GUACAMOLE-220: Merge add base extension API support for user groups.

2025-09-06 13:17:41 +00:00 · 2018-04-22 15:45:46 -04:00
parent 456ad7f28e e75e9715f7
commit 1ac08257bc
35 changed files with 875 additions and 167 deletions
--- a/guacamole/src/main/java/org/apache/guacamole/rest/connection/ConnectionResource.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/connection/ConnectionResource.java
@@ -35,9 +35,9 @@ import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.net.auth.Connection;
 import org.apache.guacamole.net.auth.ConnectionRecord;
 import org.apache.guacamole.net.auth.Directory;
+import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.rest.directory.DirectoryView;
 import org.apache.guacamole.net.auth.SharingProfile;
-import org.apache.guacamole.net.auth.User;
 import org.apache.guacamole.net.auth.UserContext;
 import org.apache.guacamole.net.auth.permission.ObjectPermission;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -119,11 +119,12 @@ public class ConnectionResource extends DirectoryObjectResource<Connection, APIC
    public Map<String, String> getConnectionParameters()
            throws GuacamoleException {

-        User self = userContext.self();
+        // Pull effective permissions
+        Permissions effective = userContext.self().getEffectivePermissions();

        // Retrieve permission sets
-        SystemPermissionSet systemPermissions = self.getSystemPermissions();
-        ObjectPermissionSet connectionPermissions = self.getConnectionPermissions();
+        SystemPermissionSet systemPermissions = effective.getSystemPermissions();
+        ObjectPermissionSet connectionPermissions = effective.getConnectionPermissions();

        // Deny access if adminstrative or update permission is missing
        String identifier = connection.getIdentifier();
--- a/guacamole/src/main/java/org/apache/guacamole/rest/connectiongroup/ConnectionGroupTree.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/connectiongroup/ConnectionGroupTree.java
@@ -29,8 +29,8 @@ import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.net.auth.Connection;
 import org.apache.guacamole.net.auth.ConnectionGroup;
 import org.apache.guacamole.net.auth.Directory;
+import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.SharingProfile;
-import org.apache.guacamole.net.auth.User;
 import org.apache.guacamole.net.auth.UserContext;
 import org.apache.guacamole.net.auth.permission.ObjectPermission;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -356,9 +356,9 @@ public class ConnectionGroupTree {
        retrievedGroups.put(root.getIdentifier(), this.rootAPIGroup);

        // Store user's current permissions
-        User self = userContext.self();
-        this.connectionPermissions = self.getConnectionPermissions();
-        this.sharingProfilePermissions = self.getSharingProfilePermissions();
+        Permissions effective = userContext.self().getEffectivePermissions();
+        this.connectionPermissions = effective.getConnectionPermissions();
+        this.sharingProfilePermissions = effective.getSharingProfilePermissions();

        // Store required directories
        this.connectionDirectory = userContext.getConnectionDirectory();
--- a/guacamole/src/main/java/org/apache/guacamole/rest/directory/DirectoryResource.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/directory/DirectoryResource.java
@@ -37,7 +37,7 @@ import org.apache.guacamole.GuacamoleResourceNotFoundException;
 import org.apache.guacamole.GuacamoleUnsupportedException;
 import org.apache.guacamole.net.auth.Directory;
 import org.apache.guacamole.net.auth.Identifiable;
-import org.apache.guacamole.net.auth.User;
+import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.UserContext;
 import org.apache.guacamole.net.auth.permission.ObjectPermission;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -142,14 +142,14 @@ public abstract class DirectoryResource<InternalType extends Identifiable, Exter
            throws GuacamoleException {

        // An admin user has access to all objects
-        User self = userContext.self();
-        SystemPermissionSet systemPermissions = self.getSystemPermissions();
+        Permissions effective = userContext.self().getEffectivePermissions();
+        SystemPermissionSet systemPermissions = effective.getSystemPermissions();
        boolean isAdmin = systemPermissions.hasPermission(SystemPermission.Type.ADMINISTER);

        // Filter objects, if requested
        Collection<String> identifiers = directory.getIdentifiers();
        if (!isAdmin && permissions != null && !permissions.isEmpty()) {
-            ObjectPermissionSet objectPermissions = self.getUserPermissions();
+            ObjectPermissionSet objectPermissions = effective.getUserPermissions();
            identifiers = objectPermissions.getAccessibleObjects(permissions, identifiers);
        }

--- a/guacamole/src/main/java/org/apache/guacamole/rest/permission/APIPermissionSet.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/permission/APIPermissionSet.java
@@ -24,20 +24,20 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
 import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.net.auth.User;
+import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.permission.ObjectPermission;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.net.auth.permission.SystemPermission;
 import org.apache.guacamole.net.auth.permission.SystemPermissionSet;

 /**
- * The set of permissions which are granted to a specific user, organized by
- * object type and, if applicable, identifier. This object can be constructed
- * with arbitrary permissions present, or manipulated after creation through
- * the manipulation or replacement of its collections of permissions, but is
- * otherwise not intended for internal use as a data structure for permissions.
- * Its primary purpose is as a hierarchical format for exchanging granted
- * permissions with REST clients.
+ * The set of permissions which are granted to a specific user or user group,
+ * organized by object type and, if applicable, identifier. This object can be
+ * constructed with arbitrary permissions present, or manipulated after creation
+ * through the manipulation or replacement of its collections of permissions,
+ * but is otherwise not intended for internal use as a data structure for
+ * permissions. Its primary purpose is as a hierarchical format for exchanging
+ * granted permissions with REST clients.
 */
 public class APIPermissionSet {

@@ -146,24 +146,23 @@ public class APIPermissionSet {
    
    /**
     * Creates a new permission set containing all permissions currently
-     * granted to the given user.
+     * granted within the given Permissions object.
     *
-     * @param user
-     *     The user whose permissions should be stored within this permission
-     *     set.
+     * @param permissions
+     *     The permissions that should be stored within this permission set.
     *
     * @throws GuacamoleException
-     *     If an error occurs while retrieving the user's permissions.
+     *     If an error occurs while retrieving the permissions.
     */
-    public APIPermissionSet(User user) throws GuacamoleException {
+    public APIPermissionSet(Permissions permissions) throws GuacamoleException {

        // Add all permissions from the provided user
-        addSystemPermissions(systemPermissions,           user.getSystemPermissions());
-        addObjectPermissions(connectionPermissions,       user.getConnectionPermissions());
-        addObjectPermissions(connectionGroupPermissions,  user.getConnectionGroupPermissions());
-        addObjectPermissions(sharingProfilePermissions,   user.getSharingProfilePermissions());
-        addObjectPermissions(activeConnectionPermissions, user.getActiveConnectionPermissions());
-        addObjectPermissions(userPermissions,             user.getUserPermissions());
+        addSystemPermissions(systemPermissions,           permissions.getSystemPermissions());
+        addObjectPermissions(connectionPermissions,       permissions.getConnectionPermissions());
+        addObjectPermissions(connectionGroupPermissions,  permissions.getConnectionGroupPermissions());
+        addObjectPermissions(sharingProfilePermissions,   permissions.getSharingProfilePermissions());
+        addObjectPermissions(activeConnectionPermissions, permissions.getActiveConnectionPermissions());
+        addObjectPermissions(userPermissions,             permissions.getUserPermissions());
        
    }

@@ -229,7 +228,7 @@ public class APIPermissionSet {

    /**
     * Returns a map of user IDs to the set of permissions granted for that
-     * user. If no permissions are granted to a particular user, its ID will
+     * user. If no permissions are granted for a particular user, its ID will
     * not be present as a key in the map. This map is mutable, and changes to
     * to this map will affect the permission set directly.
     *
--- a/guacamole/src/main/java/org/apache/guacamole/rest/sharingprofile/SharingProfileResource.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/sharingprofile/SharingProfileResource.java
@@ -30,8 +30,8 @@ import javax.ws.rs.core.MediaType;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.net.auth.Directory;
+import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.SharingProfile;
-import org.apache.guacamole.net.auth.User;
 import org.apache.guacamole.net.auth.UserContext;
 import org.apache.guacamole.net.auth.permission.ObjectPermission;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -103,11 +103,12 @@ public class SharingProfileResource
    public Map<String, String> getParameters()
            throws GuacamoleException {

-        User self = userContext.self();
+        // Pull effective permissions
+        Permissions effective = userContext.self().getEffectivePermissions();

        // Retrieve permission sets
-        SystemPermissionSet systemPermissions = self.getSystemPermissions();
-        ObjectPermissionSet sharingProfilePermissions = self.getSharingProfilePermissions();
+        SystemPermissionSet systemPermissions = effective.getSystemPermissions();
+        ObjectPermissionSet sharingProfilePermissions = effective.getSharingProfilePermissions();

        // Deny access if adminstrative or update permission is missing
        String identifier = sharingProfile.getIdentifier();
--- a/guacamole/src/main/java/org/apache/guacamole/rest/user/APIUserWrapper.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/user/APIUserWrapper.java
@@ -26,6 +26,8 @@ import java.util.Map;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleUnsupportedException;
 import org.apache.guacamole.net.auth.ActivityRecord;
+import org.apache.guacamole.net.auth.Permissions;
+import org.apache.guacamole.net.auth.RelatedObjectSet;
 import org.apache.guacamole.net.auth.User;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
@@ -110,12 +112,28 @@ public class APIUserWrapper implements User {
        throw new GuacamoleUnsupportedException("APIUserWrapper does not provide permission access.");
    }

+    @Override
+    public ObjectPermissionSet getUserGroupPermissions()
+            throws GuacamoleException {
+        throw new GuacamoleUnsupportedException("APIUserWrapper does not provide permission access.");
+    }
+
    @Override
    public ObjectPermissionSet getActiveConnectionPermissions()
            throws GuacamoleException {
        throw new GuacamoleUnsupportedException("APIUserWrapper does not provide permission access.");
    }

+    @Override
+    public Permissions getEffectivePermissions() throws GuacamoleException {
+        throw new GuacamoleUnsupportedException("APIUserWrapper does not provide permission access.");
+    }
+
+    @Override
+    public RelatedObjectSet getUserGroups() throws GuacamoleException {
+        throw new GuacamoleUnsupportedException("APIUserWrapper does not provide group access.");
+    }
+
    @Override
    public Date getLastActive() {
        return null;
--- a/guacamole/src/main/java/org/apache/guacamole/rest/user/UserResource.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/user/UserResource.java
@@ -43,6 +43,7 @@ import org.apache.guacamole.net.auth.credentials.GuacamoleCredentialsException;
 import org.apache.guacamole.rest.directory.DirectoryObjectResource;
 import org.apache.guacamole.rest.directory.DirectoryObjectTranslator;
 import org.apache.guacamole.rest.history.APIActivityRecord;
+import org.apache.guacamole.rest.permission.APIPermissionSet;
 import org.apache.guacamole.rest.permission.PermissionSetResource;

 /**
@@ -181,7 +182,8 @@ public class UserResource

    /**
     * Returns a resource which abstracts operations available on the overall
-     * permissions granted to the User represented by this UserResource.
+     * permissions granted directly to the User represented by this
+     * UserResource.
     *
     * @return
     *     A resource which representing the permissions granted to the User
@@ -192,4 +194,21 @@ public class UserResource
        return new PermissionSetResource(user);
    }

+    /**
+     * Returns a read-only view of the permissions effectively granted to this
+     * user, including permissions which may be inherited or implied.
+     *
+     * @return
+     *     A read-only view of the permissions effectively granted to this
+     *     user.
+     *
+     * @throws GuacamoleException
+     *     If the effective permissions for this user cannot be retrieved.
+     */
+    @GET
+    @Path("effectivePermissions")
+    public APIPermissionSet getEffectivePermissions() throws GuacamoleException {
+        return new APIPermissionSet(user.getEffectivePermissions());
+    }
+
 }
--- a/guacamole/src/main/webapp/app/manage/controllers/manageConnectionController.js
+++ b/guacamole/src/main/webapp/app/manage/controllers/manageConnectionController.js
@@ -199,7 +199,7 @@ angular.module('manage').controller('manageConnectionController', ['$scope', '$i
    });
    
    // Query the user's permissions for the current connection
-    permissionService.getPermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
+    permissionService.getEffectivePermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
    .success(function permissionsReceived(permissions) {
                
        $scope.permissions = permissions;
--- a/guacamole/src/main/webapp/app/manage/controllers/manageConnectionGroupController.js
+++ b/guacamole/src/main/webapp/app/manage/controllers/manageConnectionGroupController.js
@@ -134,7 +134,7 @@ angular.module('manage').controller('manageConnectionGroupController', ['$scope'
    });

    // Query the user's permissions for the current connection group
-    permissionService.getPermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
+    permissionService.getEffectivePermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
    .success(function permissionsReceived(permissions) {
                
        $scope.permissions = permissions;
--- a/guacamole/src/main/webapp/app/manage/controllers/manageSharingProfileController.js
+++ b/guacamole/src/main/webapp/app/manage/controllers/manageSharingProfileController.js
@@ -175,7 +175,7 @@ angular.module('manage').controller('manageSharingProfileController', ['$scope',
    });

    // Query the user's permissions for the current sharing profile
-    permissionService.getPermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
+    permissionService.getEffectivePermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
    .success(function permissionsReceived(permissions) {

        $scope.permissions = permissions;
--- a/guacamole/src/main/webapp/app/manage/controllers/manageUserController.js
+++ b/guacamole/src/main/webapp/app/manage/controllers/manageUserController.js
@@ -680,7 +680,7 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
    
    // Query the user's permissions for the current user
    dataSourceService.apply(
-        permissionService.getPermissions,
+        permissionService.getEffectivePermissions,
        dataSources,
        currentUsername
    )
--- a/guacamole/src/main/webapp/app/navigation/services/userPageService.js
+++ b/guacamole/src/main/webapp/app/navigation/services/userPageService.js
@@ -329,7 +329,7 @@ angular.module('navigation').factory('userPageService', ['$injector',

        // Retrieve current permissions
        dataSourceService.apply(
-            permissionService.getPermissions,
+            permissionService.getEffectivePermissions,
            authenticationService.getAvailableDataSources(),
            authenticationService.getCurrentUsername() 
        )
@@ -422,7 +422,7 @@ angular.module('navigation').factory('userPageService', ['$injector',

        // Retrieve current permissions
        dataSourceService.apply(
-            permissionService.getPermissions,
+            permissionService.getEffectivePermissions,
            authenticationService.getAvailableDataSources(),
            authenticationService.getCurrentUsername()
        )
--- a/guacamole/src/main/webapp/app/rest/services/permissionService.js
+++ b/guacamole/src/main/webapp/app/rest/services/permissionService.js
@@ -36,8 +36,11 @@ angular.module('rest').factory('permissionService', ['$injector',

    /**
     * Returns the URL for the REST resource most appropriate for accessing
-     * the permissions of the user having the given username.
-     * 
+     * the effective permissions of the user having the given username.
+     * Effective permissions differ from the permissions returned via
+     * getPermissions() in that permissions which are not directly granted to
+     * the user are included.
+     *
     * It is important to note that a particular data source can authenticate
     * and provide permissions for a user, even if that user does not exist
     * within that data source (and thus cannot be found beneath
@@ -56,7 +59,7 @@ angular.module('rest').factory('permissionService', ['$injector',
     *     The URL for the REST resource representing the user having the given
     *     username.
     */
-    var getPermissionsResourceURL = function getPermissionsResourceURL(dataSource, username) {
+    var getEffectivePermissionsResourceURL = function getEffectivePermissionsResourceURL(dataSource, username) {

        // Create base URL for data source
        var base = 'api/session/data/' + encodeURIComponent(dataSource);
@@ -65,19 +68,21 @@ angular.module('rest').factory('permissionService', ['$injector',
        // user actually existing (they may not). Access their permissions via
        // "self" rather than the collection of defined users.
        if (username === authenticationService.getCurrentUsername())
-            return base + '/self/permissions';
+            return base + '/self/effectivePermissions';

        // Otherwise, the user must exist for their permissions to be
        // accessible. Use the collection of defined users.
-        return base + '/users/' + encodeURIComponent(username) + '/permissions';
+        return base + '/users/' + encodeURIComponent(username) + '/effectivePermissions';

    };

    /**
-     * Makes a request to the REST API to get the list of permissions for a
-     * given user, returning a promise that provides an array of
-     * @link{Permission} objects if successful.
-     * 
+     * Makes a request to the REST API to get the list of effective permissions
+     * for a given user, returning a promise that provides an array of
+     * @link{Permission} objects if successful. Effective permissions differ
+     * from the permissions returned via getPermissions() in that permissions
+     * which are not directly granted to the user are included.
+     *
     * @param {String} dataSource
     *     The unique identifier of the data source containing the user whose
     *     permissions should be retrieved. This identifier corresponds to an
@@ -85,12 +90,12 @@ angular.module('rest').factory('permissionService', ['$injector',
     *
     * @param {String} userID
     *     The ID of the user to retrieve the permissions for.
-     *                          
+     *
     * @returns {Promise.<PermissionSet>}
     *     A promise which will resolve with a @link{PermissionSet} upon
     *     success.
     */
-    service.getPermissions = function getPermissions(dataSource, userID) {
+    service.getEffectivePermissions = function getEffectivePermissions(dataSource, userID) {

        // Build HTTP parameters set
        var httpParameters = {
@@ -101,58 +106,89 @@ angular.module('rest').factory('permissionService', ['$injector',
        return $http({
            cache   : cacheService.users,
            method  : 'GET',
-            url     : getPermissionsResourceURL(dataSource, userID),
+            url     : getEffectivePermissionsResourceURL(dataSource, userID),
            params  : httpParameters
        });

    };

    /**
-     * Makes a request to the REST API to add permissions for a given user,
-     * returning a promise that can be used for processing the results of the
-     * call.
+     * Returns the URL for the REST resource most appropriate for accessing
+     * the permissions of the user having the given identifier. The permissions
+     * retrieved differ from effective permissions (those returned by
+     * getEffectivePermissions()) in that only permissions which are directly
+     * granted to the user are included.
     * 
+     * It is important to note that a particular data source can authenticate
+     * and provide permissions for a user, even if that user does not exist
+     * within that data source (and thus cannot be found beneath
+     * "api/session/data/{dataSource}/users")
+     *
     * @param {String} dataSource
     *     The unique identifier of the data source containing the user whose
-     *     permissions should be modified. This identifier corresponds to an
+     *     permissions should be retrieved. This identifier corresponds to an
     *     AuthenticationProvider within the Guacamole web application.
     *
-     * @param {String} userID
-     *     The ID of the user to modify the permissions of.
-     *                          
-     * @param {PermissionSet} permissions
-     *     The set of permissions to add.
-     *                          
-     * @returns {Promise}
-     *     A promise for the HTTP call which will succeed if and only if the
-     *     add operation is successful.
+     * @param {String} identifier
+     *     The identifier of the user for which the URL of the proper REST
+     *     resource should be derived.
+     *
+     * @returns {String}
+     *     The URL for the REST resource representing the user having the given
+     *     identifier.
     */
-    service.addPermissions = function addPermissions(dataSource, userID, permissions) {
-        return service.patchPermissions(dataSource, userID, permissions, null);
+    var getPermissionsResourceURL = function getPermissionsResourceURL(dataSource, identifier) {
+
+        // Create base URL for data source
+        var base = 'api/session/data/' + encodeURIComponent(dataSource);
+
+        // If the username is that of the current user, do not rely on the
+        // user actually existing (they may not). Access their permissions via
+        // "self" rather than the collection of defined users.
+        if (identifier === authenticationService.getCurrentUsername())
+            return base + '/self/permissions';
+
+        // Otherwise, the user must exist for their permissions to be
+        // accessible. Use the collection of defined users.
+        return base + '/users/' + encodeURIComponent(identifier) + '/permissions';
+
    };
-    
+
    /**
-     * Makes a request to the REST API to remove permissions for a given user,
-     * returning a promise that can be used for processing the results of the
-     * call.
+     * Makes a request to the REST API to get the list of permissions for a
+     * given user, returning a promise that provides an array of
+     * @link{Permission} objects if successful. The permissions retrieved
+     * differ from effective permissions (those returned by
+     * getEffectivePermissions()) in that only permissions which are directly
+     * granted to the user included.
     * 
     * @param {String} dataSource
     *     The unique identifier of the data source containing the user whose
-     *     permissions should be modified. This identifier corresponds to an
+     *     permissions should be retrieved. This identifier corresponds to an
     *     AuthenticationProvider within the Guacamole web application.
     *
-     * @param {String} userID
-     *     The ID of the user to modify the permissions of.
-     *                          
-     * @param {PermissionSet} permissions
-     *     The set of permissions to remove.
-     *                          
-     * @returns {Promise}
-     *     A promise for the HTTP call which will succeed if and only if the
-     *     remove operation is successful.
+     * @param {String} identifier
+     *     The identifier of the user to retrieve the permissions for.
+     *
+     * @returns {Promise.<PermissionSet>}
+     *     A promise which will resolve with a @link{PermissionSet} upon
+     *     success.
     */
-    service.removePermissions = function removePermissions(dataSource, userID, permissions) {
-        return service.patchPermissions(dataSource, userID, null, permissions);
+    service.getPermissions = function getPermissions(dataSource, identifier) {
+
+        // Build HTTP parameters set
+        var httpParameters = {
+            token : authenticationService.getCurrentToken()
+        };
+
+        // Retrieve user permissions
+        return $http({
+            cache   : cacheService.users,
+            method  : 'GET',
+            url     : getPermissionsResourceURL(dataSource, identifier),
+            params  : httpParameters
+        });
+
    };

    /**
@@ -240,27 +276,30 @@ angular.module('rest').factory('permissionService', ['$injector',
    /**
     * Makes a request to the REST API to modify the permissions for a given
     * user, returning a promise that can be used for processing the results of
-     * the call.
+     * the call. This request affects only the permissions directly granted to
+     * the user, and may not affect permissions inherited through other means
+     * (effective permissions).
     * 
     * @param {String} dataSource
     *     The unique identifier of the data source containing the user whose
     *     permissions should be modified. This identifier corresponds to an
     *     AuthenticationProvider within the Guacamole web application.
     *
-     * @param {String} userID
-     *     The ID of the user to modify the permissions of.
+     * @param {String} identifier
+     *     The identifier of the user to modify the permissions of.
     *                          
     * @param {PermissionSet} [permissionsToAdd]
     *     The set of permissions to add, if any.
     *
     * @param {PermissionSet} [permissionsToRemove]
     *     The set of permissions to remove, if any.
-     *                          
+     *
     * @returns {Promise}
     *     A promise for the HTTP call which will succeed if and only if the
     *     patch operation is successful.
     */
-    service.patchPermissions = function patchPermissions(dataSource, userID, permissionsToAdd, permissionsToRemove) {
+    service.patchPermissions = function patchPermissions(dataSource, identifier,
+            permissionsToAdd, permissionsToRemove) {

        var permissionPatch = [];
        
@@ -278,7 +317,7 @@ angular.module('rest').factory('permissionService', ['$injector',
        // Patch user permissions
        return $http({
            method  : 'PATCH', 
-            url     : getPermissionsResourceURL(dataSource, userID),
+            url     : getPermissionsResourceURL(dataSource, identifier),
            params  : httpParameters,
            data    : permissionPatch
        })
--- a/guacamole/src/main/webapp/app/settings/directives/guacSettingsConnections.js
+++ b/guacamole/src/main/webapp/app/settings/directives/guacSettingsConnections.js
@@ -404,7 +404,7 @@ angular.module('settings').directive('guacSettingsConnections', [function guacSe
            };

            // Retrieve current permissions
-            permissionService.getPermissions($scope.dataSource, currentUsername)
+            permissionService.getEffectivePermissions($scope.dataSource, currentUsername)
            .success(function permissionsRetrieved(permissions) {

                // Store retrieved permissions
--- a/guacamole/src/main/webapp/app/settings/directives/guacSettingsPreferences.js
+++ b/guacamole/src/main/webapp/app/settings/directives/guacSettingsPreferences.js
@@ -185,7 +185,7 @@ angular.module('settings').directive('guacSettingsPreferences', [function guacSe
            });

            // Retrieve current permissions
-            permissionService.getPermissions(dataSource, username)
+            permissionService.getEffectivePermissions(dataSource, username)
            .success(function permissionsRetrieved(permissions) {

                // Add action for changing password if permission is granted
--- a/guacamole/src/main/webapp/app/settings/directives/guacSettingsUsers.js
+++ b/guacamole/src/main/webapp/app/settings/directives/guacSettingsUsers.js
@@ -232,7 +232,7 @@ angular.module('settings').directive('guacSettingsUsers', [function guacSettings

            // Retrieve current permissions
            dataSourceService.apply(
-                permissionService.getPermissions,
+                permissionService.getEffectivePermissions,
                dataSources,
                currentUsername
            )