GUACAMOLE-220: Correct handling of permission-filtered directory search.

The correct ObjectPermissionSet should be used to filter the identifiers
used. Previous code was always using the ObjectPermissionSet specific to
permissions affecting user objects, and thus was incorrect for all other
types of objects (connections, connection groups, etc.).

guacamole/src/main/java/org/apache/guacamole/rest/activeconnection/ActiveConnectionDirectoryResource.java

@@ -24,9 +24,12 @@ import com.google.inject.assistedinject.AssistedInject;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
+import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.net.auth.ActiveConnection;
 import org.apache.guacamole.net.auth.Directory;
+import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.UserContext;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.rest.directory.DirectoryObjectResourceFactory;
 import org.apache.guacamole.rest.directory.DirectoryObjectTranslator;
 import org.apache.guacamole.rest.directory.DirectoryResource;
@@ -67,4 +70,10 @@ public class ActiveConnectionDirectoryResource
         super(userContext, directory, translator, resourceFactory);
     }
 
+    @Override
+    protected ObjectPermissionSet getObjectPermissions(Permissions permissions)
+            throws GuacamoleException {
+        return permissions.getActiveConnectionPermissions();
+    }
+
 }

guacamole/src/main/java/org/apache/guacamole/rest/connection/ConnectionDirectoryResource.java

@@ -24,9 +24,12 @@ import com.google.inject.assistedinject.AssistedInject;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
+import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.net.auth.Connection;
 import org.apache.guacamole.net.auth.Directory;
+import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.UserContext;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.rest.directory.DirectoryObjectResourceFactory;
 import org.apache.guacamole.rest.directory.DirectoryObjectTranslator;
 import org.apache.guacamole.rest.directory.DirectoryResource;
@@ -66,4 +69,10 @@ public class ConnectionDirectoryResource
         super(userContext, directory, translator, resourceFactory);
     }
 
+    @Override
+    protected ObjectPermissionSet getObjectPermissions(Permissions permissions)
+            throws GuacamoleException {
+        return permissions.getConnectionPermissions();
+    }
+
 }

guacamole/src/main/java/org/apache/guacamole/rest/connectiongroup/ConnectionGroupDirectoryResource.java

@@ -27,7 +27,9 @@ import javax.ws.rs.core.MediaType;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.net.auth.ConnectionGroup;
 import org.apache.guacamole.net.auth.Directory;
+import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.UserContext;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.rest.directory.DirectoryObjectResource;
 import org.apache.guacamole.rest.directory.DirectoryObjectResourceFactory;
 import org.apache.guacamole.rest.directory.DirectoryObjectTranslator;
@@ -102,4 +104,10 @@ public class ConnectionGroupDirectoryResource
 
     }
 
+    @Override
+    protected ObjectPermissionSet getObjectPermissions(Permissions permissions)
+            throws GuacamoleException {
+        return permissions.getConnectionGroupPermissions();
+    }
+
 }

guacamole/src/main/java/org/apache/guacamole/rest/directory/DirectoryResource.java

@@ -119,6 +119,26 @@ public abstract class DirectoryResource<InternalType extends Identifiable, Exter
         this.resourceFactory = resourceFactory;
     }
 
+    /**
+     * Returns the ObjectPermissionSet defined within the given Permissions
+     * that represents the permissions affecting objects available within this
+     * DirectoryResource.
+     *
+     * @param permissions
+     *     The Permissions object from which the ObjectPermissionSet should be
+     *     retrieved.
+     *
+     * @return
+     *     The ObjectPermissionSet defined within the given Permissions object
+     *     that represents the permissions affecting objects available within
+     *     this DirectoryResource.
+     *
+     * @throws GuacamoleException
+     *     If an error prevents retrieval of permissions.
+     */
+    protected abstract ObjectPermissionSet getObjectPermissions(
+            Permissions permissions) throws GuacamoleException;
+
     /**
      * Returns a map of all objects available within this DirectoryResource,
      * filtering the returned map by the given permission, if specified.
@@ -149,7 +169,7 @@ public abstract class DirectoryResource<InternalType extends Identifiable, Exter
         // Filter objects, if requested
         Collection<String> identifiers = directory.getIdentifiers();
         if (!isAdmin && permissions != null && !permissions.isEmpty()) {
-            ObjectPermissionSet objectPermissions = effective.getUserPermissions();
+            ObjectPermissionSet objectPermissions = getObjectPermissions(effective);
             identifiers = objectPermissions.getAccessibleObjects(permissions, identifiers);
         }
 

guacamole/src/main/java/org/apache/guacamole/rest/sharingprofile/SharingProfileDirectoryResource.java

@@ -24,9 +24,12 @@ import com.google.inject.assistedinject.AssistedInject;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
+import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.net.auth.Directory;
+import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.SharingProfile;
 import org.apache.guacamole.net.auth.UserContext;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.rest.directory.DirectoryObjectResourceFactory;
 import org.apache.guacamole.rest.directory.DirectoryObjectTranslator;
 import org.apache.guacamole.rest.directory.DirectoryResource;
@@ -67,4 +70,10 @@ public class SharingProfileDirectoryResource
         super(userContext, directory, translator, resourceFactory);
     }
 
+    @Override
+    protected ObjectPermissionSet getObjectPermissions(Permissions permissions)
+            throws GuacamoleException {
+        return permissions.getSharingProfilePermissions();
+    }
+
 }

guacamole/src/main/java/org/apache/guacamole/rest/user/UserDirectoryResource.java

@@ -24,9 +24,12 @@ import com.google.inject.assistedinject.AssistedInject;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
+import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.net.auth.User;
 import org.apache.guacamole.net.auth.Directory;
+import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.UserContext;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.rest.directory.DirectoryObjectResourceFactory;
 import org.apache.guacamole.rest.directory.DirectoryObjectTranslator;
 import org.apache.guacamole.rest.directory.DirectoryResource;
@@ -65,4 +68,10 @@ public class UserDirectoryResource extends DirectoryResource<User, APIUser> {
         super(userContext, directory, translator, resourceFactory);
     }
 
+    @Override
+    protected ObjectPermissionSet getObjectPermissions(Permissions permissions)
+            throws GuacamoleException {
+        return permissions.getUserPermissions();
+    }
+
 }

guacamole/src/main/java/org/apache/guacamole/rest/usergroup/UserGroupDirectoryResource.java

@@ -24,9 +24,12 @@ import com.google.inject.assistedinject.AssistedInject;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
+import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.net.auth.UserGroup;
 import org.apache.guacamole.net.auth.Directory;
+import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.UserContext;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.rest.directory.DirectoryObjectResourceFactory;
 import org.apache.guacamole.rest.directory.DirectoryObjectTranslator;
 import org.apache.guacamole.rest.directory.DirectoryResource;
@@ -65,4 +68,10 @@ public class UserGroupDirectoryResource extends DirectoryResource<UserGroup, API
         super(userContext, directory, translator, resourceFactory);
     }
 
+    @Override
+    protected ObjectPermissionSet getObjectPermissions(Permissions permissions)
+            throws GuacamoleException {
+        return permissions.getUserGroupPermissions();
+    }
+
 }