GUAC-1132: Move canReadPermissions() into AbstractPermissionService.

2025-09-06 05:07:41 +00:00 · 2015-03-20 18:24:17 -07:00
parent f9584bb59d
commit 2179f7b143
2 changed files with 85 additions and 39 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/AbstractPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/AbstractPermissionService.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2015 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.glyptodon.guacamole.auth.jdbc.permission;
+
+import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
+import org.glyptodon.guacamole.auth.jdbc.user.ModeledUser;
+import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
+import org.glyptodon.guacamole.net.auth.permission.Permission;
+import org.glyptodon.guacamole.net.auth.permission.PermissionSet;
+
+/**
+ * Abstract PermissionService implementation which provides additional
+ * convenience methods for enforcing the permission model.
+ *
+ * @author Michael Jumper
+ * @param <PermissionSetType>
+ *     The type of permission sets this service provides access to.
+ *
+ * @param <PermissionType>
+ *     The type of permission this service provides access to.
+ */
+public abstract class AbstractPermissionService<PermissionSetType extends PermissionSet<PermissionType>,
+        PermissionType extends Permission>
+    implements PermissionService<PermissionSetType, PermissionType> {
+
+    /**
+     * Determines whether the given user can read the permissions currently
+     * granted to the given target user. If the reading user and the target
+     * user are not the same, then explicit READ or SYSTEM_ADMINISTER access is
+     * required.
+     *
+     * @param user
+     *     The user attempting to read permissions.
+     *
+     * @param targetUser
+     *     The user whose permissions are being read.
+     *
+     * @return
+     *     true if permission is granted, false otherwise.
+     *
+     * @throws GuacamoleException 
+     *     If an error occurs while checking permission status, or if
+     *     permission is denied to read the current user's permissions.
+     */
+    protected boolean canReadPermissions(AuthenticatedUser user,
+            ModeledUser targetUser) throws GuacamoleException {
+
+        // A user can always read their own permissions
+        if (user.getUser().getIdentifier().equals(targetUser.getIdentifier()))
+            return true;
+        
+        // A system adminstrator can do anything
+        if (user.getUser().isAdministrator())
+            return true;
+
+        // Can read permissions on target user if explicit READ is granted
+        ObjectPermissionSet userPermissionSet = user.getUser().getUserPermissions();
+        return userPermissionSet.hasPermission(ObjectPermission.Type.READ, targetUser.getIdentifier());
+
+    }
+
+}
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ModeledPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ModeledPermissionService.java
@@ -30,8 +30,6 @@ import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
 import org.glyptodon.guacamole.auth.jdbc.user.ModeledUser;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleSecurityException;
-import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
-import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.glyptodon.guacamole.net.auth.permission.Permission;
 import org.glyptodon.guacamole.net.auth.permission.PermissionSet;

@@ -54,7 +52,7 @@ import org.glyptodon.guacamole.net.auth.permission.PermissionSet;
 */
 public abstract class ModeledPermissionService<PermissionSetType extends PermissionSet<PermissionType>,
        PermissionType extends Permission, ModelType>
-    implements PermissionService<PermissionSetType, PermissionType> {
+    extends AbstractPermissionService<PermissionSetType, PermissionType> {

    /**
     * Returns an instance of a mapper for the type of permission used by this
@@ -144,42 +142,6 @@ public abstract class ModeledPermissionService<PermissionSetType extends Permiss

    }

-    /**
-     * Determines whether the given user can read the permissions currently
-     * granted to the given target user. If the reading user and the target
-     * user are not the same, then explicit READ or SYSTEM_ADMINISTER access is
-     * required.
-     *
-     * @param user
-     *     The user attempting to read permissions.
-     *
-     * @param targetUser
-     *     The user whose permissions are being read.
-     *
-     * @return
-     *     true if permission is granted, false otherwise.
-     *
-     * @throws GuacamoleException 
-     *     If an error occurs while checking permission status, or if
-     *     permission is denied to read the current user's permissions.
-     */
-    protected boolean canReadPermissions(AuthenticatedUser user,
-            ModeledUser targetUser) throws GuacamoleException {
-
-        // A user can always read their own permissions
-        if (user.getUser().getIdentifier().equals(targetUser.getIdentifier()))
-            return true;
-        
-        // A system adminstrator can do anything
-        if (user.getUser().isAdministrator())
-            return true;
-
-        // Can read permissions on target user if explicit READ is granted
-        ObjectPermissionSet userPermissionSet = user.getUser().getUserPermissions();
-        return userPermissionSet.hasPermission(ObjectPermission.Type.READ, targetUser.getIdentifier());
-
-    }
-
    @Override
    public Set<PermissionType> retrievePermissions(AuthenticatedUser user,
            ModeledUser targetUser) throws GuacamoleException {