GUACAMOLE-220: Use effective permissions when deciding whether a user has permission to perform an action.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java

@@ -53,7 +53,8 @@ public abstract class ModeledChildDirectoryObjectService<InternalType extends Mo
     /**
      * Returns the permission set associated with the given user and related
      * to the type of objects which can be parents of the child objects handled
-     * by this directory object service.
+     * by this directory object service, taking into account permission
+     * inheritance via user groups.
      *
      * @param user
      *     The user whose permissions are being retrieved.
@@ -66,7 +67,7 @@ public abstract class ModeledChildDirectoryObjectService<InternalType extends Mo
      * @throws GuacamoleException
      *     If permission to read the user's permissions is denied.
      */
-    protected abstract ObjectPermissionSet getParentPermissionSet(
+    protected abstract ObjectPermissionSet getParentEffectivePermissionSet(
             ModeledAuthenticatedUser user) throws GuacamoleException;
 
     /**
@@ -155,7 +156,7 @@ public abstract class ModeledChildDirectoryObjectService<InternalType extends Mo
         Collection<String> modifiedParents = getModifiedParents(user, identifier, model);
         if (!modifiedParents.isEmpty()) {
 
-            ObjectPermissionSet permissionSet = getParentPermissionSet(user);
+            ObjectPermissionSet permissionSet = getParentEffectivePermissionSet(user);
             Collection<String> updateableParents = permissionSet.getAccessibleObjects(
                 Collections.singleton(ObjectPermission.Type.UPDATE),
                 modifiedParents

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java

@@ -126,7 +126,8 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled
 
     /**
      * Returns whether the given user has permission to create the type of
-     * objects that this directory object service manages.
+     * objects that this directory object service manages, taking into account
+     * permission inheritance through user groups.
      *
      * @param user
      *     The user being checked.
@@ -143,7 +144,8 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled
 
     /**
      * Returns whether the given user has permission to perform a certain
-     * action on a specific object managed by this directory object service.
+     * action on a specific object managed by this directory object service,
+     * taking into account permission inheritance through user groups.
      *
      * @param user
      *     The user being checked.
@@ -166,7 +168,7 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled
             throws GuacamoleException {
 
         // Get object permissions
-        ObjectPermissionSet permissionSet = getPermissionSet(user);
+        ObjectPermissionSet permissionSet = getEffectivePermissionSet(user);
         
         // Return whether permission is granted
         return user.getUser().isAdministrator()
@@ -176,7 +178,8 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled
  
     /**
      * Returns the permission set associated with the given user and related
-     * to the type of objects handled by this directory object service.
+     * to the type of objects handled by this directory object service, taking
+     * into account permission inheritance via user groups.
      *
      * @param user
      *     The user whose permissions are being retrieved.
@@ -189,7 +192,7 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled
      * @throws GuacamoleException
      *     If permission to read the user's permissions is denied.
      */
-    protected abstract ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user)
+    protected abstract ObjectPermissionSet getEffectivePermissionSet(ModeledAuthenticatedUser user)
             throws GuacamoleException;
 
     /**

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionService.java

@@ -131,26 +131,26 @@ public class ConnectionService extends ModeledChildDirectoryObjectService<Modele
             throws GuacamoleException {
 
         // Return whether user has explicit connection creation permission
-        SystemPermissionSet permissionSet = user.getUser().getSystemPermissions();
+        SystemPermissionSet permissionSet = user.getUser().getEffectivePermissions().getSystemPermissions();
         return permissionSet.hasPermission(SystemPermission.Type.CREATE_CONNECTION);
 
     }
 
     @Override
-    protected ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user)
+    protected ObjectPermissionSet getEffectivePermissionSet(ModeledAuthenticatedUser user)
             throws GuacamoleException {
 
         // Return permissions related to connections 
-        return user.getUser().getConnectionPermissions();
+        return user.getUser().getEffectivePermissions().getConnectionPermissions();
 
     }
 
     @Override
-    protected ObjectPermissionSet getParentPermissionSet(ModeledAuthenticatedUser user)
+    protected ObjectPermissionSet getParentEffectivePermissionSet(ModeledAuthenticatedUser user)
             throws GuacamoleException {
 
         // Connections are contained by connection groups
-        return user.getUser().getConnectionGroupPermissions();
+        return user.getUser().getEffectivePermissions().getConnectionGroupPermissions();
 
     }
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java

@@ -112,26 +112,26 @@ public class ConnectionGroupService extends ModeledChildDirectoryObjectService<M
             throws GuacamoleException {
 
         // Return whether user has explicit connection group creation permission
-        SystemPermissionSet permissionSet = user.getUser().getSystemPermissions();
+        SystemPermissionSet permissionSet = user.getUser().getEffectivePermissions().getSystemPermissions();
         return permissionSet.hasPermission(SystemPermission.Type.CREATE_CONNECTION_GROUP);
 
     }
 
     @Override
-    protected ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user)
+    protected ObjectPermissionSet getEffectivePermissionSet(ModeledAuthenticatedUser user)
             throws GuacamoleException {
 
         // Return permissions related to connection groups 
-        return user.getUser().getConnectionGroupPermissions();
+        return user.getUser().getEffectivePermissions().getConnectionGroupPermissions();
 
     }
 
     @Override
-    protected ObjectPermissionSet getParentPermissionSet(ModeledAuthenticatedUser user)
+    protected ObjectPermissionSet getParentEffectivePermissionSet(ModeledAuthenticatedUser user)
             throws GuacamoleException {
 
         // Connection groups are contained by other connection groups
-        return user.getUser().getConnectionGroupPermissions();
+        return user.getUser().getEffectivePermissions().getConnectionGroupPermissions();
 
     }
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java

@@ -45,7 +45,7 @@ public abstract class AbstractPermissionService<PermissionSetType extends Permis
      * Determines whether the given user can read the permissions currently
      * granted to the given target user. If the reading user and the target
      * user are not the same, then explicit READ or SYSTEM_ADMINISTER access is
-     * required.
+     * required. Permission inheritance via user groups is taken into account.
      *
      * @param user
      *     The user attempting to read permissions.
@@ -72,7 +72,7 @@ public abstract class AbstractPermissionService<PermissionSetType extends Permis
             return true;
 
         // Can read permissions on target user if explicit READ is granted
-        ObjectPermissionSet userPermissionSet = user.getUser().getUserPermissions();
+        ObjectPermissionSet userPermissionSet = user.getUser().getEffectivePermissions().getUserPermissions();
         return userPermissionSet.hasPermission(ObjectPermission.Type.READ, targetUser.getIdentifier());
 
     }

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java

@@ -67,6 +67,7 @@ public abstract class ModeledObjectPermissionService
      * depends on whether the current user is a system administrator, whether
      * they have explicit UPDATE permission on the target user, and whether
      * they have explicit ADMINISTER permission on all affected objects.
+     * Permission inheritance via user groups is taken into account.
      *
      * @param user
      *     The user who is changing permissions.
@@ -95,7 +96,7 @@ public abstract class ModeledObjectPermissionService
             return true;
         
         // Verify user has update permission on the target user
-        ObjectPermissionSet userPermissionSet = user.getUser().getUserPermissions();
+        ObjectPermissionSet userPermissionSet = user.getUser().getEffectivePermissions().getUserPermissions();
         if (!userPermissionSet.hasPermission(ObjectPermission.Type.UPDATE, targetUser.getIdentifier()))
             return false;
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java

@@ -112,26 +112,26 @@ public class SharingProfileService
             throws GuacamoleException {
 
         // Return whether user has explicit sharing profile creation permission
-        SystemPermissionSet permissionSet = user.getUser().getSystemPermissions();
+        SystemPermissionSet permissionSet = user.getUser().getEffectivePermissions().getSystemPermissions();
         return permissionSet.hasPermission(SystemPermission.Type.CREATE_SHARING_PROFILE);
 
     }
 
     @Override
-    protected ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user)
+    protected ObjectPermissionSet getEffectivePermissionSet(ModeledAuthenticatedUser user)
             throws GuacamoleException {
 
         // Return permissions related to sharing profiles
-        return user.getUser().getSharingProfilePermissions();
+        return user.getUser().getEffectivePermissions().getSharingProfilePermissions();
 
     }
 
     @Override
-    protected ObjectPermissionSet getParentPermissionSet(ModeledAuthenticatedUser user)
+    protected ObjectPermissionSet getParentEffectivePermissionSet(ModeledAuthenticatedUser user)
             throws GuacamoleException {
 
         // Sharing profiles are children of connections
-        return user.getUser().getConnectionPermissions();
+        return user.getUser().getEffectivePermissions().getConnectionPermissions();
 
     }
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java

@@ -333,7 +333,8 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
 
     /**
      * Returns whether this user is a system administrator, and thus is not
-     * restricted by permissions.
+     * restricted by permissions, taking into account permission inheritance
+     * via user groups.
      *
      * @return
      *    true if this user is a system administrator, false otherwise.
@@ -343,7 +344,7 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
      *    status.
      */
     public boolean isAdministrator() throws GuacamoleException {
-        SystemPermissionSet systemPermissionSet = getSystemPermissions();
+        SystemPermissionSet systemPermissionSet = getEffectivePermissions().getSystemPermissions();
         return systemPermissionSet.hasPermission(SystemPermission.Type.ADMINISTER);
     }
     

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java

@@ -216,17 +216,17 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
             throws GuacamoleException {
 
         // Return whether user has explicit user creation permission
-        SystemPermissionSet permissionSet = user.getUser().getSystemPermissions();
+        SystemPermissionSet permissionSet = user.getUser().getEffectivePermissions().getSystemPermissions();
         return permissionSet.hasPermission(SystemPermission.Type.CREATE_USER);
 
     }
 
     @Override
-    protected ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user)
+    protected ObjectPermissionSet getEffectivePermissionSet(ModeledAuthenticatedUser user)
             throws GuacamoleException {
 
         // Return permissions related to users
-        return user.getUser().getUserPermissions();
+        return user.getUser().getEffectivePermissions().getUserPermissions();
 
     }