safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 21:27:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #66 from glyptodon/GUAC-995

Browse Source 
GUAC-995 Connection permission filter should take admin permission into account when filtering connection list.
This commit is contained in:
Mike Jumper
2015-01-13 21:36:59 -08:00
parent 9181706784 459449c6d3
commit e758fac0c0
8 changed files with 143 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/connectiongroup/ConnectionGroupRESTService.java
View File

@@ -25,6 +25,7 @@ package org.glyptodon.guacamole.net.basic.rest.connectiongroup;
import com.google.inject.Inject; import com.google.inject.Inject;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.List;
import javax.ws.rs.Consumes; import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE; import javax.ws.rs.DELETE;
import javax.ws.rs.GET; import javax.ws.rs.GET;
@@ -45,6 +46,7 @@ import org.glyptodon.guacamole.net.auth.User;
import org.glyptodon.guacamole.net.auth.UserContext; import org.glyptodon.guacamole.net.auth.UserContext;
import org.glyptodon.guacamole.net.auth.permission.ConnectionPermission; import org.glyptodon.guacamole.net.auth.permission.ConnectionPermission;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermission; import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
import org.glyptodon.guacamole.net.auth.permission.SystemPermission;
import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure; import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure;
import org.glyptodon.guacamole.net.basic.rest.ObjectRetrievalService; import org.glyptodon.guacamole.net.basic.rest.ObjectRetrievalService;
import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService; import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService;
@@ -79,6 +81,40 @@ public class ConnectionGroupRESTService {
@Inject @Inject
private ObjectRetrievalService retrievalService; private ObjectRetrievalService retrievalService;
/**
* Determines whether the given user has at least one of the given
* permissions for the connection having the given identifier.
*
* @param user
* The user to check permissions for.
*
* @param identifier
* The identifier of the connection to check permissions for.
*
* @param permissions
* The permissions to check. The given user must have one or more of
* these permissions for this function to return true.
*
* @return
* true if the user has at least one of the given permissions.
*/
private boolean hasConnectionPermission(User user, String identifier,
List<ObjectPermission.Type> permissions) throws GuacamoleException {
// Determine whether user has at least one of the given permissions
for (ObjectPermission.Type permission : permissions) {
ConnectionPermission connectionPermission = new ConnectionPermission(permission, identifier);
if (user.hasPermission(connectionPermission))
return true;
}
// None of the given permissions were present
return false;
}
/** /**
* Retrieves the given connection group from the user context, including * Retrieves the given connection group from the user context, including
* all descendant connections and groups if requested. * all descendant connections and groups if requested.
@@ -93,10 +129,10 @@ public class ConnectionGroupRESTService {
* Whether the descendant connections and groups of the given * Whether the descendant connections and groups of the given
* connection group should also be retrieved. * connection group should also be retrieved.
* *
* @param permission * @param permissions
* The permission the current user must have for a connection or * The set of permissions to filter with. A user must have one or more
* connection group to be returned in the results, if any. If null * of these permissions for a connection to appear in the result.
* is specified, no filtering by permission will be performed. * If null, no filtering will be performed.
* *
* @return * @return
* The requested connection group, or null if no such connection group * The requested connection group, or null if no such connection group
@@ -107,11 +143,14 @@ public class ConnectionGroupRESTService {
* or any of its descendants. * or any of its descendants.
*/ */
private APIConnectionGroup retrieveConnectionGroup(UserContext userContext, private APIConnectionGroup retrieveConnectionGroup(UserContext userContext,
String identifier, boolean includeDescendants, ObjectPermission.Type permission) String identifier, boolean includeDescendants, List<ObjectPermission.Type> permissions)
throws GuacamoleException { throws GuacamoleException {
User self = userContext.self(); User self = userContext.self();
// An admin user has access to any connection or connection group
boolean isAdmin = self.hasPermission(new SystemPermission(SystemPermission.Type.ADMINISTER));
// Retrieve specified connection group // Retrieve specified connection group
ConnectionGroup connectionGroup; ConnectionGroup connectionGroup;
try { try {
@@ -139,7 +178,7 @@ public class ConnectionGroupRESTService {
continue; continue;
// Filter based on permission, if requested // Filter based on permission, if requested
if (permission == null || self.hasPermission(new ConnectionPermission(permission, childIdentifier))) if (isAdmin || permissions == null || hasConnectionPermission(self, childIdentifier, permissions))
apiConnections.add(new APIConnection(childConnection)); apiConnections.add(new APIConnection(childConnection));
} }
@@ -154,7 +193,7 @@ public class ConnectionGroupRESTService {
for (String childIdentifier : groupDirectory.getIdentifiers()) { for (String childIdentifier : groupDirectory.getIdentifiers()) {
// Pull current connection group - silently ignore if connection group was removed prior to read // Pull current connection group - silently ignore if connection group was removed prior to read
APIConnectionGroup childConnectionGroup = retrieveConnectionGroup(userContext, childIdentifier, true, permission); APIConnectionGroup childConnectionGroup = retrieveConnectionGroup(userContext, childIdentifier, true, permissions);
if (childConnectionGroup == null) if (childConnectionGroup == null)
continue; continue;
@@ -215,11 +254,11 @@ public class ConnectionGroupRESTService {
* @param connectionGroupID * @param connectionGroupID
* The ID of the connection group to retrieve. * The ID of the connection group to retrieve.
* *
* @param permission * @param permissions
* If specified, limit the returned list to only those connections for * If specified, limit the returned list to only those connections for
* which the current user has the given permission. Otherwise, all * which the current user has any of the given permissions. Otherwise,
* visible connections are returned. Connection groups are unaffected * all visible connections are returned. Connection groups are
* by this parameter. * unaffected by this parameter.
* *
* @return * @return
* The requested connection group, including all descendants. * The requested connection group, including all descendants.
@@ -233,13 +272,13 @@ public class ConnectionGroupRESTService {
@AuthProviderRESTExposure @AuthProviderRESTExposure
public APIConnectionGroup getConnectionGroupTree(@QueryParam("token") String authToken, public APIConnectionGroup getConnectionGroupTree(@QueryParam("token") String authToken,
@PathParam("connectionGroupID") String connectionGroupID, @PathParam("connectionGroupID") String connectionGroupID,
@QueryParam("permission") ObjectPermission.Type permission) @QueryParam("permission") List<ObjectPermission.Type> permissions)
throws GuacamoleException { throws GuacamoleException {
UserContext userContext = authenticationService.getUserContext(authToken); UserContext userContext = authenticationService.getUserContext(authToken);
// Retrieve requested connection group and all descendants // Retrieve requested connection group and all descendants
APIConnectionGroup connectionGroup = retrieveConnectionGroup(userContext, connectionGroupID, true, permission); APIConnectionGroup connectionGroup = retrieveConnectionGroup(userContext, connectionGroupID, true, permissions);
if (connectionGroup == null) if (connectionGroup == null)
throw new GuacamoleResourceNotFoundException("No such connection group: \"" + connectionGroupID + "\""); throw new GuacamoleResourceNotFoundException("No such connection group: \"" + connectionGroupID + "\"");

39
guacamole/src/main/webapp/app/manage/controllers/manageConnectionController.js
View File

@@ -35,8 +35,10 @@ angular.module('manage').controller('manageConnectionController', ['$scope', '$i
// Required services // Required services
var $location = $injector.get('$location'); var $location = $injector.get('$location');
var $routeParams = $injector.get('$routeParams'); var $routeParams = $injector.get('$routeParams');
var authenticationService = $injector.get('authenticationService');
var connectionService = $injector.get('connectionService'); var connectionService = $injector.get('connectionService');
var connectionGroupService = $injector.get('connectionGroupService'); var connectionGroupService = $injector.get('connectionGroupService');
var permissionService = $injector.get('permissionService');
var protocolService = $injector.get('protocolService'); var protocolService = $injector.get('protocolService');
var translationStringService = $injector.get('translationStringService'); var translationStringService = $injector.get('translationStringService');
@@ -96,6 +98,20 @@ angular.module('manage').controller('manageConnectionController', ['$scope', '$i
*/ */
$scope.historyEntryWrappers = null; $scope.historyEntryWrappers = null;
/**
* Whether the user has UPDATE permission for the current connection.
*
* @type boolean
*/
$scope.hasUpdatePermission = null;
/**
* Whether the user has DELETE permission for the current connection.
*
* @type boolean
*/
$scope.hasDeletePermission = null;
/** /**
* Returns whether critical data has completed being loaded. * Returns whether critical data has completed being loaded.
* *
@@ -109,16 +125,35 @@ angular.module('manage').controller('manageConnectionController', ['$scope', '$i
&& $scope.rootGroup !== null && $scope.rootGroup !== null
&& $scope.connection !== null && $scope.connection !== null
&& $scope.parameters !== null && $scope.parameters !== null
&& $scope.historyEntryWrappers !== null; && $scope.historyEntryWrappers !== null
&& $scope.hasUpdatePermission !== null
&& $scope.hasDeletePermission !== null;
}; };
// Pull connection group hierarchy // Pull connection group hierarchy
connectionGroupService.getConnectionGroupTree(ConnectionGroup.ROOT_IDENTIFIER, PermissionSet.ObjectPermissionType.UPDATE) connectionGroupService.getConnectionGroupTree(ConnectionGroup.ROOT_IDENTIFIER,
[PermissionSet.ObjectPermissionType.ADMINISTER])
.success(function connectionGroupReceived(rootGroup) { .success(function connectionGroupReceived(rootGroup) {
$scope.rootGroup = rootGroup; $scope.rootGroup = rootGroup;
}); });
// Query the user's permissions for the current connection
permissionService.getPermissions(authenticationService.getCurrentUserID())
.success(function permissionsReceived(permissions) {
// Check if the user has UPDATE permission
$scope.hasUpdatePermission =
PermissionSet.hasSystemPermission(permissions, PermissionSet.SystemPermissionType.ADMINISTER)
|| PermissionSet.hasConnectionPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE, identifier);
// Check if the user has DELETE permission
$scope.hasDeletePermission =
PermissionSet.hasSystemPermission(permissions, PermissionSet.SystemPermissionType.ADMINISTER)
|| PermissionSet.hasConnectionPermission(permissions, PermissionSet.ObjectPermissionType.DELETE, identifier);
});
// Get protocol metadata // Get protocol metadata
protocolService.getProtocols().success(function protocolsReceived(protocols) { protocolService.getProtocols().success(function protocolsReceived(protocols) {
$scope.protocols = protocols; $scope.protocols = protocols;

38
guacamole/src/main/webapp/app/manage/controllers/manageConnectionGroupController.js
View File

@@ -33,7 +33,9 @@ angular.module('manage').controller('manageConnectionGroupController', ['$scope'
// Required services // Required services
var $location = $injector.get('$location'); var $location = $injector.get('$location');
var $routeParams = $injector.get('$routeParams'); var $routeParams = $injector.get('$routeParams');
var authenticationService = $injector.get('authenticationService');
var connectionGroupService = $injector.get('connectionGroupService'); var connectionGroupService = $injector.get('connectionGroupService');
var permissionService = $injector.get('permissionService');
/** /**
* An action to be provided along with the object sent to showStatus which * An action to be provided along with the object sent to showStatus which
@@ -69,6 +71,20 @@ angular.module('manage').controller('manageConnectionGroupController', ['$scope'
*/ */
$scope.connectionGroup = null; $scope.connectionGroup = null;
/**
* Whether the user has UPDATE permission for the current connection group.
*
* @type boolean
*/
$scope.hasUpdatePermission = null;
/**
* Whether the user has DELETE permission for the current connection group.
*
* @type boolean
*/
$scope.hasDeletePermission = null;
/** /**
* Returns whether critical data has completed being loaded. * Returns whether critical data has completed being loaded.
* *
@@ -79,13 +95,31 @@ angular.module('manage').controller('manageConnectionGroupController', ['$scope'
$scope.isLoaded = function isLoaded() { $scope.isLoaded = function isLoaded() {
return $scope.rootGroup !== null return $scope.rootGroup !== null
&& $scope.connectionGroup !== null; && $scope.connectionGroup !== null
&& $scope.hasUpdatePermission !== null
&& $scope.hasDeletePermission !== null;
}; };
// Query the user's permissions for the current connection group
permissionService.getPermissions(authenticationService.getCurrentUserID())
.success(function permissionsReceived(permissions) {
// Check if the user has UPDATE permission
$scope.hasUpdatePermission =
PermissionSet.hasSystemPermission(permissions, PermissionSet.SystemPermissionType.ADMINISTER)
|| PermissionSet.hasConnectionPermission(permissions, PermissionSet.ObjectPermissionType.UPDATE, identifier);
// Check if the user has DELETE permission
$scope.hasDeletePermission =
PermissionSet.hasSystemPermission(permissions, PermissionSet.SystemPermissionType.ADMINISTER)
|| PermissionSet.hasConnectionPermission(permissions, PermissionSet.ObjectPermissionType.DELETE, identifier);
});
// Pull connection group hierarchy // Pull connection group hierarchy
connectionGroupService.getConnectionGroupTree(ConnectionGroup.ROOT_IDENTIFIER, PermissionSet.ObjectPermissionType.UPDATE) connectionGroupService.getConnectionGroupTree(ConnectionGroup.ROOT_IDENTIFIER, [PermissionSet.ObjectPermissionType.ADMINISTER])
.success(function connectionGroupReceived(rootGroup) { .success(function connectionGroupReceived(rootGroup) {
$scope.rootGroup = rootGroup; $scope.rootGroup = rootGroup;
}); });

5
guacamole/src/main/webapp/app/manage/controllers/manageController.js
View File

@@ -178,8 +178,9 @@ angular.module('manage').controller('manageController', ['$scope', '$injector',
}); });
// Retrieve all connections for which we have UPDATE permission // Retrieve all connections for which we have UPDATE or DELETE permission
connectionGroupService.getConnectionGroupTree(ConnectionGroup.ROOT_IDENTIFIER, PermissionSet.ObjectPermissionType.UPDATE) connectionGroupService.getConnectionGroupTree(ConnectionGroup.ROOT_IDENTIFIER,
[PermissionSet.ObjectPermissionType.UPDATE, PermissionSet.ObjectPermissionType.DELETE])
.success(function connectionGroupReceived(rootGroup) { .success(function connectionGroupReceived(rootGroup) {
$scope.rootGroup = rootGroup; $scope.rootGroup = rootGroup;
}); });

4
guacamole/src/main/webapp/app/manage/controllers/manageUserController.js
View File

@@ -103,8 +103,8 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
$scope.permissionFlags = PermissionFlagSet.fromPermissionSet(permissions); $scope.permissionFlags = PermissionFlagSet.fromPermissionSet(permissions);
}); });
// Retrieve all connections for which we have UPDATE permission // Retrieve all connections for which we have ADMINISTER permission
connectionGroupService.getConnectionGroupTree(ConnectionGroup.ROOT_IDENTIFIER, PermissionSet.ObjectPermissionType.ADMINISTER) connectionGroupService.getConnectionGroupTree(ConnectionGroup.ROOT_IDENTIFIER, [PermissionSet.ObjectPermissionType.ADMINISTER])
.success(function connectionGroupReceived(rootGroup) { .success(function connectionGroupReceived(rootGroup) {
$scope.rootGroup = rootGroup; $scope.rootGroup = rootGroup;
}); });

4
guacamole/src/main/webapp/app/manage/templates/manageConnection.html
View File

@@ -76,9 +76,9 @@ THE SOFTWARE.
<!-- Form action buttons --> <!-- Form action buttons -->
<div class="action-buttons"> <div class="action-buttons">
<button ng-click="saveConnection()">{{'MANAGE_CONNECTION.ACTION_SAVE' | translate}}</button> <button ng-show="hasUpdatePermission" ng-click="saveConnection()">{{'MANAGE_CONNECTION.ACTION_SAVE' | translate}}</button>
<button ng-click="cancel()">{{'MANAGE_CONNECTION.ACTION_CANCEL' | translate}}</button> <button ng-click="cancel()">{{'MANAGE_CONNECTION.ACTION_CANCEL' | translate}}</button>
<button ng-click="deleteConnection()" class="danger">{{'MANAGE_CONNECTION.ACTION_DELETE' | translate}}</button> <button ng-show="hasDeletePermission" ng-click="deleteConnection()" class="danger">{{'MANAGE_CONNECTION.ACTION_DELETE' | translate}}</button>
</div> </div>
<!-- Connection history --> <!-- Connection history -->

4
guacamole/src/main/webapp/app/manage/templates/manageConnectionGroup.html
View File

@@ -61,9 +61,9 @@ THE SOFTWARE.
<!-- Form action buttons --> <!-- Form action buttons -->
<div class="action-buttons"> <div class="action-buttons">
<button ng-click="saveConnectionGroup()">{{'MANAGE_CONNECTION_GROUP.ACTION_SAVE' | translate}}</button> <button ng-show="hasUpdatePermission" ng-click="saveConnectionGroup()">{{'MANAGE_CONNECTION_GROUP.ACTION_SAVE' | translate}}</button>
<button ng-click="cancel()">{{'MANAGE_CONNECTION_GROUP.ACTION_CANCEL' | translate}}</button> <button ng-click="cancel()">{{'MANAGE_CONNECTION_GROUP.ACTION_CANCEL' | translate}}</button>
<button ng-click="deleteConnectionGroup()" class="danger">{{'MANAGE_CONNECTION_GROUP.ACTION_DELETE' | translate}}</button> <button ng-show="hasDeletePermission" ng-click="deleteConnectionGroup()" class="danger">{{'MANAGE_CONNECTION_GROUP.ACTION_DELETE' | translate}}</button>
</div> </div>
</div> </div>

16
guacamole/src/main/webapp/app/rest/services/connectionGroupService.js
View File

@@ -39,17 +39,17 @@ angular.module('rest').factory('connectionGroupService', ['$http', 'authenticati
* The ID of the connection group to retrieve. If not provided, the * The ID of the connection group to retrieve. If not provided, the
* root connection group will be retrieved by default. * root connection group will be retrieved by default.
* *
* @param {String} [permissionType] * @param {String[]} [permissionType]
* The permission type string of the permission that the current user * The set of permissions to filter with. A user must have one or more
* must have for a given connection or connection group to appear * of these permissions for a connection to appear in the result.
* within the result. Valid values are listed within * If null, no filtering will be performed. Valid values are listed
* PermissionSet.ObjectType. * within PermissionSet.ObjectType.
* *
* @returns {Promise.ConnectionGroup} * @returns {Promise.ConnectionGroup}
* A promise which will resolve with a @link{ConnectionGroup} upon * A promise which will resolve with a @link{ConnectionGroup} upon
* success. * success.
*/ */
service.getConnectionGroupTree = function getConnectionGroupTree(connectionGroupID, permissionType) { service.getConnectionGroupTree = function getConnectionGroupTree(connectionGroupID, permissionTypes) {
// Use the root connection group ID if no ID is passed in // Use the root connection group ID if no ID is passed in
connectionGroupID = connectionGroupID || ConnectionGroup.ROOT_IDENTIFIER; connectionGroupID = connectionGroupID || ConnectionGroup.ROOT_IDENTIFIER;
@@ -60,8 +60,8 @@ angular.module('rest').factory('connectionGroupService', ['$http', 'authenticati
}; };
// Add permission filter if specified // Add permission filter if specified
if (permissionType) if (permissionTypes)
httpParameters.permission = permissionType; httpParameters.permission = permissionTypes;
// Retrieve connection group // Retrieve connection group
return $http({ return $http({