GUAC-1113: Require only READ to read another user's permissions.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ObjectPermissionService.java

@@ -185,9 +185,8 @@ public abstract class ObjectPermissionService
             ModeledUser targetUser, ObjectPermission.Type type,
             String identifier) throws GuacamoleException {
 
-        // Only an admin can read permissions that aren't his own
-        if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())
-                || user.getUser().isAdministrator()) {
+        // Retrieve permissions only if allowed
+        if (canReadPermissions(user, targetUser)) {
 
             // Read permission from database, return null if not found
             ObjectPermissionModel model = getPermissionMapper().selectOne(targetUser.getModel(), type, identifier);
@@ -237,14 +236,11 @@ public abstract class ObjectPermissionService
         if (identifiers.isEmpty())
             return identifiers;
         
-        // Determine whether the user is an admin
-        boolean isAdmin = user.getUser().isAdministrator();
-        
-        // Only an admin can read permissions that aren't his own
-        if (isAdmin || user.getUser().getIdentifier().equals(targetUser.getIdentifier())) {
+        // Retrieve permissions only if allowed
+        if (canReadPermissions(user, targetUser)) {
 
             // If user is an admin, everything is accessible
-            if (isAdmin)
+            if (user.getUser().isAdministrator())
                 return identifiers;
 
             // Otherwise, return explicitly-retrievable identifiers

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/PermissionService.java

@@ -30,6 +30,8 @@ import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
 import org.glyptodon.guacamole.auth.jdbc.user.ModeledUser;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.glyptodon.guacamole.net.auth.permission.Permission;
 import org.glyptodon.guacamole.net.auth.permission.PermissionSet;
 
@@ -141,6 +143,42 @@ public abstract class PermissionService<PermissionSetType extends PermissionSet<
 
     }
 
+    /**
+     * Determines whether the given user can read the permissions currently
+     * granted to the given target user. If the reading user and the target
+     * user are not the same, then explicit READ or SYSTEM_ADMINISTER access is
+     * required.
+     *
+     * @param user
+     *     The user attempting to read permissions.
+     *
+     * @param targetUser
+     *     The user whose permissions are being read.
+     *
+     * @return
+     *     true if permission is granted, false otherwise.
+     *
+     * @throws GuacamoleException 
+     *     If an error occurs while checking permission status, or if
+     *     permission is denied to read the current user's permissions.
+     */
+    protected boolean canReadPermissions(AuthenticatedUser user,
+            ModeledUser targetUser) throws GuacamoleException {
+
+        // A user can always read their own permissions
+        if (user.getUser().getIdentifier().equals(targetUser.getIdentifier()))
+            return true;
+        
+        // A system adminstrator can do anything
+        if (user.getUser().isAdministrator())
+            return true;
+
+        // Can read permissions on target user if explicit READ is granted
+        ObjectPermissionSet userPermissionSet = user.getUser().getUserPermissions();
+        return userPermissionSet.hasPermission(ObjectPermission.Type.READ, targetUser.getIdentifier());
+
+    }
+
     /**
      * Returns a permission set that can be used to retrieve and manipulate the
      * permissions of the given user.
@@ -183,9 +221,8 @@ public abstract class PermissionService<PermissionSetType extends PermissionSet<
     public Set<PermissionType> retrievePermissions(AuthenticatedUser user,
             ModeledUser targetUser) throws GuacamoleException {
 
-        // Only an admin can read permissions that aren't his own
-        if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())
-                || user.getUser().isAdministrator())
+        // Retrieve permissions only if allowed
+        if (canReadPermissions(user, targetUser))
             return getPermissionInstances(getPermissionMapper().select(targetUser.getModel()));
 
         // User cannot read this user's permissions