コード例 #1
  /**
   * Create any new system permissions for a given user. All permissions in the given list will be
   * inserted.
   *
   * @param user_id The ID of the user whose permissions should be updated.
   * @param permissions The new system permissions that the given user should have when this
   *     operation completes.
   * @throws GuacamoleException If permission to administer system permissions is denied.
   */
  private void createSystemPermissions(int user_id, Collection<SystemPermission> permissions)
      throws GuacamoleException {

    // An empty request needs neither an authorization lookup nor any inserts.
    if (permissions.isEmpty()) {
      return;
    }

    // Authorization gate: the check is made against the calling user
    // (this.user_id), not the user being modified (the user_id parameter).
    // It runs once, before the first row is written.
    permissionCheckService.verifySystemAccess(
        this.user_id, SystemPermission.Type.ADMINISTER.name());

    // One row per requested permission, all attached to the target user.
    for (SystemPermission requested : permissions) {
      String permissionConstant = MySQLConstants.getSystemConstant(requested.getType());

      SystemPermissionKey row = new SystemPermissionKey();
      row.setUser_id(user_id);
      row.setPermission(permissionConstant);
      systemPermissionDAO.insert(row);
    }
  }
コード例 #2
  /**
   * Delete permissions having to do with connections for a given user.
   *
   * @param user_id The ID of the user to change the permissions of.
   * @param permissions The permissions the given user should no longer have when this operation
   *     completes.
   * @throws GuacamoleException If permission to alter the access permissions of affected objects is
   *     denied.
   */
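  private void deleteConnectionPermissions(
      int user_id, Collection<ConnectionPermission> permissions) throws GuacamoleException {

    // If no permissions given, stop now
    if (permissions.isEmpty()) {
      return;
    }

    // Connections the *calling* user (this.user_id) may administer. The
    // user_id parameter is the user being modified, not the caller.
    List<Integer> administerableConnectionIDs =
        permissionCheckService.retrieveConnectionIDs(
            this.user_id, MySQLConstants.CONNECTION_ADMINISTER);

    // Identifier -> connection ID, restricted to administerable connections
    Map<String, Integer> administerableConnections =
        connectionService.translateNames(administerableConnectionIDs);

    // Authorize the whole request before changing anything. Checking inside
    // the delete loop would let the rows preceding an unauthorized entry be
    // removed before the exception is thrown, unless a surrounding
    // transaction rolls them back (not visible from this method).
    for (ConnectionPermission permission : permissions) {
      if (administerableConnections.get(permission.getObjectIdentifier()) == null) {
        throw new GuacamoleSecurityException(
            "User #"
                + this.user_id
                + " does not have permission to administrate connection "
                + permission.getObjectIdentifier());
      }
    }

    // Every entry is authorized; delete the requested permissions
    for (ConnectionPermission permission : permissions) {

      // Non-null: verified by the authorization pass above
      Integer connection_id = administerableConnections.get(permission.getObjectIdentifier());

      ConnectionPermissionExample connectionPermissionExample = new ConnectionPermissionExample();
      connectionPermissionExample
          .createCriteria()
          .andUser_idEqualTo(user_id)
          .andPermissionEqualTo(MySQLConstants.getConnectionConstant(permission.getType()))
          .andConnection_idEqualTo(connection_id);
      connectionPermissionDAO.deleteByExample(connectionPermissionExample);
    }
  }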
コード例 #3
  /**
   * Delete permissions having to do with users for a given user.
   *
   * @param user_id The ID of the user to change the permissions of.
   * @param permissions The permissions the given user should no longer have when this operation
   *     completes.
   * @throws GuacamoleException If permission to alter the access permissions of affected objects is
   *     denied.
   */
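  private void deleteUserPermissions(int user_id, Collection<UserPermission> permissions)
      throws GuacamoleException {

    // If no permissions given, stop now
    if (permissions.isEmpty()) {
      return;
    }

    // Users the *calling* user (this.user_id) may administer. The user_id
    // parameter is the user whose permissions are being changed.
    List<Integer> administerableUserIDs =
        permissionCheckService.retrieveUserIDs(this.user_id, MySQLConstants.USER_ADMINISTER);

    // Identifier -> user ID, restricted to administerable users
    Map<String, Integer> administerableUsers =
        userService.translateUsernames(administerableUserIDs);

    // Authorize the whole request before changing anything. Checking inside
    // the delete loop would let the rows preceding an unauthorized entry be
    // removed before the exception is thrown, unless a surrounding
    // transaction rolls them back (not visible from this method).
    for (UserPermission permission : permissions) {
      if (administerableUsers.get(permission.getObjectIdentifier()) == null) {
        throw new GuacamoleSecurityException(
            "User #"
                + this.user_id
                + " does not have permission to administrate user "
                + permission.getObjectIdentifier());
      }
    }

    // Every entry is authorized; delete the requested permissions
    for (UserPermission permission : permissions) {

      // Non-null: verified by the authorization pass above
      Integer affected_id = administerableUsers.get(permission.getObjectIdentifier());

      UserPermissionExample userPermissionExample = new UserPermissionExample();
      userPermissionExample
          .createCriteria()
          .andUser_idEqualTo(user_id)
          .andPermissionEqualTo(MySQLConstants.getUserConstant(permission.getType()))
          .andAffected_user_idEqualTo(affected_id);
      userPermissionDAO.deleteByExample(userPermissionExample);
    }
  }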
コード例 #4
  /**
   * Create any new permissions having to do with connections for a given user.
   *
   * @param user_id The ID of the user to assign or remove permissions from.
   * @param permissions The new permissions the user should have after this operation completes.
   * @throws GuacamoleException If permission to alter the access permissions of affected objects is
   *     denied.
   */
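  private void createConnectionPermissions(
      int user_id, Collection<ConnectionPermission> permissions) throws GuacamoleException {

    // If no permissions given, stop now
    if (permissions.isEmpty()) {
      return;
    }

    // Connections the *calling* user (this.user_id) may administer. The
    // user_id parameter is the user receiving the permissions.
    List<Integer> administerableConnectionIDs =
        permissionCheckService.retrieveConnectionIDs(
            this.user_id, MySQLConstants.CONNECTION_ADMINISTER);

    // Identifier -> connection ID, restricted to administerable connections
    Map<String, Integer> administerableConnections =
        connectionService.translateNames(administerableConnectionIDs);

    // Authorize the whole request before changing anything. Checking inside
    // the insert loop would let the grants preceding an unauthorized entry be
    // written before the exception is thrown, unless a surrounding
    // transaction rolls them back (not visible from this method).
    for (ConnectionPermission permission : permissions) {
      if (administerableConnections.get(permission.getObjectIdentifier()) == null) {
        throw new GuacamoleSecurityException(
            "User #"
                + this.user_id
                + " does not have permission to administrate connection "
                + permission.getObjectIdentifier());
      }
    }

    // Every entry is authorized; insert the requested permissions
    for (ConnectionPermission permission : permissions) {

      // Non-null: verified by the authorization pass above
      Integer connection_id = administerableConnections.get(permission.getObjectIdentifier());

      ConnectionPermissionKey newPermission = new ConnectionPermissionKey();
      newPermission.setUser_id(user_id);
      newPermission.setPermission(MySQLConstants.getConnectionConstant(permission.getType()));
      newPermission.setConnection_id(connection_id);
      connectionPermissionDAO.insert(newPermission);
    }
  }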
コード例 #5
  /**
   * Delete system permissions for a given user. All permissions in the given list will be removed
   * from the user.
   *
   * @param user_id The ID of the user whose permissions should be updated.
   * @param permissions The permissions the given user should no longer have when this operation
   *     completes.
   * @throws GuacamoleException If the permissions specified could not be removed due to system
   *     restrictions.
   */
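  private void deleteSystemPermissions(int user_id, Collection<SystemPermission> permissions)
      throws GuacamoleException {

    // If no permissions given, stop now
    if (permissions.isEmpty()) {
      return;
    }

    // Only a system administrator may remove system permissions. This is the
    // same gate createSystemPermissions applies before inserting; without it
    // the only guard here is the self-removal check below, which does not
    // establish that the caller is an administrator.
    // NOTE(review): callers may already enforce this; the check is repeated
    // here so the method is safe on its own. Confirm against the call sites.
    permissionCheckService.verifySystemAccess(
        this.user_id, SystemPermission.Type.ADMINISTER.name());

    // Prevent self-de-adminifying. This rejects any system permission removal
    // targeting the caller, whatever permission types are in the list.
    if (user_id == this.user_id) {
      throw new GuacamoleClientException(
          "Removing your own administrative permissions is not allowed.");
    }

    // Build list of requested system permissions
    List<String> systemPermissionTypes = new ArrayList<String>(permissions.size());
    for (SystemPermission permission : permissions) {
      systemPermissionTypes.add(MySQLConstants.getSystemConstant(permission.getType()));
    }

    // Delete the requested system permissions for the target user in one
    // statement, scoped to that user's rows only.
    SystemPermissionExample systemPermissionExample = new SystemPermissionExample();
    systemPermissionExample
        .createCriteria()
        .andUser_idEqualTo(user_id)
        .andPermissionIn(systemPermissionTypes);
    systemPermissionDAO.deleteByExample(systemPermissionExample);
  }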