GUAC-1101: Implement getAccessibleObjects() and supporting methods.

2025-09-06 13:17:41 +00:00 · 2015-02-28 15:07:04 -08:00
parent 03633fb902
commit 7d399a0fbe
3 changed files with 76 additions and 1 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java
@@ -22,6 +22,7 @@

 package org.glyptodon.guacamole.auth.jdbc.permission;

+import java.util.Collection;
 import org.apache.ibatis.annotations.Param;
 import org.glyptodon.guacamole.auth.jdbc.user.UserModel;
 import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
@@ -55,4 +56,28 @@ public interface ObjectPermissionMapper extends PermissionMapper<ObjectPermissio
            @Param("type") ObjectPermission.Type type,
            @Param("identifier") String identifier);

+    /**
+     * Retrieves the subset of the given identifiers for which the given user
+     * has at least one of the given permissions.
+     *
+     * @param user
+     *     The user to check permissions of.
+     *
+     * @param permissions
+     *     The permissions to check. An identifier will be included in the
+     *     resulting collection if at least one of these permissions is granted
+     *     for the associated object
+     *
+     * @param identifiers
+     *     The identifiers of the objects affected by the permissions being
+     *     checked.
+     *
+     * @return
+     *     A collection containing the subset of identifiers for which at least
+     *     one of the specified permissions is granted.
+     */
+    Collection<String> selectAccessibleIdentifiers(@Param("user") UserModel user,
+            @Param("permissions") Collection<ObjectPermission.Type> permissions,
+            @Param("identifiers") Collection<String> identifiers);
+
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ObjectPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ObjectPermissionService.java
@@ -201,4 +201,54 @@ public abstract class ObjectPermissionService
        
    }

+    /**
+     * Retrieves the subset of the given identifiers for which the given user
+     * has at least one of the given permissions.
+     *
+     * @param user
+     *     The user checking the permissions.
+     *
+     * @param targetUser
+     *     The user to check permissions of.
+     *
+     * @param permissions
+     *     The permissions to check. An identifier will be included in the
+     *     resulting collection if at least one of these permissions is granted
+     *     for the associated object
+     *
+     * @param identifiers
+     *     The identifiers of the objects affected by the permissions being
+     *     checked.
+     *
+     * @return
+     *     A collection containing the subset of identifiers for which at least
+     *     one of the specified permissions is granted.
+     *
+     * @throws GuacamoleException
+     *     If an error occurs while retrieving permissions.
+     */
+    public Collection<String> retrieveAccessibleIdentifiers(AuthenticatedUser user,
+            ModeledUser targetUser, Collection<ObjectPermission.Type> permissions,
+            Collection<String> identifiers) throws GuacamoleException {
+
+        // Determine whether the user is an admin
+        boolean isAdmin = user.getUser().isAdministrator();
+        
+        // Only an admin can read permissions that aren't his own
+        if (isAdmin || user.getUser().getIdentifier().equals(targetUser.getIdentifier())) {
+
+            // If user is an admin, everything is accessible
+            if (isAdmin)
+                return identifiers;
+
+            // Otherwise, return explicitly-retrievable identifiers
+            return getPermissionMapper().selectAccessibleIdentifiers(targetUser.getModel(), permissions, identifiers);
+            
+        }
+
+        // User cannot read this user's permissions
+        throw new GuacamoleSecurityException("Permission denied.");
+
+    }
+
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
@@ -107,7 +107,7 @@ public abstract class ObjectPermissionSet extends RestrictedObject
    @Override
    public Collection<String> getAccessibleObjects(Collection<ObjectPermission.Type> permissions,
            Collection<String> identifiers) throws GuacamoleException {
-        throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+        return getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), user, permissions, identifiers);
    }

    @Override