diff --git a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/connections/List.java b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/connections/List.java
index 8f2c5adec..77750adc7 100644
--- a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/connections/List.java
+++ b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/connections/List.java
@@ -32,11 +32,9 @@ import net.sourceforge.guacamole.net.auth.ConnectionRecord;
 import net.sourceforge.guacamole.net.auth.Directory;
 import net.sourceforge.guacamole.net.auth.User;
 import net.sourceforge.guacamole.net.auth.UserContext;
-import net.sourceforge.guacamole.net.auth.permission.ConnectionDirectoryPermission;
 import net.sourceforge.guacamole.net.auth.permission.ConnectionPermission;
 import net.sourceforge.guacamole.net.auth.permission.ObjectPermission;
 import net.sourceforge.guacamole.net.auth.permission.Permission;
-import net.sourceforge.guacamole.net.auth.permission.SystemPermission;
 import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet;
 import net.sourceforge.guacamole.protocol.GuacamoleConfiguration;
 
@@ -48,35 +46,6 @@ import net.sourceforge.guacamole.protocol.GuacamoleConfiguration; */ public class List extends AuthenticatingHttpServlet { - /** - * Checks whether the given user has permission to perform the given - * system operation. Security exceptions are handled appropriately - only - * non-security exceptions pass through. - * - * @param user The user whose permissions should be verified. - * @param type The type of operation to check for permission for. - * @return true if permission is granted, false otherwise. - * - * @throws GuacamoleException If an error occurs while checking permissions. - */ - private boolean hasConfigPermission(User user, SystemPermission.Type type) - throws GuacamoleException { - - // Build permission - Permission permission = - new ConnectionDirectoryPermission(type); - - try { - // Return result of permission check, if possible - return user.hasPermission(permission); - } - catch (GuacamoleSecurityException e) { - // If cannot check due to security restrictions, no permission - return false; - } - - } - /** * Checks whether the given user has permission to perform the given * object operation. Security exceptions are handled appropriately - only @@ -148,10 +117,6 @@ public class List extends AuthenticatingHttpServlet { xml.writeStartDocument(); xml.writeStartElement("connections"); - // Save connection create permission attribute - if (hasConfigPermission(self, SystemPermission.Type.CREATE)) - xml.writeAttribute("create", "yes"); - // For each entry, write corresponding connection element for (String identifier : directory.getIdentifiers()) { 
@@ -164,22 +129,10 @@ public class List extends AuthenticatingHttpServlet { xml.writeAttribute("protocol", connection.getConfiguration().getProtocol()); - // Save admin permission attribute - if (hasConfigPermission(self, ObjectPermission.Type.ADMINISTER, - identifier)) - xml.writeAttribute("admin", "yes"); - - // Save delete permission attribute - if (hasConfigPermission(self, ObjectPermission.Type.DELETE, - identifier)) - xml.writeAttribute("delete", "yes"); - - // Save update permission attribute, include parameters + // If update permission available, include parameters if (hasConfigPermission(self, ObjectPermission.Type.UPDATE, identifier)) { - xml.writeAttribute("update", "yes"); - // As update permission is present, also list parameters GuacamoleConfiguration config = connection.getConfiguration(); for (String name : config.getParameterNames()) { diff --git a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/permissions/List.java b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/permissions/List.java index 94ec140ff..ade180e01 100644 --- a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/permissions/List.java +++ b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/permissions/List.java 
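Review bot: The retained comment `// As update permission is present, also list parameters` now says the same thing as the new `// If update permission available, include parameters` two lines above it; keep one of them, preferably the inner one reworded to explain why UPDATE is the gate rather than READ. If connection parameters can carry sensitive values (that cannot be confirmed from this hunk), a sentence stating that parameters are deliberately withheld from users holding only READ would make the intent explicit to the next maintainer. The enclosing loop body continues past the end of this hunk.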
@@ -30,12 +30,10 @@ import net.sourceforge.guacamole.GuacamoleSecurityException; import net.sourceforge.guacamole.net.auth.Directory; import net.sourceforge.guacamole.net.auth.User; import net.sourceforge.guacamole.net.auth.UserContext; -import net.sourceforge.guacamole.net.auth.permission.ConnectionDirectoryPermission; import net.sourceforge.guacamole.net.auth.permission.ConnectionPermission; import net.sourceforge.guacamole.net.auth.permission.ObjectPermission; import net.sourceforge.guacamole.net.auth.permission.Permission; import net.sourceforge.guacamole.net.auth.permission.SystemPermission; -import net.sourceforge.guacamole.net.auth.permission.UserDirectoryPermission; import net.sourceforge.guacamole.net.auth.permission.UserPermission; import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet; @@ -61,7 +59,9 @@ public class List extends AuthenticatingHttpServlet { throws GuacamoleException { switch (type) { - case CREATE: return "create"; + case CREATE_USER: return "create-user"; + case CREATE_CONNECTION: return "create-connection"; + case ADMINISTER: return "admin"; } throw new GuacamoleException("Unknown permission type: " + type); @@ -136,16 +136,15 @@ public class List extends AuthenticatingHttpServlet { // For each entry, write corresponding user element for (Permission permission : user.getPermissions()) { - // Config directory permission - if (permission instanceof ConnectionDirectoryPermission) { + // System permission + if (permission instanceof SystemPermission) { // Get permission - ConnectionDirectoryPermission cdp = - (ConnectionDirectoryPermission) permission; + SystemPermission sp = (SystemPermission) permission; // Write permission - xml.writeEmptyElement("connections"); - xml.writeAttribute("type", toString(cdp.getType())); + xml.writeEmptyElement("system"); + xml.writeAttribute("type", toString(sp.getType())); } 
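Review bot: In the `toString(SystemPermission.Type)` switch the wire strings `"create-user"`, `"create-connection"` and `"admin"` are bare literals, while Update.java in this same commit declares the identical values as `CREATE_USER_PERMISSION`, `CREATE_CONNECTION_PERMISSION` and `ADMIN_PERMISSION`; the two servlets can silently drift apart, so both should reference one shared definition. The switch has no `default` and relies on the trailing `throw new GuacamoleException("Unknown permission type: " + type)` for any type added later, which is fine but worth a one-line comment such as `// Fall through to the exception below for any type not listed above` so a reader does not take the missing default for an oversight. The method's signature and the class body lie outside this hunk.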
@@ -163,19 +162,6 @@ public class List extends AuthenticatingHttpServlet { } - // User directory permission - else if (permission instanceof UserDirectoryPermission) { - - // Get permission - UserDirectoryPermission udp = - (UserDirectoryPermission) permission; - - // Write permission - xml.writeEmptyElement("users"); - xml.writeAttribute("type", toString(udp.getType())); - - } - // User permission else if (permission instanceof UserPermission) { diff --git a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/List.java b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/List.java index a9f609947..8b50b249f 100644 --- a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/List.java +++ b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/List.java @@ -31,11 +31,6 @@ import net.sourceforge.guacamole.GuacamoleSecurityException; import net.sourceforge.guacamole.net.auth.Directory; import net.sourceforge.guacamole.net.auth.User; import net.sourceforge.guacamole.net.auth.UserContext; -import net.sourceforge.guacamole.net.auth.permission.ObjectPermission; -import net.sourceforge.guacamole.net.auth.permission.Permission; -import net.sourceforge.guacamole.net.auth.permission.SystemPermission; -import net.sourceforge.guacamole.net.auth.permission.UserDirectoryPermission; -import net.sourceforge.guacamole.net.auth.permission.UserPermission; import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet; /** 
@@ -45,65 +40,6 @@ import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet; */ public class List extends AuthenticatingHttpServlet { - /** - * Checks whether the given user has permission to perform the given - * system operation. Security exceptions are handled appropriately - only - * non-security exceptions pass through. - * - * @param user The user whose permissions should be verified. - * @param type The type of operation to check for permission for. - * @return true if permission is granted, false otherwise. - * - * @throws GuacamoleException If an error occurs while checking permissions. - */ - private boolean hasUserPermission(User user, SystemPermission.Type type) - throws GuacamoleException { - - // Build permission - Permission permission = new UserDirectoryPermission(type); - - try { - // Return result of permission check, if possible - return user.hasPermission(permission); - } - catch (GuacamoleSecurityException e) { - // If cannot check due to security restrictions, no permission - return false; - } - - } - - /** - * Checks whether the given user has permission to perform the given - * object operation. Security exceptions are handled appropriately - only - * non-security exceptions pass through. - * - * @param user The user whose permissions should be verified. - * @param type The type of operation to check for permission for. - * @param identifier The identifier of the user the operation would be - * performed upon. - * @return true if permission is granted, false otherwise. - * - * @throws GuacamoleException If an error occurs while checking permissions. 
- */ - private boolean hasUserPermission(User user, ObjectPermission.Type type, - String identifier) - throws GuacamoleException { - - // Build permission - Permission permission = new UserPermission(type, identifier); - - try { - // Return result of permission check, if possible - return user.hasPermission(permission); - } - catch (GuacamoleSecurityException e) { - // If cannot check due to security restrictions, no permission - return false; - } - - } - @Override protected void authenticatedService( UserContext context, @@ -135,10 +71,6 @@ public class List extends AuthenticatingHttpServlet { xml.writeStartDocument(); xml.writeStartElement("users"); - // Save user create permission attribute - if (hasUserPermission(self, SystemPermission.Type.CREATE)) - xml.writeAttribute("create", "yes"); - // For each entry, write corresponding user element for (String username : users) { @@ -149,21 +81,6 @@ public class List extends AuthenticatingHttpServlet { xml.writeEmptyElement("user"); xml.writeAttribute("name", user.getUsername()); - // Save update permission attribute - if (hasUserPermission(self, ObjectPermission.Type.UPDATE, - user.getUsername())) - xml.writeAttribute("update", "yes"); - - // Save admin permission attribute - if (hasUserPermission(self, ObjectPermission.Type.ADMINISTER, - user.getUsername())) - xml.writeAttribute("admin", "yes"); - - // Save delete permission attribute - if (hasUserPermission(self, ObjectPermission.Type.DELETE, - user.getUsername())) - xml.writeAttribute("delete", "yes"); - } // End document diff --git a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/Update.java b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/Update.java index bc3a27b4c..a9110bf7f 100644 --- a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/Update.java +++ b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/Update.java 
@@ -26,12 +26,10 @@ import net.sourceforge.guacamole.GuacamoleException; import net.sourceforge.guacamole.net.auth.Directory; import net.sourceforge.guacamole.net.auth.User; import net.sourceforge.guacamole.net.auth.UserContext; -import net.sourceforge.guacamole.net.auth.permission.ConnectionDirectoryPermission; import net.sourceforge.guacamole.net.auth.permission.ConnectionPermission; import net.sourceforge.guacamole.net.auth.permission.ObjectPermission; import net.sourceforge.guacamole.net.auth.permission.Permission; import net.sourceforge.guacamole.net.auth.permission.SystemPermission; -import net.sourceforge.guacamole.net.auth.permission.UserDirectoryPermission; import net.sourceforge.guacamole.net.auth.permission.UserPermission; import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet; @@ -43,9 +41,19 @@ import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet; public class Update extends AuthenticatingHttpServlet { /** - * String given for directory creation permission. + * String given for user creation permission. */ - private static final String CREATE_PERMISSION = "create"; + private static final String CREATE_USER_PERMISSION = "create-user"; + + /** + * String given for connection creation permission. + */ + private static final String CREATE_CONNECTION_PERMISSION = "create-connection"; + + /** + * String given for system administration permission. + */ + private static final String ADMIN_PERMISSION = "admin"; /** * Prefix given before an object identifier for read permission. 
@@ -67,6 +75,32 @@ public class Update extends AuthenticatingHttpServlet { */ private static final String ADMIN_PREFIX = "admin:"; + /** + * Given a permission string, returns the corresponding system permission. + * + * @param str The permission string to parse. + * @return The parsed system permission. + * @throws GuacamoleException If the given string could not be parsed. + */ + private Permission parseSystemPermission(String str) + throws GuacamoleException { + + // Create user + if (str.startsWith(CREATE_USER_PERMISSION)) + return new SystemPermission(SystemPermission.Type.CREATE_USER); + + // Create connection + if (str.startsWith(CREATE_CONNECTION_PERMISSION)) + return new SystemPermission(SystemPermission.Type.CREATE_CONNECTION); + + // Administration + if (str.startsWith(ADMIN_PERMISSION)) + return new SystemPermission(SystemPermission.Type.ADMINISTER); + + throw new GuacamoleException("Invalid permission string."); + + } + /** * Given a permission string, returns the corresponding user permission. * @@ -77,10 +111,6 @@ public class Update extends AuthenticatingHttpServlet { private Permission parseUserPermission(String str) throws GuacamoleException { - // Create permission - if (str.equals(CREATE_PERMISSION)) - return new UserDirectoryPermission(SystemPermission.Type.CREATE); - // Read if (str.startsWith(READ_PREFIX)) return new UserPermission(ObjectPermission.Type.READ, @@ -116,10 +146,6 @@ public class Update extends AuthenticatingHttpServlet { private Permission parseConnectionPermission(String str) throws GuacamoleException { - // Create permission - if (str.equals(CREATE_PERMISSION)) - return new ConnectionDirectoryPermission(SystemPermission.Type.CREATE); - // Read if (str.startsWith(READ_PREFIX)) return new ConnectionPermission(ObjectPermission.Type.READ, 
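Review bot: `parseSystemPermission` matches with `startsWith`, but unlike the `READ_PREFIX`/`ADMIN_PREFIX` style values these three strings carry no identifier suffix, so any client value that merely begins with `admin` or `create-user` is accepted as a system permission instead of reaching the `throw`; use exact comparison as the removed `str.equals(CREATE_PERMISSION)` checks did: `if (str.equals(CREATE_USER_PERMISSION))`, `if (str.equals(CREATE_CONNECTION_PERMISSION))`, `if (str.equals(ADMIN_PERMISSION))`. With exact matching, malformed input fails closed rather than being coerced into a valid permission, which matters most for the `ADMINISTER` case. The javadoc `@throws` line could also state that the string must match one of the three constants exactly.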
@@ -166,28 +192,50 @@ public class Update extends AuthenticatingHttpServlet { if (password != null) user.setPassword(password); - // Set user permissions + /* + * NEW PERMISSIONS + */ + + // Set added system permissions + String[] add_sys_permission = request.getParameterValues("+sys"); + if (add_sys_permission != null) { + for (String str : add_sys_permission) + user.addPermission(parseSystemPermission(str)); + } + + // Set added user permissions String[] add_user_permission = request.getParameterValues("+user"); if (add_user_permission != null) { for (String str : add_user_permission) user.addPermission(parseUserPermission(str)); } - // Set connection permissions + // Set added connection permissions String[] add_connection_permission = request.getParameterValues("+connection"); if (add_connection_permission != null) { for (String str : add_connection_permission) user.addPermission(parseConnectionPermission(str)); } - // Set user permissions + /* + * REMOVED PERMISSIONS + */ + + // Unset removed system permissions + String[] remove_sys_permission = request.getParameterValues("-sys"); + if (remove_sys_permission != null) { + for (String str : remove_sys_permission) + user.removePermission(parseSystemPermission(str)); + } + + // Unset removed user permissions String[] remove_user_permission = request.getParameterValues("-user"); if (remove_user_permission != null) { for (String str : remove_user_permission) user.removePermission(parseUserPermission(str)); } - // Set connection permissions + // Unset removed connection permissions String[] remove_connection_permission = request.getParameterValues("-connection"); if (remove_connection_permission != null) { for (String str : remove_connection_permission) diff --git a/guacamole/src/main/webapp/scripts/service.js b/guacamole/src/main/webapp/scripts/service.js index e9510952d..18cb74ea6 100644 --- a/guacamole/src/main/webapp/scripts/service.js +++ b/guacamole/src/main/webapp/scripts/service.js 
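Review bot: The new `+sys`/`-sys` handling grants and revokes `SystemPermission.Type.ADMINISTER` on the target `user` with no authorization check visible in this hunk; if enforcement lives in `user.addPermission`/`removePermission` (the auth provider rejecting callers without the right to change permissions), a comment above the `/* NEW PERMISSIONS */` header recording that assumption would document the trust boundary, and if it does not, a check is needed before these loops. The ordering also deserves one sentence in the method's documentation: a request carrying both `+sys=admin` and `-sys=admin` ends with the permission removed, since additions are applied before removals. `authenticatedService` begins and ends outside this hunk.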
@@ -117,6 +117,11 @@ GuacamoleService.PermissionSet = function() { */ this.create_connection = false; + /** + * Whether permission to administer the system in general is granted. + */ + this.administer = false; + /** * Object with a property entry for each readable user. */ @@ -416,9 +421,10 @@ GuacamoleService.Users = { var name; - // Creation permissions - if (permissions_added.create_user) data += "&%2Buser=create"; - if (permissions_added.create_connection) data += "&%2Bconnection=create"; + // System permissions + if (permissions_added.create_user) data += "&%2Bsys=create-user"; + if (permissions_added.create_connection) data += "&%2Bsys=create-connection"; + if (permissions_added.administer) data += "&%2Bsys=admin"; // User permissions for (name in permissions_added.read_user) @@ -441,8 +447,9 @@ GuacamoleService.Users = { data += "&%2Bconnection=delete:" + encodeURIComponent(name); // Creation permissions - if (permissions_removed.create_user) data += "&-user=create"; - if (permissions_removed.create_connection) data += "&-connection=create"; + if (permissions_removed.create_user) data += "&-sys=create-user"; + if (permissions_removed.create_connection) data += "&-sys=create-connection"; + if (permissions_removed.administer) data += "&-sys=admin"; // User permissions for (name in permissions_removed.read_user) @@ -574,19 +581,29 @@ GuacamoleService.Permissions = { var i, type, name; var permissions = new GuacamoleService.PermissionSet(); - // Read connections permissions - var connectionsElements = xhr.responseXML.getElementsByTagName("connections"); + // Read system permissions + var connectionsElements = xhr.responseXML.getElementsByTagName("system"); for (i=0; i
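Review bot: In the `permissions_removed` block the header comment `// Creation permissions` is now stale, because the block also emits `&-sys=admin`; rename it to `// System permissions` as the added-permissions block above already does. The new `administer` flag is the only boolean in `PermissionSet` whose name is not a verb-object pair like `create_user`; either name it `administer_system` or extend its doc comment to say it corresponds to the server's `admin` system permission string.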