You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@guacamole.apache.org by vn...@apache.org on 2018/08/14 23:39:40 UTC
[02/13] guacamole-client git commit: GUACAMOLE-220: Allow
manipulation and retrieval of user group permissions via JavaScript.
GUACAMOLE-220: Allow manipulation and retrieval of user group permissions via JavaScript.
Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/55bcf25a
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/55bcf25a
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/55bcf25a
Branch: refs/heads/master
Commit: 55bcf25a1c53f85ba2383fc83b46e2bc2ccd05af
Parents: 9f01fcb
Author: Michael Jumper <mj...@apache.org>
Authored: Thu Apr 19 14:39:04 2018 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Wed Aug 8 09:00:06 2018 -0700
----------------------------------------------------------------------
.../app/rest/services/permissionService.js | 91 +++++++++++++-------
.../webapp/app/rest/types/PermissionFlagSet.js | 23 ++++-
.../main/webapp/app/rest/types/PermissionSet.js | 82 +++++++++++++++++-
3 files changed, 163 insertions(+), 33 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/55bcf25a/guacamole/src/main/webapp/app/rest/services/permissionService.js
----------------------------------------------------------------------
diff --git a/guacamole/src/main/webapp/app/rest/services/permissionService.js b/guacamole/src/main/webapp/app/rest/services/permissionService.js
index 6d3dfdf..21c5a02 100644
--- a/guacamole/src/main/webapp/app/rest/services/permissionService.js
+++ b/guacamole/src/main/webapp/app/rest/services/permissionService.js
@@ -45,6 +45,11 @@ angular.module('rest').factory('permissionService', ['$injector',
* within that data source (and thus cannot be found beneath
* "api/session/data/{dataSource}/users")
*
+ * NOTE: Unlike getPermissionsResourceURL(),
+ * getEffectivePermissionsResourceURL() CANNOT be applied to user groups.
+ * Only users have retrievable effective permissions as far as the REST API
+ * is concerned.
+ *
* @param {String} dataSource
* The unique identifier of the data source containing the user whose
* permissions should be retrieved. This identifier corresponds to an
@@ -82,6 +87,10 @@ angular.module('rest').factory('permissionService', ['$injector',
* from the permissions returned via getPermissions() in that permissions
* which are not directly granted to the user are included.
*
+ * NOTE: Unlike getPermissions(), getEffectivePermissions() CANNOT be
+ * applied to user groups. Only users have retrievable effective
+ * permissions as far as the REST API is concerned.
+ *
* @param {String} dataSource
* The unique identifier of the data source containing the user whose
* permissions should be retrieved. This identifier corresponds to an
@@ -113,10 +122,10 @@ angular.module('rest').factory('permissionService', ['$injector',
/**
* Returns the URL for the REST resource most appropriate for accessing
- * the permissions of the user having the given identifier. The permissions
- * retrieved differ from effective permissions (those returned by
- * getEffectivePermissions()) in that only permissions which are directly
- * granted to the user are included.
+ * the permissions of the user or group having the given identifier. The
+ * permissions retrieved differ from effective permissions (those returned
+ * by getEffectivePermissions()) in that only permissions which are directly
+ * granted to the user or group are included.
*
* It is important to note that a particular data source can authenticate
* and provide permissions for a user, even if that user does not exist
@@ -129,18 +138,27 @@ angular.module('rest').factory('permissionService', ['$injector',
* AuthenticationProvider within the Guacamole web application.
*
* @param {String} identifier
- * The identifier of the user for which the URL of the proper REST
- * resource should be derived.
+ * The identifier of the user or group for which the URL of the proper
+ * REST resource should be derived.
+ *
+ * @param {Boolean} [group]
+ * Whether the provided identifier refers to a user group. If false or
+ * omitted, the identifier given is assumed to refer to a user.
*
* @returns {String}
- * The URL for the REST resource representing the user having the given
- * identifier.
+ * The URL for the REST resource representing the user or group having
+ * the given identifier.
*/
- var getPermissionsResourceURL = function getPermissionsResourceURL(dataSource, identifier) {
+ var getPermissionsResourceURL = function getPermissionsResourceURL(dataSource, identifier, group) {
// Create base URL for data source
var base = 'api/session/data/' + encodeURIComponent(dataSource);
+ // Access group permissions directly (there is no "self" for user groups
+ // as there is for users)
+ if (group)
+ return base + '/userGroups/' + encodeURIComponent(identifier) + '/permissions';
+
// If the username is that of the current user, do not rely on the
// user actually existing (they may not). Access their permissions via
// "self" rather than the collection of defined users.
@@ -155,36 +173,41 @@ angular.module('rest').factory('permissionService', ['$injector',
/**
* Makes a request to the REST API to get the list of permissions for a
- * given user, returning a promise that provides an array of
+ * given user or user group, returning a promise that provides an array of
* @link{Permission} objects if successful. The permissions retrieved
* differ from effective permissions (those returned by
- * getEffectivePermissions()) in that only permissions which are directly
- * granted to the user included.
+ * getEffectivePermissions()) in that both users and groups may be queried,
+ * and only permissions which are directly granted to the user or group are
+ * included.
*
* @param {String} dataSource
- * The unique identifier of the data source containing the user whose
- * permissions should be retrieved. This identifier corresponds to an
- * AuthenticationProvider within the Guacamole web application.
+ * The unique identifier of the data source containing the user or group
+ * whose permissions should be retrieved. This identifier corresponds to
+ * an AuthenticationProvider within the Guacamole web application.
*
* @param {String} identifier
- * The identifier of the user to retrieve the permissions for.
+ * The identifier of the user or group to retrieve the permissions for.
+ *
+ * @param {Boolean} [group]
+ * Whether the provided identifier refers to a user group. If false or
+ * omitted, the identifier given is assumed to refer to a user.
*
* @returns {Promise.<PermissionSet>}
* A promise which will resolve with a @link{PermissionSet} upon
* success.
*/
- service.getPermissions = function getPermissions(dataSource, identifier) {
+ service.getPermissions = function getPermissions(dataSource, identifier, group) {
// Build HTTP parameters set
var httpParameters = {
token : authenticationService.getCurrentToken()
};
- // Retrieve user permissions
+ // Retrieve user/group permissions
return requestService({
cache : cacheService.users,
method : 'GET',
- url : getPermissionsResourceURL(dataSource, identifier),
+ url : getPermissionsResourceURL(dataSource, identifier, group),
params : httpParameters
});
@@ -261,6 +284,10 @@ angular.module('rest').factory('permissionService', ['$injector',
addObjectPatchOperations(patch, operation, "/userPermissions",
permissions.userPermissions);
+ // Add user group permission operations to patch
+ addObjectPatchOperations(patch, operation, "/userGroupPermissions",
+ permissions.userGroupPermissions);
+
// Add system operations to patch
permissions.systemPermissions.forEach(function addSystemPatch(type) {
patch.push({
@@ -274,18 +301,18 @@ angular.module('rest').factory('permissionService', ['$injector',
/**
* Makes a request to the REST API to modify the permissions for a given
- * user, returning a promise that can be used for processing the results of
- * the call. This request affects only the permissions directly granted to
- * the user, and may not affect permissions inherited through other means
- * (effective permissions).
+ * user or group, returning a promise that can be used for processing the
+ * results of the call. This request affects only the permissions directly
+ * granted to the user or group, and may not affect permissions inherited
+ * through other means (effective permissions).
*
* @param {String} dataSource
- * The unique identifier of the data source containing the user whose
- * permissions should be modified. This identifier corresponds to an
- * AuthenticationProvider within the Guacamole web application.
+ * The unique identifier of the data source containing the user or group
+ * whose permissions should be modified. This identifier corresponds to
+ * an AuthenticationProvider within the Guacamole web application.
*
* @param {String} identifier
- * The identifier of the user to modify the permissions of.
+ * The identifier of the user or group to modify the permissions of.
*
* @param {PermissionSet} [permissionsToAdd]
* The set of permissions to add, if any.
@@ -293,12 +320,16 @@ angular.module('rest').factory('permissionService', ['$injector',
* @param {PermissionSet} [permissionsToRemove]
* The set of permissions to remove, if any.
*
+ * @param {Boolean} [group]
+ * Whether the provided identifier refers to a user group. If false or
+ * omitted, the identifier given is assumed to refer to a user.
+ *
* @returns {Promise}
* A promise for the HTTP call which will succeed if and only if the
* patch operation is successful.
*/
service.patchPermissions = function patchPermissions(dataSource, identifier,
- permissionsToAdd, permissionsToRemove) {
+ permissionsToAdd, permissionsToRemove, group) {
var permissionPatch = [];
@@ -313,10 +344,10 @@ angular.module('rest').factory('permissionService', ['$injector',
// Add all the remove operations to the patch
addPatchOperations(permissionPatch, PermissionPatch.Operation.REMOVE, permissionsToRemove);
- // Patch user permissions
+ // Patch user/group permissions
return requestService({
method : 'PATCH',
- url : getPermissionsResourceURL(dataSource, identifier),
+ url : getPermissionsResourceURL(dataSource, identifier, group),
params : httpParameters,
data : permissionPatch
})
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/55bcf25a/guacamole/src/main/webapp/app/rest/types/PermissionFlagSet.js
----------------------------------------------------------------------
diff --git a/guacamole/src/main/webapp/app/rest/types/PermissionFlagSet.js b/guacamole/src/main/webapp/app/rest/types/PermissionFlagSet.js
index 64b942b..f79e3b9 100644
--- a/guacamole/src/main/webapp/app/rest/types/PermissionFlagSet.js
+++ b/guacamole/src/main/webapp/app/rest/types/PermissionFlagSet.js
@@ -133,7 +133,7 @@ angular.module('rest').factory('PermissionFlagSet', ['PermissionSet',
* true. Valid permission type strings are defined within
* PermissionSet.ObjectPermissionType. Permissions which are not
* granted may be set to false, but this is not required.
- *
+ *
* @type Object.<String, Object.<String, Boolean>>
*/
this.userPermissions = template.userPermissions || {
@@ -143,6 +143,24 @@ angular.module('rest').factory('PermissionFlagSet', ['PermissionSet',
'ADMINISTER' : {}
};
+ /**
+ * The granted state of each permission for each user group, as a map of
+ * object permission type string to permission map. The permission map
+ * is, in turn, a map of group identifier to boolean value. A particular
+ * permission is granted if its corresponding boolean value is set to
+ * true. Valid permission type strings are defined within
+ * PermissionSet.ObjectPermissionType. Permissions which are not
+ * granted may be set to false, but this is not required.
+ *
+ * @type Object.<String, Object.<String, Boolean>>
+ */
+ this.userGroupPermissions = template.userGroupPermissions || {
+ 'READ' : {},
+ 'UPDATE' : {},
+ 'DELETE' : {},
+ 'ADMINISTER' : {}
+ };
+
};
/**
@@ -216,6 +234,9 @@ angular.module('rest').factory('PermissionFlagSet', ['PermissionSet',
// Add all granted user permissions
addObjectPermissions(permissionSet.userPermissions, permissionFlagSet.userPermissions);
+ // Add all granted user group permissions
+ addObjectPermissions(permissionSet.userGroupPermissions, permissionFlagSet.userGroupPermissions);
+
return permissionFlagSet;
};
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/55bcf25a/guacamole/src/main/webapp/app/rest/types/PermissionSet.js
----------------------------------------------------------------------
diff --git a/guacamole/src/main/webapp/app/rest/types/PermissionSet.js b/guacamole/src/main/webapp/app/rest/types/PermissionSet.js
index 8fd1ef6..2bc2e9e 100644
--- a/guacamole/src/main/webapp/app/rest/types/PermissionSet.js
+++ b/guacamole/src/main/webapp/app/rest/types/PermissionSet.js
@@ -82,6 +82,15 @@ angular.module('rest').factory('PermissionSet', [function definePermissionSet()
this.userPermissions = template.userPermissions || {};
/**
+ * Map of user group identifiers to the corresponding array of granted
+ * permissions. Each permission is represented by a string listed
+ * within PermissionSet.ObjectPermissionType.
+ *
+ * @type Object.<String, String[]>
+ */
+ this.userGroupPermissions = template.userGroupPermissions || {};
+
+ /**
* Array of granted system permissions. Each permission is represented
* by a string listed within PermissionSet.SystemPermissionType.
*
@@ -306,7 +315,7 @@ angular.module('rest').factory('PermissionSet', [function definePermissionSet()
};
/**
- * Returns whether the given permission is granted for the user having the
+ * Returns whether the given permission is granted for the user having the
* given ID.
*
* @param {PermissionSet|Object} permSet
@@ -315,7 +324,7 @@ angular.module('rest').factory('PermissionSet', [function definePermissionSet()
* @param {String} type
* The permission to search for, as defined by
* PermissionSet.ObjectPermissionType.
- *
+ *
* @param {String} identifier
* The identifier of the user to which the permission applies.
*
@@ -327,6 +336,27 @@ angular.module('rest').factory('PermissionSet', [function definePermissionSet()
};
/**
+ * Returns whether the given permission is granted for the user group having
+ * the given identifier.
+ *
+ * @param {PermissionSet|Object} permSet
+ * The permission set to check.
+ *
+ * @param {String} type
+ * The permission to search for, as defined by
+ * PermissionSet.ObjectPermissionType.
+ *
+ * @param {String} identifier
+ * The identifier of the user group to which the permission applies.
+ *
+ * @returns {Boolean}
+ * true if the permission is present (granted), false otherwise.
+ */
+ PermissionSet.hasUserGroupPermission = function hasUserGroupPermission(permSet, type, identifier) {
+ return hasPermission(permSet.userGroupPermissions, type, identifier);
+ };
+
+ /**
* Returns whether the given permission is granted at the system level.
*
* @param {PermissionSet|Object} permSet
@@ -733,6 +763,54 @@ angular.module('rest').factory('PermissionSet', [function definePermissionSet()
return removeObjectPermission(permSet.userPermissions, type, identifier);
};
+ /**
+ * Adds the given user group permission applying to the user group with the
+ * given identifier to the given permission set, if not already present. If
+ * the permission is already present, this function has no effect.
+ *
+ * @param {PermissionSet} permSet
+ * The permission set to modify.
+ *
+ * @param {String} type
+ * The permission to add, as defined by
+ * PermissionSet.ObjectPermissionType.
+ *
+ * @param {String} identifier
+ * The identifier of the user group to which the permission applies.
+ *
+ * @returns {Boolean}
+ * true if the permission was added, false if the permission was
+ * already present in the given permission set.
+ */
+ PermissionSet.addUserGroupPermission = function addUserGroupPermission(permSet, type, identifier) {
+ permSet.userGroupPermissions = permSet.userGroupPermissions || {};
+ return addObjectPermission(permSet.userGroupPermissions, type, identifier);
+ };
+
+ /**
+ * Removes the given user group permission applying to the user group with
+ * the given identifier from the given permission set, if present. If the
+ * permission is not present, this function has no effect.
+ *
+ * @param {PermissionSet} permSet
+ * The permission set to modify.
+ *
+ * @param {String} type
+ * The permission to remove, as defined by
+ * PermissionSet.ObjectPermissionType.
+ *
+ * @param {String} identifier
+ * The identifier of the user group to whom the permission applies.
+ *
+ * @returns {Boolean}
+ * true if the permission was removed, false if the permission was not
+ * present in the given permission set.
+ */
+ PermissionSet.removeUserGroupPermission = function removeUserGroupPermission(permSet, type, identifier) {
+ permSet.userGroupPermissions = permSet.userGroupPermissions || {};
+ return removeObjectPermission(permSet.userGroupPermissions, type, identifier);
+ };
+
return PermissionSet;
}]);
\ No newline at end of file