From 4bcadac53bba9eccd621bc0cf80d66d8641718d9 Mon Sep 17 00:00:00 2001
From: Michael Jumper <mike.jumper@guac-dev.org>
Date: Mon, 4 Mar 2013 00:09:30 -0800
Subject: [PATCH] Prevent foot shooting.

---
 .../guacamole/net/auth/mysql/UserDirectory.java     | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java
index 228c64710..67ce9c38c 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java
@@ -517,14 +517,21 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
      * @param user_id The ID of the user whose permissions should be updated.
      * @param permissions The permissions the given user should no longer have
      *                    when this operation completes.
+     * @throws GuacamoleException If the permissions specified could not be
+     *                            removed due to system restrictions.
      */
     private void deleteSystemPermissions(int user_id,
-            Collection<SystemPermission> permissions) {
+            Collection<SystemPermission> permissions)
+            throws GuacamoleException {
 
         // If no permissions given, stop now
         if (permissions.isEmpty())
             return;
 
+        // Prevent self-de-adminifying
+        if (user_id == this.user_id)
+            throw new GuacamoleClientException("Removing your own administrative permissions is not allowed.");
+        
         // Build list of requested system permissions
         List<String> systemPermissionTypes = new ArrayList<String>();
         for (SystemPermission permission : permissions)
@@ -575,6 +582,10 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
         // Get user pending deletion
         MySQLUser user = userService.retrieveUser(identifier);
 
+        // Prevent self-deletion
+        if (user.getUserID() == this.user_id)
+            throw new GuacamoleClientException("Deleting your own user is not allowed.");
+        
         // Validate current user has permission to remove the specified user
         permissionCheckService.verifyUserAccess(this.user_id,
                 user.getUserID(),