safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-1020: Make sure only admin users can modify restrictions.

Browse Source
This commit is contained in:
Virtually Nick
2024-09-28 19:39:59 -04:00
parent 1e04d6d366
commit 95cd386791
2 changed files with 38 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
extensions/guacamole-auth-restrict/src/main/java/org/apache/guacamole/auth/restrict/user/RestrictedUser.java
View File

@@ -43,6 +43,12 @@ public class RestrictedUser extends DelegatingUser implements Restrictable {
*/ */
private final String remoteAddress; private final String remoteAddress;
/**
* true if the user logged in to Guacamole has administrative privileges
* for this user object, otherwise false.
*/
private final boolean hasAdmin;
/** /**
* The name of the attribute that contains a list of weekdays and times (UTC) * The name of the attribute that contains a list of weekdays and times (UTC)
* that a user is allowed to log in. The presence of this attribute will * that a user is allowed to log in. The presence of this attribute will
@@ -116,9 +122,10 @@ public class RestrictedUser extends DelegatingUser implements Restrictable {
* The remote address of the client from which the current user is logged * The remote address of the client from which the current user is logged
* in. * in.
*/ */
public RestrictedUser(User user, String remoteAddress) { public RestrictedUser(User user, String remoteAddress, boolean hasAdmin) {
super(user); super(user);
this.remoteAddress = remoteAddress; this.remoteAddress = remoteAddress;
this.hasAdmin = hasAdmin;
} }
/** /**
@@ -158,6 +165,14 @@ public class RestrictedUser extends DelegatingUser implements Restrictable {
// Loop through extension-specific attributes, only sending ones // Loop through extension-specific attributes, only sending ones
// that are non-null and non-empty to the underlying storage mechanism. // that are non-null and non-empty to the underlying storage mechanism.
for (String attribute : RESTRICT_USER_ATTRIBUTES) { for (String attribute : RESTRICT_USER_ATTRIBUTES) {
/* If the user lacks admin access, don't set restriction attributes. */
if (!hasAdmin) {
attributes.remove(attribute);
continue;
}
/* Replace empty values with null values. */
String value = attributes.get(attribute); String value = attributes.get(attribute);
if (value != null && value.isEmpty()) if (value != null && value.isEmpty())
attributes.put(attribute, null); attributes.put(attribute, null);

21
extensions/guacamole-auth-restrict/src/main/java/org/apache/guacamole/auth/restrict/user/RestrictedUserContext.java
View File

@@ -34,9 +34,12 @@ import org.apache.guacamole.net.auth.ConnectionGroup;
import org.apache.guacamole.net.auth.DecoratingDirectory; import org.apache.guacamole.net.auth.DecoratingDirectory;
import org.apache.guacamole.net.auth.DelegatingUserContext; import org.apache.guacamole.net.auth.DelegatingUserContext;
import org.apache.guacamole.net.auth.Directory; import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.net.auth.User; import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.UserContext; import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.UserGroup; import org.apache.guacamole.net.auth.UserGroup;
import org.apache.guacamole.net.auth.permission.ObjectPermission;
import org.apache.guacamole.net.auth.permission.SystemPermission;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -133,11 +136,25 @@ public class RestrictedUserContext extends DelegatingUserContext {
@Override @Override
public Directory<User> getUserDirectory() throws GuacamoleException { public Directory<User> getUserDirectory() throws GuacamoleException {
// Pull permissions of the current logged-in user.
Permissions currentPermissions = self().getEffectivePermissions();
boolean isAdmin = currentPermissions.getSystemPermissions().hasPermission(
SystemPermission.Type.ADMINISTER
);
Collection<String> adminIdentifiers =
currentPermissions.getUserPermissions().getAccessibleObjects(
Collections.singletonList(ObjectPermission.Type.ADMINISTER), super.getUserDirectory().getIdentifiers());
return new DecoratingDirectory<User>(super.getUserDirectory()) { return new DecoratingDirectory<User>(super.getUserDirectory()) {
@Override @Override
protected User decorate(User object) { protected User decorate(User object) throws GuacamoleException {
return new RestrictedUser(object, remoteAddress);
// Check and see if the logged in user has admin privileges -
// either system-level or for that particular object.
boolean hasAdmin = isAdmin || adminIdentifiers.contains(object.getIdentifier());
return new RestrictedUser(object, remoteAddress, hasAdmin);
} }
@Override @Override