From 402bdaee341294710cc5af94e8d334f7d7488d51 Mon Sep 17 00:00:00 2001
From: Michael Jumper <mike.jumper@guac-dev.org>
Date: Thu, 15 Aug 2013 01:08:32 -0700
Subject: [PATCH] Do not attempt to list groups unless we can expect to have
 the rights to do so.

---
 .../net/basic/crud/connections/List.java          | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/connections/List.java b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/connections/List.java
index 2ef6af751..49eda14e3 100644
--- a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/connections/List.java
+++ b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/connections/List.java
@@ -34,6 +34,7 @@ import net.sourceforge.guacamole.net.auth.ConnectionRecord;
 import net.sourceforge.guacamole.net.auth.Directory;
 import net.sourceforge.guacamole.net.auth.User;
 import net.sourceforge.guacamole.net.auth.UserContext;
+import net.sourceforge.guacamole.net.auth.permission.ConnectionGroupPermission;
 import net.sourceforge.guacamole.net.auth.permission.ConnectionPermission;
 import net.sourceforge.guacamole.net.auth.permission.ObjectPermission;
 import net.sourceforge.guacamole.net.auth.permission.Permission;
@@ -123,9 +124,17 @@ public class List extends AuthenticatingHttpServlet {
 
         }
 
-        // Write contained groups and connections
-        writeConnections(self, xml, group.getConnectionDirectory());
-        writeConnectionGroups(self, xml, group.getConnectionGroupDirectory());
+        Permission group_admin_permission = new ConnectionGroupPermission(
+                ObjectPermission.Type.ADMINISTER, group.getIdentifier());
+
+        // Attempt to list contained groups and connections ONLY if the group
+        // is organizational or we have admin rights to it
+        if (group.getType() == ConnectionGroup.Type.ORGANIZATIONAL
+                || self.hasPermission(SYSTEM_PERMISSION)
+                || self.hasPermission(group_admin_permission)) {
+            writeConnections(self, xml, group.getConnectionDirectory());
+            writeConnectionGroups(self, xml, group.getConnectionGroupDirectory());
+        }
 
         // End of group
         xml.writeEndElement();