safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-07 05:31:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUAC-943: Deny access to connection parameters when user lacks permission to update that connection.

Browse Source
This commit is contained in:
Michael Jumper
2014-12-27 22:08:12 -08:00
parent e49f427070
commit 4322d8fa0a
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/connection/ConnectionRESTService.java
View File

@@ -37,11 +37,17 @@ import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MediaType;
import org.glyptodon.guacamole.GuacamoleClientException; import org.glyptodon.guacamole.GuacamoleClientException;
import org.glyptodon.guacamole.GuacamoleException; import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.net.auth.Connection; import org.glyptodon.guacamole.net.auth.Connection;
import org.glyptodon.guacamole.net.auth.ConnectionGroup; import org.glyptodon.guacamole.net.auth.ConnectionGroup;
import org.glyptodon.guacamole.net.auth.ConnectionRecord; import org.glyptodon.guacamole.net.auth.ConnectionRecord;
import org.glyptodon.guacamole.net.auth.Directory; import org.glyptodon.guacamole.net.auth.Directory;
import org.glyptodon.guacamole.net.auth.User;
import org.glyptodon.guacamole.net.auth.UserContext; import org.glyptodon.guacamole.net.auth.UserContext;
import org.glyptodon.guacamole.net.auth.permission.ConnectionPermission;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
import org.glyptodon.guacamole.net.auth.permission.Permission;
import org.glyptodon.guacamole.net.auth.permission.SystemPermission;
import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure; import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure;
import org.glyptodon.guacamole.net.basic.rest.ObjectRetrievalService; import org.glyptodon.guacamole.net.basic.rest.ObjectRetrievalService;
import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService; import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService;
@@ -63,6 +69,12 @@ public class ConnectionRESTService {
* Logger for this class. * Logger for this class.
*/ */
private static final Logger logger = LoggerFactory.getLogger(ConnectionRESTService.class); private static final Logger logger = LoggerFactory.getLogger(ConnectionRESTService.class);
/**
* System administration permission.
*/
private static final Permission SYSTEM_PERMISSION =
new SystemPermission(SystemPermission.Type.ADMINISTER);
/** /**
* A service for authenticating users from auth tokens. * A service for authenticating users from auth tokens.
@@ -128,6 +140,12 @@ public class ConnectionRESTService {
@PathParam("connectionID") String connectionID) throws GuacamoleException { @PathParam("connectionID") String connectionID) throws GuacamoleException {
UserContext userContext = authenticationService.getUserContext(authToken); UserContext userContext = authenticationService.getUserContext(authToken);
User self = userContext.self();
// Deny access if adminstrative or update permission is missing
if (!self.hasPermission(SYSTEM_PERMISSION)
&& !self.hasPermission(new ConnectionPermission(ObjectPermission.Type.UPDATE, connectionID)))
throw new GuacamoleSecurityException("Permission to read connection parameters denied.");
// Retrieve the requested connection // Retrieve the requested connection
Connection connection = retrievalService.retrieveConnection(userContext, connectionID); Connection connection = retrievalService.retrieveConnection(userContext, connectionID);