+        _accountMgr.checkAccess(caller, null, false, owner, vpc);
 
         s_logger.debug("Associating ip " + ipToAssoc + " to vpc " + vpc);
 
-        final boolean isSourceNatFinal = isSrcNatIpRequired(vpc.getVpcOfferingId()) && getExistingSourceNatInVpc(owner.getId(), vpcId) == null;
+        final boolean isSourceNatFinal = isSrcNatIpRequired(vpc.getVpcOfferingId()) && getExistingSourceNatInVpc(vpc.getAccountId(), vpcId) == null;
         Transaction.execute(new TransactionCallbackNoReturn() {
             @Override
             public void doInTransactionWithoutResult(final TransactionStatus status) {
diff --git a/ui/src/config/section/network.js b/ui/src/config/section/network.js
index 5e197181c7a1..a3f5dc90f641 100644
--- a/ui/src/config/section/network.js
+++ b/ui/src/config/section/network.js
@@ -59,7 +59,7 @@ export default {
       }, {
         name: 'egress.rules',
         component: shallowRef(defineAsyncComponent(() => import('@/views/network/EgressRulesTab.vue'))),
-        show: (record, route, user) => { return record.type === 'Isolated' && !('vpcid' in record) && 'listEgressFirewallRules' in store.getters.apis && (['Admin', 'DomainAdmin'].includes(user.roletype) || record.account === user.account || record.projectid) }
+        show: (record, route, user) => { return record.type === 'Isolated' && !('vpcname' in record) && 'listEgressFirewallRules' in store.getters.apis && (['Admin', 'DomainAdmin'].includes(user.roletype) || record.account === user.account || record.projectid) }
       }, {
         name: 'ip.v6.firewall',
         component: shallowRef(defineAsyncComponent(() => import('@/views/network/Ipv6FirewallRulesTab.vue'))),
@@ -67,7 +67,7 @@ export default {
       }, {
         name: 'public.ip.addresses',
         component: shallowRef(defineAsyncComponent(() => import('@/views/network/IpAddressesTab.vue'))),
-        show: (record, route, user) => { return 'listPublicIpAddresses' in store.getters.apis && (record.type === 'Shared' || (record.type === 'Isolated' && !('vpcid' in record) && (['Admin', 'DomainAdmin'].includes(user.roletype) || record.account === user.account || record.projectid))) }
+        show: (record, route, user) => { return 'listPublicIpAddresses' in store.getters.apis && (record.type === 'Shared' || (record.type === 'Isolated' && !('vpcname' in record) && (['Admin', 'DomainAdmin'].includes(user.roletype) || record.account === user.account || record.projectid))) }
       }, {
         name: 'virtual.routers',
         component: shallowRef(defineAsyncComponent(() => import('@/views/network/RoutersTab.vue'))),
diff --git a/ui/src/views/network/EnableStaticNat.vue b/ui/src/views/network/EnableStaticNat.vue
index 8def80f6f8d7..94502a279632 100644
--- a/ui/src/views/network/EnableStaticNat.vue
+++ b/ui/src/views/network/EnableStaticNat.vue
@@ -188,8 +188,6 @@ export default {
         pageSize: this.pageSize,
         listAll: true,
         networkid: this.resource.associatednetworkid,
-        account: this.resource.account,
-        domainid: this.resource.domainid,
         keyword: this.searchQuery
       }).then(response => {
         this.vmCount = response.listvirtualmachinesresponse.count
@@ -207,8 +205,6 @@ export default {
         pageSize: this.pageSize,
         listAll: true,
         networkid: e,
-        account: this.resource.account,
-        domainid: this.resource.domainid,
         vpcid: this.resource.vpcid,
         keyword: this.searchQuery
       }).then(response => {
@@ -247,8 +243,7 @@ export default {
       this.loading = true
       api('listNetworks', {
         vpcid: this.resource.vpcid,
-        domainid: this.resource.domainid,
-        account: this.resource.account,
+        isrecursive: true,
         supportedservices: 'StaticNat'
       }).then(response => {
         this.networksList = response.listnetworksresponse.network
diff --git a/ui/src/views/network/LoadBalancing.vue b/ui/src/views/network/LoadBalancing.vue
index 11933650bc11..00a22cfa6e78 100644
--- a/ui/src/views/network/LoadBalancing.vue
+++ b/ui/src/views/network/LoadBalancing.vue
@@ -847,9 +847,8 @@ export default {
       this.tiers.loading = true
 
       api('listNetworks', {
-        account: this.resource.account,
-        domainid: this.resource.domainid,
         supportedservices: 'Lb',
+        isrecursive: true,
         vpcid: this.resource.vpcid
       }).then(json => {
         this.tiers.data = json.listnetworksresponse.network || []
@@ -1447,9 +1446,7 @@ export default {
         keyword: this.searchQuery,
         page: this.vmPage,
         pagesize: this.vmPageSize,
-        networkid: networkId,
-        account: this.resource.account,
-        domainid: this.resource.domainid
+        networkid: networkId
       }).then(response => {
         this.vmCount = response.listvirtualmachinesresponse.count || 0
         this.vms = response.listvirtualmachinesresponse.virtualmachine || []
diff --git a/ui/src/views/network/PortForwarding.vue b/ui/src/views/network/PortForwarding.vue
index edbf49a87e9e..88f6bed20249 100644
--- a/ui/src/views/network/PortForwarding.vue
+++ b/ui/src/views/network/PortForwarding.vue
@@ -490,8 +490,6 @@ export default {
       this.selectedTier = null
       this.tiers.loading = true
       api('listNetworks', {
-        account: this.resource.account,
-        domainid: this.resource.domainid,
         supportedservices: 'PortForwarding',
         vpcid: this.resource.vpcid
       }).then(json => {
@@ -795,9 +793,7 @@ export default {
         keyword: this.searchQuery,
         page: this.vmPage,
         pagesize: this.vmPageSize,
-        networkid: networkId,
-        account: this.resource.account,
-        domainid: this.resource.domainid
+        networkid: networkId
       }).then(response => {
         this.vmCount = response.listvirtualmachinesresponse.count || 0
         this.vms = response.listvirtualmachinesresponse.virtualmachine

From fc28686762b43760a51a52d7f829f0add4e1f1f6 Mon Sep 17 00:00:00 2001
From: Gabriel Ortiga Fernandes <gabriel.fernandes@scclouds.com.br>
Date: Mon, 27 Feb 2023 08:20:13 -0300
Subject: [PATCH 4/7] fix sonar bug

---
 .../src/main/java/com/cloud/network/IpAddressManagerImpl.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
index ced7f1615b0e..a86b2cb937ed 100644
--- a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
@@ -1477,7 +1477,7 @@ public IPAddressVO associateIPToGuestNetwork(long ipId, long networkId, boolean
         //     - and it belongs to the system
         if (network.getAccountId() != owner.getId()) {
             if (zone.getNetworkType() != NetworkType.Basic &&
-                    !(zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() == Network.GuestType.Shared || network.getVpcId() == ipToAssoc.getVpcId()))  {
+                    !(zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() == Network.GuestType.Shared || network.getVpcId().equals(ipToAssoc.getVpcId())))  {
                 throw new InvalidParameterValueException("The owner of the network is not the same as owner of the IP");
             }
         }

From 8b4c34363a88e9ebaba198c7e5c9a07dd4cde66d Mon Sep 17 00:00:00 2001
From: Gabriel <gabriel.fernandes@scclouds.com.br>
Date: Thu, 4 May 2023 19:07:08 -0300
Subject: [PATCH 5/7] Extract methods

---
 .../java/com/cloud/api/ApiResponseHelper.java | 31 ++++++++++++-------
 .../com/cloud/network/vpc/VpcManagerImpl.java | 20 +++++++-----
 2 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/server/src/main/java/com/cloud/api/ApiResponseHelper.java b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
index 78a363b5e4cb..bc31536d80d7 100644
--- a/server/src/main/java/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
@@ -2531,18 +2531,8 @@ public NetworkResponse createNetworkResponse(ResponseView view, Network network)
         }
 
         response.setSpecifyIpRanges(network.getSpecifyIpRanges());
-        if (network.getVpcId() != null) {
-            Vpc vpc = ApiDBUtils.findVpcById(network.getVpcId());
-            if (vpc != null) {
-                try {
-                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, vpc);
-                    response.setVpcId(vpc.getUuid());
-                } catch (PermissionDeniedException e){
-                    s_logger.debug("Not setting the vpcId to the response because the caller does not have access to the VPC");
-                }
-                response.setVpcName(vpc.getName());
-            }
-        }
+
+        setVpcIdInResponse(network, response);
 
         setResponseAssociatedNetworkInformation(response, network.getId());
 
@@ -2614,6 +2604,23 @@ public NetworkResponse createNetworkResponse(ResponseView view, Network network)
         return response;
     }
 
+
+    private void setVpcIdInResponse(Network network, NetworkResponse response) {
+        if (network.getVpcId() != null) {
+            Vpc vpc = ApiDBUtils.findVpcById(network.getVpcId());
+            if (vpc != null) {
+                try {
+                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, vpc);
+                    response.setVpcId(vpc.getUuid());
+                } catch (PermissionDeniedException e) {
+                    s_logger.debug("Not setting the vpcId to the response because the caller does not have access to the VPC");
+                }
+                response.setVpcName(vpc.getName());
+            }
+        }
+    }
+
+
     private void setResponseAssociatedNetworkInformation(BaseResponseWithAssociatedNetwork response, Long networkId) {
         final NetworkDetailVO detail = networkDetailsDao.findDetail(networkId, Network.AssociatedNetworkId);
         if (detail != null) {
diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
index 337169b86448..09441604391d 100644
--- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
@@ -1765,14 +1765,7 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
                     }
 
                     // 4) Vpc's account should be able to access network owner's account
-                    Account vpcaccount = _accountMgr.getAccount(vpc.getAccountId());
-                    try {
-                        _accountMgr.checkAccess(vpcaccount, null, false, networkOwner);
-                    }
-                    catch (PermissionDeniedException e) {
-                        s_logger.error(e.getMessage());
-                        throw new InvalidParameterValueException(String.format("VPC owner does not have access to account [%s].", networkOwner.getAccountName()));
-                    }
+                    CheckAccountsAccess(vpc, networkOwner);
 
                     // 5) network domain should be the same as VPC's
                     if (!networkDomain.equalsIgnoreCase(vpc.getNetworkDomain())) {
@@ -1791,6 +1784,17 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
         });
     }
 
+    private void CheckAccountsAccess(Vpc vpc, Account networkAccount) {
+        Account vpcaccount = _accountMgr.getAccount(vpc.getAccountId());
+        try {
+            _accountMgr.checkAccess(vpcaccount, null, false, networkAccount);
+        }
+        catch (PermissionDeniedException e) {
+            s_logger.error(e.getMessage());
+            throw new InvalidParameterValueException(String.format("VPC owner does not have access to account [%s].", networkAccount.getAccountName()));
+        }
+    }
+
     public List<VpcProvider> getVpcElements() {
         if (vpcElements == null) {
             vpcElements = new ArrayList<VpcProvider>();

From 6af7181fc6fad53ede12c781e4c545692d659605 Mon Sep 17 00:00:00 2001
From: Gabriel <gabriel.fernandes@scclouds.com.br>
Date: Wed, 5 Jul 2023 14:11:21 -0300
Subject: [PATCH 6/7] Extract method on IpAddressManagerImpl

---
 .../cloud/network/IpAddressManagerImpl.java   | 36 +++++++++----------
 .../com/cloud/network/NetworkModelImpl.java   |  2 +-
 ui/src/views/network/PortForwarding.vue       |  3 +-
 3 files changed, 20 insertions(+), 21 deletions(-)

diff --git a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
index 36daeb420b0f..1352393be50e 100644
--- a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
@@ -1471,16 +1471,7 @@ public IPAddressVO associateIPToGuestNetwork(long ipId, long networkId, boolean
             throw new InvalidParameterValueException("Ip address can be associated to the network with trafficType " + TrafficType.Guest);
         }
 
-        // Check that network belongs to IP owner - skip this check
-        //     - if zone is basic zone as there is just one guest network,
-        //     - if shared network in Advanced zone
-        //     - and it belongs to the system
-        if (network.getAccountId() != owner.getId()) {
-            if (zone.getNetworkType() != NetworkType.Basic &&
-                    !(zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() == Network.GuestType.Shared || network.getVpcId().equals(ipToAssoc.getVpcId())))  {
-                throw new InvalidParameterValueException("The owner of the network is not the same as owner of the IP");
-            }
-        }
+        validateNetworkAndIpOwnership(owner, ipToAssoc, network, zone);
 
         if (zone.getNetworkType() == NetworkType.Advanced) {
             // In Advance zone allow to do IP assoc only for Isolated networks with source nat service enabled
@@ -1544,6 +1535,21 @@ public IPAddressVO associateIPToGuestNetwork(long ipId, long networkId, boolean
         }
     }
 
+    /**
+     * Check that network belongs to IP owner - skip this check
+     *  - if the IP belongs to the same VPC as the network
+     *  - if zone is basic zone as there is just one guest network,
+     *  - if shared network in Advanced zone
+     *  - and it belongs to the system
+     */
+    private static void validateNetworkAndIpOwnership(Account owner, IPAddressVO ipToAssoc, Network network, DataCenter zone) {
+        if (network.getAccountId() != owner.getId()) {
+            if (!network.getVpcId().equals(ipToAssoc.getVpcId()) && zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() != GuestType.Shared) {
+                throw new InvalidParameterValueException("The owner of the network is not the same as owner of the IP");
+            }
+        }
+    }
+
     /**
      * Prevents associating an IP address to an allocated (unimplemented network) network, throws an Exception otherwise
      * @param owner Used to check if the user belongs to the Network
@@ -1626,15 +1632,7 @@ public IPAddressVO disassociatePortableIPToGuestNetwork(long ipId, long networkI
 
         DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());
 
-        // Check that network belongs to IP owner - skip this check
-        //     - if zone is basic zone as there is just one guest network,
-        //     - if shared network in Advanced zone
-        //     - and it belongs to the system
-        if (network.getAccountId() != owner.getId()) {
-            if (zone.getNetworkType() != NetworkType.Basic && !(zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() == Network.GuestType.Shared)) {
-                throw new InvalidParameterValueException("The owner of the network is not the same as owner of the IP");
-            }
-        }
+        validateNetworkAndIpOwnership(owner, ipToAssoc, network, zone);
 
         // Check if IP has any services (rules) associated in the network
         List<PublicIpAddress> ipList = new ArrayList<PublicIpAddress>();
diff --git a/server/src/main/java/com/cloud/network/NetworkModelImpl.java b/server/src/main/java/com/cloud/network/NetworkModelImpl.java
index 7248319d54b6..5776d4e1628e 100644
--- a/server/src/main/java/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/main/java/com/cloud/network/NetworkModelImpl.java
@@ -1701,7 +1701,7 @@ private void checkAccountNetworkPermissions(Account caller, Network network) {
         if (!Account.Type.PROJECT.equals(caller.getType()) && Account.Type.PROJECT.equals(networkOwner.getType())) {
             checkProjectNetworkPermissions(caller, networkOwner, network);
         } else {
-            List<NetworkVO> networkMap = _networksDao.listBy(networkOwner.getId(), network.getId());
+            List<NetworkVO> networkMap = _networksDao.listBy(caller.getId(), network.getId());
             NetworkPermissionVO networkPermission = _networkPermissionDao.findByNetworkAndAccount(network.getId(), caller.getId());
             if (CollectionUtils.isEmpty(networkMap) && networkPermission == null) {
                 throw new PermissionDeniedException(String.format(UNABLE_TO_USE_NETWORK, ((NetworkVO) network).getUuid()));
diff --git a/ui/src/views/network/PortForwarding.vue b/ui/src/views/network/PortForwarding.vue
index d0072c394c13..d5362039874e 100644
--- a/ui/src/views/network/PortForwarding.vue
+++ b/ui/src/views/network/PortForwarding.vue
@@ -500,7 +500,8 @@ export default {
       this.tiers.loading = true
       api('listNetworks', {
         supportedservices: 'PortForwarding',
-        vpcid: this.resource.vpcid
+        vpcid: this.resource.vpcid,
+        listall: this.resource.vpcid !== null
       }).then(json => {
         this.tiers.data = json.listnetworksresponse.network || []
         if (this.tiers.data && this.tiers.data.length > 0) {

From 32e342d28ae2c84fe276c95ad03e005ad4b77479 Mon Sep 17 00:00:00 2001
From: Gabriel <gabriel.fernandes@scclouds.com.br>
Date: Tue, 11 Jul 2023 14:30:37 -0300
Subject: [PATCH 7/7] fix UI 404 errors

---
 .../java/com/cloud/api/ApiResponseHelper.java | 47 +++++++++----------
 1 file changed, 22 insertions(+), 25 deletions(-)

diff --git a/server/src/main/java/com/cloud/api/ApiResponseHelper.java b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
index a4b663f91fc7..568625c856b6 100644
--- a/server/src/main/java/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
@@ -33,6 +33,7 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.TimeZone;
+import java.util.function.Consumer;
 import java.util.stream.Collectors;
 
 import javax.inject.Inject;
@@ -1019,13 +1020,9 @@ public IPAddressResponse createIPAddressResponse(ResponseView view, IpAddress ip
             }
         }
 
-        if (ipAddr.getVpcId() != null) {
-            Vpc vpc = ApiDBUtils.findVpcById(ipAddr.getVpcId());
-            if (vpc != null) {
-                ipResponse.setVpcId(vpc.getUuid());
-                ipResponse.setVpcName(vpc.getName());
-            }
-        }
+
+        setVpcIdInResponse(ipAddr.getVpcId(), ipResponse::setVpcId, ipResponse::setVpcName);
+
 
         // Network id the ip is associated with (if associated networkId is
         // null, try to get this information from vlan)
@@ -1095,6 +1092,22 @@ public IPAddressResponse createIPAddressResponse(ResponseView view, IpAddress ip
         return ipResponse;
     }
 
+
+    private void setVpcIdInResponse(Long vpcId, Consumer<String> vpcUuidSetter, Consumer<String> vpcNameSetter) {
+        if (vpcId != null) {
+            Vpc vpc = ApiDBUtils.findVpcById(vpcId);
+            if (vpc != null) {
+                try {
+                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, vpc);
+                    vpcUuidSetter.accept(vpc.getUuid());
+                } catch (PermissionDeniedException e) {
+                    s_logger.debug("Not setting the vpcId to the response because the caller does not have access to the VPC");
+                }
+                vpcNameSetter.accept(vpc.getName());
+            }
+        }
+    }
+
     private void showVmInfoForSharedNetworks(boolean forVirtualNetworks, IpAddress ipAddr, IPAddressResponse ipResponse) {
         if (!forVirtualNetworks) {
             NicVO nic = ApiDBUtils.findByIp4AddressAndNetworkId(ipAddr.getAddress().toString(), ipAddr.getNetworkId());
@@ -2566,7 +2579,8 @@ public NetworkResponse createNetworkResponse(ResponseView view, Network network)
 
         response.setSpecifyIpRanges(network.getSpecifyIpRanges());
 
-        setVpcIdInResponse(network, response);
+
+        setVpcIdInResponse(network.getVpcId(), response::setVpcId, response::setVpcName);
 
         setResponseAssociatedNetworkInformation(response, network.getId());
 
@@ -2638,23 +2652,6 @@ public NetworkResponse createNetworkResponse(ResponseView view, Network network)
         return response;
     }
 
-
-    private void setVpcIdInResponse(Network network, NetworkResponse response) {
-        if (network.getVpcId() != null) {
-            Vpc vpc = ApiDBUtils.findVpcById(network.getVpcId());
-            if (vpc != null) {
-                try {
-                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, vpc);
-                    response.setVpcId(vpc.getUuid());
-                } catch (PermissionDeniedException e) {
-                    s_logger.debug("Not setting the vpcId to the response because the caller does not have access to the VPC");
-                }
-                response.setVpcName(vpc.getName());
-            }
-        }
-    }
-
-
     private void setResponseAssociatedNetworkInformation(BaseResponseWithAssociatedNetwork response, Long networkId) {
         final NetworkDetailVO detail = networkDetailsDao.findDetail(networkId, Network.AssociatedNetworkId);
         if (detail != null) {