@@ -1341,20 +1341,19 @@ public UserAccount createUserAccount(final String userName, final String passwor
13411341
13421342 final String accountNameFinal = accountName ;
13431343 final Long domainIdFinal = domainId ;
1344- final String accountUUIDFinal = accountUUID ;
1344+ final String resolvedAccountUUID = accountUUID != null ? accountUUID : UUID .randomUUID ().toString ();
1345+
1346+ // Check role escalation before the transaction — this is a read-only check
1347+ // that iterates all API commands and doesn't need a write transaction open.
1348+ AccountVO requestedAccount = new AccountVO (accountNameFinal , domainIdFinal , networkDomain , accountType , roleId , resolvedAccountUUID );
1349+ checkRoleEscalation (getCurrentCallingAccount (), requestedAccount );
1350+
13451351 Pair <Long , Account > pair = Transaction .execute (new TransactionCallback <>() {
13461352 @ Override
13471353 public Pair <Long , Account > doInTransaction (TransactionStatus status ) {
1348- // create account
1349- String accountUUID = accountUUIDFinal ;
1350- if (accountUUID == null ) {
1351- accountUUID = UUID .randomUUID ().toString ();
1352- }
1353- AccountVO account = createAccount (accountNameFinal , accountType , roleId , domainIdFinal , networkDomain , details , accountUUID );
1354+ AccountVO account = createAccount (accountNameFinal , accountType , roleId , domainIdFinal , networkDomain , details , resolvedAccountUUID );
13541355 long accountId = account .getId ();
13551356
1356- checkRoleEscalation (getCurrentCallingAccount (), account );
1357-
13581357 // create the first user for the account
13591358 UserVO user = createUser (accountId , userName , password , firstName , lastName , email , timezone , userUUID , source );
13601359
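Review bot: The escalation check at new lines 1348-1349 now runs on a hand-built, never-persisted `AccountVO` instead of the object `createAccount(...)` returns, so it is only as good as the match between the two. If `createAccount` normalizes or defaults the role or account type, or if `checkRoleEscalation` or the API checkers it calls read the account id or any other field set on persist, the check would pass on values that differ from what gets stored; neither method's body is visible in this hunk, so this needs confirming. I would record the invariant next to the construction, for example `// requestedAccount must carry the same roleId/accountType/domainId that createAccount() persists; update both together`. A test should also assert that a denied request leaves no account row and that a permitted one stores the same role that was checked. The body of `createUserAccount` starts and ends outside this hunk.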