From 1430c9ce3ab67ae359dc4ba3273d1617e6b8cd9e Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Tue, 24 Feb 2015 17:44:09 -0800
Subject: [PATCH] GUAC-1101: Test permissions prior to retrieving connection parameters.
---
 .../auth/mysql/service/ConnectionService.java | 24 ++++++++++++++-----
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java
index bcfe38404..4bab4d194 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java
@@ -25,6 +25,7 @@ package net.sourceforge.guacamole.net.auth.mysql.service;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
@@ -202,14 +203,25 @@ public class ConnectionService extends DirectoryObjectService retrieveParameters(AuthenticatedUser user, String identifier) { - // FIXME: Check permissions - Map parameterMap = new HashMap(); - // Convert associated parameters to map - Collection parameters = parameterMapper.select(identifier); - for (ParameterModel parameter : parameters) - parameterMap.put(parameter.getName(), parameter.getValue()); + // Determine whether we have permission to read parameters + boolean canRetrieveParameters; + try { + canRetrieveParameters = hasObjectPermission(user, identifier, + ObjectPermission.Type.UPDATE); + } + + // Provide empty (but mutable) map if unable to check permissions + catch (GuacamoleException e) { + return parameterMap; + } + + // Populate parameter map if we have permission to do so + if (canRetrieveParameters) { + for (ParameterModel parameter : parameterMapper.select(identifier)) + parameterMap.put(parameter.getName(), parameter.getValue()); + } return parameterMap;
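Review bot: The `catch (GuacamoleException e)` branch returns the empty map without recording the failure, so an error raised while checking permissions looks exactly like a legitimate denial and leaves nothing for whoever later investigates why a connection's parameters came back empty. Failing closed is the right default and should stay, but the exception deserves a log line, e.g. `logger.debug("Unable to check UPDATE permission on connection {}.", identifier, e);`, assuming the class has or can be given a logger (none is visible in the hunk). The `hasObjectPermission` call would also benefit from a one-line comment on why UPDATE rather than READ gates parameter access, presumably because parameters can hold credentials: `// Parameters may contain secrets: require UPDATE, not merely READ`. The body of retrieveParameters ends outside the hunk.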