Merge pull request #104 from glyptodon/permission-permissions

GUAC-1113: Require only READ to read another user's permissions.
2025-09-06 21:27:40 +00:00 · 2015-03-05 17:57:49 -08:00
parent e35a26ce6a 8ae0215e5f
commit 91449624cc
2 changed files with 45 additions and 12 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ObjectPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ObjectPermissionService.java
@@ -185,9 +185,8 @@ public abstract class ObjectPermissionService
            ModeledUser targetUser, ObjectPermission.Type type,
            String identifier) throws GuacamoleException {

-        // Only an admin can read permissions that aren't his own
-        if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())
-                || user.getUser().isAdministrator()) {
+        // Retrieve permissions only if allowed
+        if (canReadPermissions(user, targetUser)) {

            // Read permission from database, return null if not found
            ObjectPermissionModel model = getPermissionMapper().selectOne(targetUser.getModel(), type, identifier);
@@ -237,14 +236,11 @@ public abstract class ObjectPermissionService
        if (identifiers.isEmpty())
            return identifiers;
        
-        // Determine whether the user is an admin
-        boolean isAdmin = user.getUser().isAdministrator();
-        
-        // Only an admin can read permissions that aren't his own
-        if (isAdmin || user.getUser().getIdentifier().equals(targetUser.getIdentifier())) {
+        // Retrieve permissions only if allowed
+        if (canReadPermissions(user, targetUser)) {

            // If user is an admin, everything is accessible
-            if (isAdmin)
+            if (user.getUser().isAdministrator())
                return identifiers;

            // Otherwise, return explicitly-retrievable identifiers
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/PermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/PermissionService.java
@@ -30,6 +30,8 @@ import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
 import org.glyptodon.guacamole.auth.jdbc.user.ModeledUser;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.glyptodon.guacamole.net.auth.permission.Permission;
 import org.glyptodon.guacamole.net.auth.permission.PermissionSet;

@@ -141,6 +143,42 @@ public abstract class PermissionService<PermissionSetType extends PermissionSet<

    }

+    /**
+     * Determines whether the given user can read the permissions currently
+     * granted to the given target user. If the reading user and the target
+     * user are not the same, then explicit READ or SYSTEM_ADMINISTER access is
+     * required.
+     *
+     * @param user
+     *     The user attempting to read permissions.
+     *
+     * @param targetUser
+     *     The user whose permissions are being read.
+     *
+     * @return
+     *     true if permission is granted, false otherwise.
+     *
+     * @throws GuacamoleException 
+     *     If an error occurs while checking permission status, or if
+     *     permission is denied to read the current user's permissions.
+     */
+    protected boolean canReadPermissions(AuthenticatedUser user,
+            ModeledUser targetUser) throws GuacamoleException {
+
+        // A user can always read their own permissions
+        if (user.getUser().getIdentifier().equals(targetUser.getIdentifier()))
+            return true;
+        
+        // A system adminstrator can do anything
+        if (user.getUser().isAdministrator())
+            return true;
+
+        // Can read permissions on target user if explicit READ is granted
+        ObjectPermissionSet userPermissionSet = user.getUser().getUserPermissions();
+        return userPermissionSet.hasPermission(ObjectPermission.Type.READ, targetUser.getIdentifier());
+
+    }
+
    /**
     * Returns a permission set that can be used to retrieve and manipulate the
     * permissions of the given user.
@@ -183,9 +221,8 @@ public abstract class PermissionService<PermissionSetType extends PermissionSet<
    public Set<PermissionType> retrievePermissions(AuthenticatedUser user,
            ModeledUser targetUser) throws GuacamoleException {

-        // Only an admin can read permissions that aren't his own
-        if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())
-                || user.getUser().isAdministrator())
+        // Retrieve permissions only if allowed
+        if (canReadPermissions(user, targetUser))
            return getPermissionInstances(getPermissionMapper().select(targetUser.getModel()));

        // User cannot read this user's permissions