From b5aa49aa69fdeb3c263adfe360b59653650cbaf3 Mon Sep 17 00:00:00 2001 From: James Muehlner Date: Fri, 15 Feb 2013 01:20:00 -0800 Subject: [PATCH] Ticket #269: Added administrate permission on delete user, and initially give full access to newly created user. --- .../net/auth/mysql/UserDirectory.java | 37 ++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java index 6adfa2d96..dcb512560 100644 --- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java +++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java @@ -175,6 +175,19 @@ public class UserDirectory implements Directory { //create permissions in database updatePermissions(mySQLUser); + + //finally, give the current user full access to the newly created user. + UserPermissionKey newUserPermission = new UserPermissionKey(); + newUserPermission.setUser_id(this.user.getUserID()); + newUserPermission.setAffected_user_id(mySQLUser.getUserID()); + newUserPermission.setPermission(MySQLConstants.USER_READ); + userPermissionDAO.insert(newUserPermission); + newUserPermission.setPermission(MySQLConstants.USER_UPDATE); + userPermissionDAO.insert(newUserPermission); + newUserPermission.setPermission(MySQLConstants.USER_DELETE); + userPermissionDAO.insert(newUserPermission); + newUserPermission.setPermission(MySQLConstants.USER_ADMINISTER); + userPermissionDAO.insert(newUserPermission); } /** @@ -418,15 +431,37 @@ public class UserDirectory implements Directory { * Delete all permissions associated with the provided user. * @param user */ - private void deleteAllPermissions(MySQLUser user) { + private void deleteAllPermissions(MySQLUser user) throws GuacamolePermissionException { + // Get the list of all the users and connections that the user performing the user save action has. + // Need to make sure the user saving this user has permission to administrate all the objects in the permission list. + Set administerableUsers = permissionCheckUtility.getAdministerableUserIDs(this.user.getUserID()); + Set administerableConnections = permissionCheckUtility.getAdministerableConnectionIDs(this.user.getUserID()); + //delete all user permissions UserPermissionExample userPermissionExample = new UserPermissionExample(); userPermissionExample.createCriteria().andUser_idEqualTo(user.getUserID()); + List permissionsToDelete = userPermissionDAO.selectByExample(userPermissionExample); + + // verify that the user actually has permission to administrate every one of these users + for(UserPermissionKey permissionToDelete : permissionsToDelete) { + if(!administerableUsers.contains(permissionToDelete.getAffected_user_id())) + throw new GuacamolePermissionException("User '" + this.user.getUsername() + "' does not have permission to administrate user " + permissionToDelete.getAffected_user_id()); + } + userPermissionDAO.deleteByExample(userPermissionExample); //delete all connection permissions ConnectionPermissionExample connectionPermissionExample = new ConnectionPermissionExample(); connectionPermissionExample.createCriteria().andUser_idEqualTo(user.getUserID()); + + //make sure the user has permission to administrate each of these connections + List connectionPermissionsToDelete = connectionPermissionDAO.selectByExample(connectionPermissionExample); + + for(ConnectionPermissionKey connectionPermissionToDelete : connectionPermissionsToDelete) { + if(!administerableConnections.contains(connectionPermissionToDelete.getConnection_id())) + throw new GuacamolePermissionException("User '" + this.user.getUsername() + "' does not have permission to administrate connection " + connectionPermissionToDelete.getConnection_id()); + } + connectionPermissionDAO.deleteByExample(connectionPermissionExample); //delete all system permissions