GUAC-1110: Do not allow connection groups to be updated if doing so would create a cycle.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java

@@ -31,6 +31,7 @@ import org.glyptodon.guacamole.auth.jdbc.socket.GuacamoleSocketService;
 import org.glyptodon.guacamole.GuacamoleClientException;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.GuacamoleUnsupportedException;
 import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObjectService;
 import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionGroupPermissionMapper;
 import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
@@ -166,6 +167,20 @@ public class ConnectionGroupService extends GroupedDirectoryObjectService<Modele
 
         }
 
+        // Verify that this connection group's location does not create a cycle
+        String relativeParentIdentifier = model.getParentIdentifier();
+        while (relativeParentIdentifier != null) {
+
+            // Abort if cycle is detected
+            if (relativeParentIdentifier.equals(model.getIdentifier()))
+                throw new GuacamoleUnsupportedException("A connection group may not contain itself.");
+
+            // Advance to next parent
+            ModeledConnectionGroup relativeParentGroup = retrieveObject(user, relativeParentIdentifier);
+            relativeParentIdentifier = relativeParentGroup.getModel().getParentIdentifier();
+
+        } 
+
     }
 
     /**