safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #37 from glyptodon/deny-parameters

Browse Source 
GUAC-943: Deny access to connection parameters when user lacks permission to update that connection.
This commit is contained in:
Mike Jumper
2014-12-27 22:10:06 -08:00
parent e49f427070 4322d8fa0a
commit ede9182655
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/connection/ConnectionRESTService.java
View File

@@ -37,11 +37,17 @@ import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import org.glyptodon.guacamole.GuacamoleClientException;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.net.auth.Connection;
import org.glyptodon.guacamole.net.auth.ConnectionGroup;
import org.glyptodon.guacamole.net.auth.ConnectionRecord;
import org.glyptodon.guacamole.net.auth.Directory;
import org.glyptodon.guacamole.net.auth.User;
import org.glyptodon.guacamole.net.auth.UserContext;
import org.glyptodon.guacamole.net.auth.permission.ConnectionPermission;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
import org.glyptodon.guacamole.net.auth.permission.Permission;
import org.glyptodon.guacamole.net.auth.permission.SystemPermission;
import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure;
import org.glyptodon.guacamole.net.basic.rest.ObjectRetrievalService;
import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService;
@@ -63,6 +69,12 @@ public class ConnectionRESTService {
* Logger for this class.
*/
private static final Logger logger = LoggerFactory.getLogger(ConnectionRESTService.class);
/**
* System administration permission.
*/
private static final Permission SYSTEM_PERMISSION =
new SystemPermission(SystemPermission.Type.ADMINISTER);
/**
* A service for authenticating users from auth tokens.
@@ -128,6 +140,12 @@ public class ConnectionRESTService {
@PathParam("connectionID") String connectionID) throws GuacamoleException {
UserContext userContext = authenticationService.getUserContext(authToken);
User self = userContext.self();
// Deny access if adminstrative or update permission is missing
if (!self.hasPermission(SYSTEM_PERMISSION)
&& !self.hasPermission(new ConnectionPermission(ObjectPermission.Type.UPDATE, connectionID)))
throw new GuacamoleSecurityException("Permission to read connection parameters denied.");
// Retrieve the requested connection
Connection connection = retrievalService.retrieveConnection(userContext, connectionID);