GUACAMOLE-708: Handle implicit permissions where no entity exists.
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index a1883be..3f54be8 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -132,7 +132,7 @@
user = userService.retrieveSkeletonUser(authenticationProvider, authenticatedUser);
// If auto account creation is enabled, add user to DB.
- if(environment.autoCreateAbsentAccounts()) {
+ if (environment.autoCreateAbsentAccounts()) {
userService.createObject(new PrivilegedModeledAuthenticatedUser(user.getCurrentUser()), user);
}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java
index f8d0e8a..db86d35 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java
@@ -410,9 +410,9 @@
}
/**
- * Returns a collection of permissions that should be granted due to the
- * creation of the given object. These permissions need not be granted
- * solely to the user creating the object.
+ * Returns an immutable collection of permissions that should be granted due
+ * to the creation of the given object. These permissions need not be
+ * granted solely to the user creating the object.
*
* @param user
* The user creating the object.
@@ -427,16 +427,22 @@
protected Collection<ObjectPermissionModel> getImplicitPermissions(ModeledAuthenticatedUser user,
ModelType model) {
+ // Get the user model and check for an entity ID.
+ UserModel userModel = user.getUser().getModel();
+ Integer entityId = userModel.getEntityID();
+ if (entityId == null)
+ return Collections.emptyList();
+
// Build list of implicit permissions
Collection<ObjectPermissionModel> implicitPermissions =
- new ArrayList<ObjectPermissionModel>(IMPLICIT_OBJECT_PERMISSIONS.length);
+ new ArrayList<>(IMPLICIT_OBJECT_PERMISSIONS.length);
- UserModel userModel = user.getUser().getModel();
+
for (ObjectPermission.Type permission : IMPLICIT_OBJECT_PERMISSIONS) {
// Create model which grants this permission to the current user
ObjectPermissionModel permissionModel = new ObjectPermissionModel();
- permissionModel.setEntityID(userModel.getEntityID());
+ permissionModel.setEntityID(entityId);
permissionModel.setType(permission);
permissionModel.setObjectIdentifier(model.getIdentifier());
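Review bot: The early return `if (entityId == null) return Collections.emptyList();` silently grants nothing, so an object created by a user who has no entity ends up with no permission rows for its creator, and only an administrator could manage it afterwards. The Javadoc above the method should state this, for example `If the creating user has no associated entity, an empty collection is returned and no permissions are granted.` A debug-level log entry on this branch would also help when auditing why a created object has no owner permissions. The method body continues outside this hunk.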
@@ -445,7 +451,7 @@
}
- return implicitPermissions;
+ return Collections.unmodifiableCollection(implicitPermissions);
}
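Review bot: Returning `Collections.unmodifiableCollection(implicitPermissions)` changes the contract for every override that extends the result of `super.getImplicitPermissions(...)`; such an override would now fail with UnsupportedOperationException while an object is being created. UserService is adapted in this commit with `new ArrayList<>(super.getImplicitPermissions(user, model))`, but any other subclass outside this diff that adds to the returned collection needs the same copy. The `@return` description should say the collection is unmodifiable and must be copied before being extended.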
@@ -464,7 +470,9 @@
object.setIdentifier(model.getIdentifier());
// Add implicit permissions
- getPermissionMapper().insert(getImplicitPermissions(user, model));
+ Collection<ObjectPermissionModel> implicitPermissions = getImplicitPermissions(user, model);
+ if (implicitPermissions != null && !implicitPermissions.isEmpty())
+ getPermissionMapper().insert(implicitPermissions);
// Add any arbitrary attributes
if (model.hasArbitraryAttributes())
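Review bot: The guard `implicitPermissions != null && !implicitPermissions.isEmpty()` accepts a null return, but the base implementation shown in this diff never returns null and the UserService override would throw on a null from `super` when it copies the result. Either document null as a permitted return value of getImplicitPermissions() or drop the null test so that the contract is stated once. A short comment such as `// Nothing to insert when the creating user has no entity` would explain why the insert is now conditional. The enclosing method starts and ends outside this hunk.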
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
index e284205..50b9e42 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
@@ -52,7 +52,6 @@
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider;
import org.apache.guacamole.net.auth.User;
-import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.permission.ObjectPermission;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -297,8 +296,9 @@
protected Collection<ObjectPermissionModel>
getImplicitPermissions(ModeledAuthenticatedUser user, UserModel model) {
- // Get original set of implicit permissions
- Collection<ObjectPermissionModel> implicitPermissions = super.getImplicitPermissions(user, model);
+ // Get original set of implicit permissions and make a copy
+ Collection<ObjectPermissionModel> implicitPermissions =
+ new ArrayList<>(super.getImplicitPermissions(user, model));
// Grant implicit permissions to the new user
for (ObjectPermission.Type permissionType : IMPLICIT_USER_PERMISSIONS) {
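Review bot: The comment `// Get original set of implicit permissions and make a copy` does not say why the copy is needed. The superclass now returns an unmodifiable collection (or `Collections.emptyList()` when the creator has no entity), and the loop that follows presumably adds to it, so a comment like `// Copy: super returns an unmodifiable collection and this method adds to it` would keep a later cleanup from removing the copy. This file's changes also use `ArrayList` and `Collections`, while the only import change shown removes `UserContext`; confirm both are already imported. The method body continues outside this hunk.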
@@ -313,7 +313,7 @@
}
- return implicitPermissions;
+ return Collections.unmodifiableCollection(implicitPermissions);
}
@Override
@@ -447,8 +447,6 @@
public ModeledUser retrieveSkeletonUser(AuthenticationProvider authenticationProvider,
AuthenticatedUser authenticatedUser) throws GuacamoleException {
- logger.info(">>>JDBC<<< Creating skeleton user {}", authenticatedUser.getIdentifier());
-
// Set up an empty user model
ModeledUser user = getObjectInstance(null,
new UserModel(authenticatedUser.getIdentifier()));