From aa0d11fb7386f1df7d0d69dad5a20de6799d2746 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Mon, 5 Jan 2015 18:09:36 -0800
Subject: [PATCH] GUAC-992: Ignore root group when determining admin access. Take all permissions into account. Redirect to home screen if management UI cannot be used.
---
 .../app/home/controllers/homeController.js | 25 ++++++++++++++++---
 .../manage/controllers/manageController.js | 25 +++++++++++++++----
 2 files changed, 42 insertions(+), 8 deletions(-)
diff --git a/guacamole/src/main/webapp/app/home/controllers/homeController.js b/guacamole/src/main/webapp/app/home/controllers/homeController.js
index c96f3a053..728b29923 100644
--- a/guacamole/src/main/webapp/app/home/controllers/homeController.js
+++ b/guacamole/src/main/webapp/app/home/controllers/homeController.js
@@ -76,12 +76,31 @@ angular.module('home').controller('homeController', ['$scope', '$injector',
 permissionService.getPermissions(authenticationService.getCurrentUserID())
 .success(function permissionsRetrieved(permissions) {
- // Determine whether the current user can access the management UI
+ // Ignore permission to update root group
+ PermissionSet.removeConnectionGroupPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE, ConnectionGroup.ROOT_IDENTIFIER);
+
+ // Determine whether the current user needs access to the management UI
 $scope.canManageGuacamole =
+
+ // System permissions
 PermissionSet.hasSystemPermission(permissions, PermissionSet.SystemPermissionType.ADMINISTER)
- || PermissionSet.hasConnectionPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE)
+ || PermissionSet.hasSystemPermission(permissions, PermissionSet.SystemPermissionType.CREATE_CONNECTION)
+ || PermissionSet.hasSystemPermission(permissions, PermissionSet.SystemPermissionType.CREATE_CONNECTION_GROUP)
+
+ // Permission to update objects
+ || PermissionSet.hasConnectionPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE)
 || PermissionSet.hasConnectionGroupPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE)
- || PermissionSet.hasUserPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE);
+ || PermissionSet.hasUserPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE)
+
+ // Permission to delete objects
+ || PermissionSet.hasConnectionPermission(permissions, PermissionSet.ObjectPermissionType.DELETE)
+ || PermissionSet.hasConnectionGroupPermission(permissions, PermissionSet.ObjectPermissionType.DELETE)
+ || PermissionSet.hasUserPermission(permissions, PermissionSet.ObjectPermissionType.DELETE)
+
+ // Permission to administer objects
+ || PermissionSet.hasConnectionPermission(permissions, PermissionSet.ObjectPermissionType.ADMINISTER)
+ || PermissionSet.hasConnectionGroupPermission(permissions, PermissionSet.ObjectPermissionType.ADMINISTER)
+ || PermissionSet.hasUserPermission(permissions, PermissionSet.ObjectPermissionType.ADMINISTER);
 });
diff --git a/guacamole/src/main/webapp/app/manage/controllers/manageController.js b/guacamole/src/main/webapp/app/manage/controllers/manageController.js
index a1c9cf2de..e1a992191 100644
--- a/guacamole/src/main/webapp/app/manage/controllers/manageController.js
+++ b/guacamole/src/main/webapp/app/manage/controllers/manageController.js
@@ -32,6 +32,7 @@ angular.module('manage').controller('manageController', ['$scope', '$injector',
 var User = $injector.get('User');
 // Required services
+ var $location = $injector.get('$location');
 var authenticationService = $injector.get('authenticationService');
 var connectionGroupService = $injector.get('connectionGroupService');
 var permissionService = $injector.get('permissionService');
@@ -134,6 +135,9 @@ angular.module('manage').controller('manageController', ['$scope', '$injector',
 permissionService.getPermissions(authenticationService.getCurrentUserID())
 .success(function permissionsRetrieved(permissions) {
+ // Ignore permission to update root group
+ PermissionSet.removeConnectionGroupPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE, ConnectionGroup.ROOT_IDENTIFIER);
+
 // Determine whether the current user can create new users
 $scope.canCreateUsers =
 PermissionSet.hasSystemPermission(permissions, PermissionSet.SystemPermissionType.ADMINISTER)
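Review bot: In the homeController.js hunk only the UPDATE permission on the root group is stripped before the check, yet the new `canManageGuacamole` expression also tests `hasConnectionGroupPermission(permissions, ...DELETE)` and `(permissions, ...ADMINISTER)`; if the root group can ever carry either of those for an ordinary user, the management link would still be shown, contrary to the commit title. Either remove those types for `ConnectionGroup.ROOT_IDENTIFIER` as well, or, if the root group can only hold UPDATE, say so next to the call with `// Root group can only carry UPDATE, so DELETE/ADMINISTER need no filtering`. The same call is added in the manageController.js hunk at `@@ -134,6 +135,9`. `removeConnectionGroupPermission` also appears to modify `permissions` in place, so anything later in the callback that reads the object sees the filtered set; the comment should mention that. The homeController.js hunk does not show where `ConnectionGroup` is injected, so confirm it is already in scope in that controller.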
@@ -152,15 +156,26 @@ angular.module('manage').controller('manageController', ['$scope', '$injector',
 // Determine whether the current user can manage other users
 $scope.canManageUsers =
 $scope.canCreateUsers
- || PermissionSet.hasUserPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE);
+ || PermissionSet.hasUserPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE)
+ || PermissionSet.hasUserPermission(permissions, PermissionSet.ObjectPermissionType.DELETE);
- // Determine whether the current user can manage other connections
+ // Determine whether the current user can manage other connections or groups
 $scope.canManageConnections =
+
+ // Permission to manage connections
 $scope.canCreateConnections
- || $scope.canCreateConnectionGroups
 || PermissionSet.hasConnectionPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE)
- || PermissionSet.hasConnectionGroupPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE);
-
+ || PermissionSet.hasConnectionPermission(permissions, PermissionSet.ObjectPermissionType.DELETE)
+
+ // Permission to manage groups
+ || $scope.canCreateConnectionGroups
+ || PermissionSet.hasConnectionGroupPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE)
+ || PermissionSet.hasConnectionGroupPermission(permissions, PermissionSet.ObjectPermissionType.DELETE);
+
+ // Return to home if there's nothing to do here
+ if (!$scope.canManageUsers && !$scope.canManageConnections)
+ $location.path('/');
+
 });
 // Retrieve all connections for which we have UPDATE permission
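Review bot: `canManageUsers` and `canManageConnections` test UPDATE and DELETE but not `PermissionSet.ObjectPermissionType.ADMINISTER`, while the homeController.js hunk counts object-level ADMINISTER towards `canManageGuacamole`; a user holding only ADMINISTER on an object would be offered the management UI and then sent straight back by `$location.path('/')`, unless the `canCreate*` flags defined outside this hunk already cover that case. Add the matching terms, e.g. `|| PermissionSet.hasUserPermission(permissions, PermissionSet.ObjectPermissionType.ADMINISTER)` plus the connection and connection-group equivalents, or move the whole test into one helper shared by both controllers so the two cannot drift. The redirect is a client-side convenience, so a comment such as `// UI convenience only; authorization must be enforced server-side` would keep it from being read as an access control. It also runs only inside `.success`; whether a failed permission request is handled is not visible here, since the callback begins outside this hunk.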