From a39d86379730f5a163e8a2c96ac5f9ecaeefa4ec Mon Sep 17 00:00:00 2001 From: Michael Jumper Date: Sun, 8 Apr 2018 00:27:16 -0700 Subject: [PATCH] GUACAMOLE-220: Take group "disabled" flag into account when determining effective groups. Do not inherit from nor apply disabled groups. --- .../apache/guacamole/auth/jdbc/base/EntityMapper.xml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml index b2ae26c35..ca779a218 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml @@ -27,6 +27,7 @@ * SQL fragment which tests whether the value of the given column matches * the given entity ID. If group identifiers are provided, the IDs of the * entities for all groups having those identifiers are tested, as well. + * Disabled groups are ignored. * * @param column * The name of the column to test. This column MUST contain an entity @@ -45,8 +46,9 @@ ${column} = ${entityID} OR ${column} IN ( - SELECT entity_id + SELECT guacamole_entity.entity_id FROM guacamole_entity + JOIN guacamole_user_group ON guacamole_user_group.entity_id = guacamole_entity.entity_id WHERE type = 'USER_GROUP'::guacamole_entity_type AND name IN @@ -54,6 +56,7 @@ open="(" separator="," close=")"> #{effectiveGroup,jdbcType=VARCHAR} + AND disabled = false ) ) 
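Review bot: The added `AND disabled = false` in the `@@ -54,6 +56,7 @@` hunk is unqualified, as are `type` and `name` in the same WHERE clause, although the `@@ -45,8 +46,9 @@` hunk now joins `guacamole_user_group` into that subquery. The commit already had to qualify `entity_id` for this reason; a column of the same name added later to either joined table would make this permission test fail with an ambiguous-column error. Writing `AND guacamole_user_group.disabled = false`, as the recursive query further down the file does, along with `guacamole_entity.type` and `guacamole_entity.name`, keeps the filter tied to the group row. The enclosing SQL fragment starts and ends outside these hunks.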
@@ -69,11 +72,13 @@ JOIN guacamole_user_group_member ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id WHERE guacamole_user_group_member.member_entity_id = #{entity.entityID} + AND guacamole_user_group.disabled = false UNION SELECT guacamole_entity.entity_id FROM guacamole_entity + JOIN guacamole_user_group ON guacamole_user_group.entity_id = guacamole_entity.entity_id WHERE type = 'USER_GROUP'::guacamole_entity_type AND name IN @@ -81,6 +86,7 @@ open="(" separator="," close=")"> #{effectiveGroup,jdbcType=VARCHAR} + AND guacamole_user_group.disabled = false UNION SELECT @@ -88,6 +94,8 @@ FROM related_entity JOIN guacamole_user_group_member ON related_entity.entity_id = guacamole_user_group_member.member_entity_id JOIN guacamole_user_group ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id + WHERE + guacamole_user_group.disabled = false ) SELECT name FROM related_entity
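Review bot: Disabled groups are filtered only in the PostgreSQL module's `EntityMapper.xml` (the diffstat lists one file changed), so any sibling database module that keeps its own copy of these group-resolution queries would still apply and inherit from disabled groups. Whether such copies exist is not visible here. Within this query the condition now appears three times (direct memberships, groups supplied by name, and the recursive step in the `@@ -88,6 +94,8 @@` hunk), and all three must stay in agreement for a disabled group to be neither applied nor inherited through. A short comment above the query would make that explicit, e.g. `<!-- Disabled groups are excluded at every step, so nothing is inherited through them -->`. The query begins before the first hunk on this line.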