From f4ccf8ef626e236f39ed24b1ab28f2cc9699dee7 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Sun, 30 Sep 2018 23:11:20 -0700
Subject: [PATCH] GUACAMOLE-220: Remove effectively-redundant admin permission check.

---
 .../permission/ModeledObjectPermissionService.java | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
index d9bb6bc28..8c4be58fd 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
@@ -187,19 +187,15 @@ public abstract class ModeledObjectPermissionService
         if (identifiers.isEmpty())
             return identifiers;
 
-        // Retrieve permissions only if allowed
-        if (canReadPermissions(user, targetEntity)) {
+        // If user is an admin, everything is accessible
+        if (user.getUser().isAdministrator())
+            return identifiers;
 
-            // If user is an admin, everything is accessible
-            if (user.getUser().isAdministrator())
-                return identifiers;
-
-            // Otherwise, return explicitly-retrievable identifiers
+        // Otherwise, return explicitly-retrievable identifiers only if allowed
+        if (canReadPermissions(user, targetEntity))
             return getPermissionMapper().selectAccessibleIdentifiers(
                     targetEntity.getModel(), permissions, identifiers,
                     effectiveGroups);
-
-        }
 
         // User cannot read this entity's permissions
         throw new GuacamoleSecurityException("Permission denied.");
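Review bot: The administrator early return now runs before `canReadPermissions(user, targetEntity)`, so it matches the old behaviour only if that method already returns true for every administrator; its body is not visible in this hunk, so that should be confirmed and recorded at the call site. I would extend the new comment to something like `// Admins bypass canReadPermissions(); equivalent only while that check always passes for admins`, so a restriction added to canReadPermissions() later is not silently skipped for administrators. As a style point, the braceless `if (canReadPermissions(user, targetEntity))` now guards a three-line `return`, and keeping the braces would make it harder to detach the deny path `throw new GuacamoleSecurityException("Permission denied.")` from its guard by accident. The enclosing method starts and ends outside the hunk.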