diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
index e01137cffbc2..c485aae87ec9 100644
--- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -1341,20 +1341,19 @@ public UserAccount createUserAccount(final String userName, final String passwor
 final String accountNameFinal = accountName;
 final Long domainIdFinal = domainId;
- final String accountUUIDFinal = accountUUID;
+ final String resolvedAccountUUID = accountUUID != null ? accountUUID : UUID.randomUUID().toString();
+
+ // Check role escalation before the transaction — this is a read-only check
+ // that iterates all API commands and doesn't need a write transaction open.
+ AccountVO requestedAccount = new AccountVO(accountNameFinal, domainIdFinal, networkDomain, accountType, roleId, resolvedAccountUUID);
+ checkRoleEscalation(getCurrentCallingAccount(), requestedAccount);
+
 Pair pair = Transaction.execute(new TransactionCallback<>() {
 @Override
 public Pair doInTransaction(TransactionStatus status) {
- // create account
- String accountUUID = accountUUIDFinal;
- if (accountUUID == null) {
- accountUUID = UUID.randomUUID().toString();
- }
- AccountVO account = createAccount(accountNameFinal, accountType, roleId, domainIdFinal, networkDomain, details, accountUUID);
+ AccountVO account = createAccount(accountNameFinal, accountType, roleId, domainIdFinal, networkDomain, details, resolvedAccountUUID);
 long accountId = account.getId();
- checkRoleEscalation(getCurrentCallingAccount(), account);
-
 // create the first user for the account
 UserVO user = createUser(accountId, userName, password, firstName, lastName, email, timezone, userUUID, source);