GUACAMOLE-220: Allow manipulation and retrieval of user group permissions via JavaScript.

2025-09-12 07:57:41 +00:00 · 2018-04-19 14:39:04 -07:00
parent 9f01fcb155
commit 55bcf25a1c
3 changed files with 163 additions and 33 deletions
--- a/guacamole/src/main/webapp/app/rest/services/permissionService.js
+++ b/guacamole/src/main/webapp/app/rest/services/permissionService.js
@@ -45,6 +45,11 @@ angular.module('rest').factory('permissionService', ['$injector',
     * within that data source (and thus cannot be found beneath
     * "api/session/data/{dataSource}/users")
     *
+     * NOTE: Unlike getPermissionsResourceURL(),
+     * getEffectivePermissionsResourceURL() CANNOT be applied to user groups.
+     * Only users have retrievable effective permissions as far as the REST API
+     * is concerned.
+     *
     * @param {String} dataSource
     *     The unique identifier of the data source containing the user whose
     *     permissions should be retrieved. This identifier corresponds to an
@@ -82,6 +87,10 @@ angular.module('rest').factory('permissionService', ['$injector',
     * from the permissions returned via getPermissions() in that permissions
     * which are not directly granted to the user are included.
     *
+     * NOTE: Unlike getPermissions(), getEffectivePermissions() CANNOT be
+     * applied to user groups. Only users have retrievable effective
+     * permissions as far as the REST API is concerned.
+     *
     * @param {String} dataSource
     *     The unique identifier of the data source containing the user whose
     *     permissions should be retrieved. This identifier corresponds to an
@@ -113,10 +122,10 @@ angular.module('rest').factory('permissionService', ['$injector',

    /**
     * Returns the URL for the REST resource most appropriate for accessing
-     * the permissions of the user having the given identifier. The permissions
-     * retrieved differ from effective permissions (those returned by
-     * getEffectivePermissions()) in that only permissions which are directly
-     * granted to the user are included.
+     * the permissions of the user or group having the given identifier. The
+     * permissions retrieved differ from effective permissions (those returned
+     * by getEffectivePermissions()) in that only permissions which are directly
+     * granted to the user or group are included.
     * 
     * It is important to note that a particular data source can authenticate
     * and provide permissions for a user, even if that user does not exist
@@ -129,18 +138,27 @@ angular.module('rest').factory('permissionService', ['$injector',
     *     AuthenticationProvider within the Guacamole web application.
     *
     * @param {String} identifier
-     *     The identifier of the user for which the URL of the proper REST
-     *     resource should be derived.
+     *     The identifier of the user or group for which the URL of the proper
+     *     REST resource should be derived.
+     *
+     * @param {Boolean} [group]
+     *     Whether the provided identifier refers to a user group. If false or
+     *     omitted, the identifier given is assumed to refer to a user.
     *
     * @returns {String}
-     *     The URL for the REST resource representing the user having the given
-     *     identifier.
+     *     The URL for the REST resource representing the user or group having
+     *     the given identifier.
     */
-    var getPermissionsResourceURL = function getPermissionsResourceURL(dataSource, identifier) {
+    var getPermissionsResourceURL = function getPermissionsResourceURL(dataSource, identifier, group) {

        // Create base URL for data source
        var base = 'api/session/data/' + encodeURIComponent(dataSource);

+        // Access group permissions directly (there is no "self" for user groups
+        // as there is for users)
+        if (group)
+            return base + '/userGroups/' + encodeURIComponent(identifier) + '/permissions';
+
        // If the username is that of the current user, do not rely on the
        // user actually existing (they may not). Access their permissions via
        // "self" rather than the collection of defined users.
@@ -155,36 +173,41 @@ angular.module('rest').factory('permissionService', ['$injector',

    /**
     * Makes a request to the REST API to get the list of permissions for a
-     * given user, returning a promise that provides an array of
+     * given user or user group, returning a promise that provides an array of
     * @link{Permission} objects if successful. The permissions retrieved
     * differ from effective permissions (those returned by
-     * getEffectivePermissions()) in that only permissions which are directly
-     * granted to the user included.
+     * getEffectivePermissions()) in that both users and groups may be queried,
+     * and only permissions which are directly granted to the user or group are
+     * included.
     * 
     * @param {String} dataSource
-     *     The unique identifier of the data source containing the user whose
-     *     permissions should be retrieved. This identifier corresponds to an
-     *     AuthenticationProvider within the Guacamole web application.
+     *     The unique identifier of the data source containing the user or group
+     *     whose permissions should be retrieved. This identifier corresponds to
+     *     an AuthenticationProvider within the Guacamole web application.
     *
     * @param {String} identifier
-     *     The identifier of the user to retrieve the permissions for.
+     *     The identifier of the user or group to retrieve the permissions for.
+     *
+     * @param {Boolean} [group]
+     *     Whether the provided identifier refers to a user group. If false or
+     *     omitted, the identifier given is assumed to refer to a user.
     *
     * @returns {Promise.<PermissionSet>}
     *     A promise which will resolve with a @link{PermissionSet} upon
     *     success.
     */
-    service.getPermissions = function getPermissions(dataSource, identifier) {
+    service.getPermissions = function getPermissions(dataSource, identifier, group) {

        // Build HTTP parameters set
        var httpParameters = {
            token : authenticationService.getCurrentToken()
        };

-        // Retrieve user permissions
+        // Retrieve user/group permissions
        return requestService({
            cache   : cacheService.users,
            method  : 'GET',
-            url     : getPermissionsResourceURL(dataSource, identifier),
+            url     : getPermissionsResourceURL(dataSource, identifier, group),
            params  : httpParameters
        });

@@ -261,6 +284,10 @@ angular.module('rest').factory('permissionService', ['$injector',
        addObjectPatchOperations(patch, operation, "/userPermissions",
            permissions.userPermissions);

+        // Add user group permission operations to patch
+        addObjectPatchOperations(patch, operation, "/userGroupPermissions",
+            permissions.userGroupPermissions);
+
        // Add system operations to patch
        permissions.systemPermissions.forEach(function addSystemPatch(type) {
            patch.push({
@@ -274,18 +301,18 @@ angular.module('rest').factory('permissionService', ['$injector',
            
    /**
     * Makes a request to the REST API to modify the permissions for a given
-     * user, returning a promise that can be used for processing the results of
-     * the call. This request affects only the permissions directly granted to
-     * the user, and may not affect permissions inherited through other means
-     * (effective permissions).
+     * user or group, returning a promise that can be used for processing the
+     * results of the call. This request affects only the permissions directly
+     * granted to the user or group, and may not affect permissions inherited
+     * through other means (effective permissions).
     * 
     * @param {String} dataSource
-     *     The unique identifier of the data source containing the user whose
-     *     permissions should be modified. This identifier corresponds to an
-     *     AuthenticationProvider within the Guacamole web application.
+     *     The unique identifier of the data source containing the user or group
+     *     whose permissions should be modified. This identifier corresponds to
+     *     an AuthenticationProvider within the Guacamole web application.
     *
     * @param {String} identifier
-     *     The identifier of the user to modify the permissions of.
+     *     The identifier of the user or group to modify the permissions of.
     *                          
     * @param {PermissionSet} [permissionsToAdd]
     *     The set of permissions to add, if any.
@@ -293,12 +320,16 @@ angular.module('rest').factory('permissionService', ['$injector',
     * @param {PermissionSet} [permissionsToRemove]
     *     The set of permissions to remove, if any.
     *
+     * @param {Boolean} [group]
+     *     Whether the provided identifier refers to a user group. If false or
+     *     omitted, the identifier given is assumed to refer to a user.
+     *
     * @returns {Promise}
     *     A promise for the HTTP call which will succeed if and only if the
     *     patch operation is successful.
     */
    service.patchPermissions = function patchPermissions(dataSource, identifier,
-            permissionsToAdd, permissionsToRemove) {
+            permissionsToAdd, permissionsToRemove, group) {

        var permissionPatch = [];
        
@@ -313,10 +344,10 @@ angular.module('rest').factory('permissionService', ['$injector',
        // Add all the remove operations to the patch
        addPatchOperations(permissionPatch, PermissionPatch.Operation.REMOVE, permissionsToRemove);

-        // Patch user permissions
+        // Patch user/group permissions
        return requestService({
            method  : 'PATCH', 
-            url     : getPermissionsResourceURL(dataSource, identifier),
+            url     : getPermissionsResourceURL(dataSource, identifier, group),
            params  : httpParameters,
            data    : permissionPatch
        })