GUACAMOLE-360: Merge update active connection permission check to support user groups.

2025-09-06 21:27:40 +00:00 · 2018-10-01 21:15:51 -04:00
parent 658ce78846 ea142d15ce
commit 220d9b2994
3 changed files with 17 additions and 2 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
@@ -97,7 +97,7 @@ public class ActiveConnectionPermissionService
                permissions.add(new ObjectPermission(ObjectPermission.Type.READ, identifier));

                // If we're an admin, or the connection is ours, then we can DELETE
-                if (isAdmin || targetUser.getIdentifier().equals(record.getUsername()))
+                if (isAdmin || targetEntity.isUser(record.getUsername()))
                    permissions.add(new ObjectPermission(ObjectPermission.Type.DELETE, identifier));

            }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledPermissions.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledPermissions.java
@@ -105,6 +105,21 @@ public abstract class ModeledPermissions<ModelType extends EntityModel>
        return getModel().getEntityType() == EntityType.USER;
    }

+    /**
+     * Returns whether the underlying entity represents a specific user having
+     * the given username.
+     *
+     * @param username
+     *     The username of a user.
+     *
+     * @return
+     *     true if the underlying entity is a user that has the given username,
+     *     false otherwise.
+     */
+    public boolean isUser(String username) {
+        return isUser() && getIdentifier().equals(username);
+    }
+
    /**
     * Returns whether the underlying entity is a user group. Entities may be
     * either users or user groups.
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java
@@ -101,7 +101,7 @@ public abstract class AbstractPermissionService<PermissionSetType extends Permis
            throws GuacamoleException {

        // A user can always read their own permissions
-        if (targetEntity.isUser() && user.getUser().getIdentifier().equals(targetEntity.getIdentifier()))
+        if (targetEntity.isUser(user.getUser().getIdentifier()))
            return true;
        
        // A system adminstrator can do anything