/**
 * Grants system permissions to a user by inserting one record per entry of the given
 * collection. An empty collection returns immediately, before any access check is made.
 *
 * @param user_id The ID of the user who receives the permissions.
 * @param permissions The system permissions to insert for that user.
 * @throws GuacamoleException If permission to administer system permissions is denied.
 */
private void createSystemPermissions(int user_id, Collection<SystemPermission> permissions)
        throws GuacamoleException {

    // Nothing requested: leave before the access check and before any insert.
    if (permissions.isEmpty()) {
        return;
    }

    // Authorization gate: it is the acting user (this.user_id), not the target user_id,
    // who must hold the ADMINISTER system permission.
    permissionCheckService.verifySystemAccess(
            this.user_id, SystemPermission.Type.ADMINISTER.name());

    // One record per requested permission, all bound to the target user.
    for (SystemPermission requested : permissions) {
        String permissionConstant = MySQLConstants.getSystemConstant(requested.getType());

        SystemPermissionKey record = new SystemPermissionKey();
        record.setUser_id(user_id);
        record.setPermission(permissionConstant);
        systemPermissionDAO.insert(record);
    }
}
/**
 * Revokes connection permissions from a user. Every permission must name a connection that
 * the acting user (this.user_id) is allowed to administer.
 *
 * @param user_id The ID of the user whose connection permissions are removed.
 * @param permissions The connection permissions the user should no longer hold afterwards.
 * @throws GuacamoleException If the acting user lacks permission to administer a connection
 *     named by one of the given permissions.
 */
private void deleteConnectionPermissions(
        int user_id, Collection<ConnectionPermission> permissions) throws GuacamoleException {

    // Nothing requested: no lookups, no deletes.
    if (permissions.isEmpty()) {
        return;
    }

    // Connections the acting user may administer, looked up by object identifier below.
    Map<String, Integer> connectionIdsByName =
            connectionService.translateNames(
                    permissionCheckService.retrieveConnectionIDs(
                            this.user_id, MySQLConstants.CONNECTION_ADMINISTER));

    // NOTE(review): the authorization check runs per entry inside this loop, so entries
    // handled before a rejected one have already been deleted unless the caller wraps this
    // method in a transaction - confirm against the caller.
    for (ConnectionPermission requested : permissions) {

        // A missing entry means the connection is not among those the acting user administers.
        Integer connection_id = connectionIdsByName.get(requested.getObjectIdentifier());
        if (connection_id == null) {
            throw new GuacamoleSecurityException(
                    "User #"
                            + this.user_id
                            + " does not have permission to administrate connection "
                            + requested.getObjectIdentifier());
        }

        // Match exactly one (user, permission type, connection) combination.
        ConnectionPermissionExample filter = new ConnectionPermissionExample();
        filter.createCriteria()
                .andUser_idEqualTo(user_id)
                .andPermissionEqualTo(MySQLConstants.getConnectionConstant(requested.getType()))
                .andConnection_idEqualTo(connection_id);
        connectionPermissionDAO.deleteByExample(filter);
    }
}
/**
 * Revokes user-object permissions from a user. Every permission must name a user that the
 * acting user (this.user_id) is allowed to administer.
 *
 * @param user_id The ID of the user whose permissions are removed.
 * @param permissions The user permissions the given user should no longer hold afterwards.
 * @throws GuacamoleException If the acting user lacks permission to administer a user named
 *     by one of the given permissions.
 */
private void deleteUserPermissions(int user_id, Collection<UserPermission> permissions)
        throws GuacamoleException {

    // Nothing requested: no lookups, no deletes.
    if (permissions.isEmpty()) {
        return;
    }

    // Users the acting user may administer, looked up by object identifier below.
    Map<String, Integer> userIdsByUsername =
            userService.translateUsernames(
                    permissionCheckService.retrieveUserIDs(
                            this.user_id, MySQLConstants.USER_ADMINISTER));

    // NOTE(review): the authorization check runs per entry inside this loop, so entries
    // handled before a rejected one have already been deleted unless the caller wraps this
    // method in a transaction - confirm against the caller.
    for (UserPermission requested : permissions) {

        // A missing entry means the named user is not among those the acting user administers.
        Integer affected_id = userIdsByUsername.get(requested.getObjectIdentifier());
        if (affected_id == null) {
            throw new GuacamoleSecurityException(
                    "User #"
                            + this.user_id
                            + " does not have permission to administrate user "
                            + requested.getObjectIdentifier());
        }

        // Match exactly one (user, permission type, affected user) combination.
        UserPermissionExample filter = new UserPermissionExample();
        filter.createCriteria()
                .andUser_idEqualTo(user_id)
                .andPermissionEqualTo(MySQLConstants.getUserConstant(requested.getType()))
                .andAffected_user_idEqualTo(affected_id);
        userPermissionDAO.deleteByExample(filter);
    }
}
/**
 * Grants connection permissions to a user. Every permission must name a connection that the
 * acting user (this.user_id) is allowed to administer.
 *
 * @param user_id The ID of the user who receives the permissions.
 * @param permissions The connection permissions the user should hold afterwards.
 * @throws GuacamoleException If permission to alter the access permissions of affected objects
 *     is denied.
 */
private void createConnectionPermissions(
        int user_id, Collection<ConnectionPermission> permissions) throws GuacamoleException {

    // Nothing requested: no lookups, no inserts.
    if (permissions.isEmpty()) {
        return;
    }

    // Connections the acting user may administer, looked up by object identifier below.
    Map<String, Integer> connectionIdsByName =
            connectionService.translateNames(
                    permissionCheckService.retrieveConnectionIDs(
                            this.user_id, MySQLConstants.CONNECTION_ADMINISTER));

    // NOTE(review): the authorization check runs per entry inside this loop, so entries
    // handled before a rejected one have already been inserted unless the caller wraps this
    // method in a transaction - confirm against the caller.
    for (ConnectionPermission requested : permissions) {

        // A missing entry means the connection is not among those the acting user administers.
        Integer connection_id = connectionIdsByName.get(requested.getObjectIdentifier());
        if (connection_id == null) {
            throw new GuacamoleSecurityException(
                    "User #"
                            + this.user_id
                            + " does not have permission to administrate connection "
                            + requested.getObjectIdentifier());
        }

        // Bind the permission type and the resolved connection ID to the target user.
        ConnectionPermissionKey record = new ConnectionPermissionKey();
        record.setUser_id(user_id);
        record.setPermission(MySQLConstants.getConnectionConstant(requested.getType()));
        record.setConnection_id(connection_id);
        connectionPermissionDAO.insert(record);
    }
}
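/**
 * Delete system permissions for a given user. All permissions in the given list will be removed
 * from the user. An empty collection returns immediately, before any check is made.
 *
 * @param user_id The ID of the user whose permissions should be updated.
 * @param permissions The permissions the given user should no longer have when this operation
 *     completes.
 * @throws GuacamoleException If permission to administer system permissions is denied, or if the
 *     acting user attempts to remove their own system permissions.
 */
private void deleteSystemPermissions(int user_id, Collection<SystemPermission> permissions)
        throws GuacamoleException {

    // If no permissions given, stop now
    if (permissions.isEmpty()) {
        return;
    }

    // Only a system administrator can remove system permissions. This is the same gate
    // createSystemPermissions applies before inserting; without it, nothing in this method
    // verifies that the acting user (this.user_id) may alter system permissions at all.
    permissionCheckService.verifySystemAccess(
            this.user_id, SystemPermission.Type.ADMINISTER.name());

    // Prevent self-de-adminifying. The guard applies to every system permission type,
    // not only ADMINISTER.
    if (user_id == this.user_id) {
        throw new GuacamoleClientException(
                "Removing your own administrative permissions is not allowed.");
    }

    // Build list of requested system permissions
    List<String> systemPermissionTypes = new ArrayList<String>(permissions.size());
    for (SystemPermission permission : permissions) {
        systemPermissionTypes.add(MySQLConstants.getSystemConstant(permission.getType()));
    }

    // Delete the requested system permissions for this user in a single statement,
    // restricted to the target user and the requested permission types.
    SystemPermissionExample systemPermissionExample = new SystemPermissionExample();
    systemPermissionExample
            .createCriteria()
            .andUser_idEqualTo(user_id)
            .andPermissionIn(systemPermissionTypes);
    systemPermissionDAO.deleteByExample(systemPermissionExample);
}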