Github user mike-jumper commented on a diff in the pull request:
https://github.com/apache/guacamole-client/pull/301#discussion_r196234222
--- Diff:
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionService.java
---
@@ -111,20 +113,19 @@ public TrackedActiveConnection
retrieveObject(ModeledAuthenticatedUser user,
public void deleteObject(ModeledAuthenticatedUser user, String
identifier)
throws GuacamoleException {
- // Only administrators may delete active connections
- if (!user.getUser().isAdministrator())
- throw new GuacamoleSecurityException("Permission denied.");
-
- // Close connection, if it exists (and we have permission)
+ // Close connection, if it exists and we have permission
ActiveConnection activeConnection = retrieveObject(user,
identifier);
- if (activeConnection != null) {
+ if (activeConnection != null
+ && hasObjectPermissions(user, identifier,
ObjectPermission.Type.DELETE)) {
// Close connection if not already closed
GuacamoleTunnel tunnel = activeConnection.getTunnel();
if (tunnel != null && tunnel.isOpen())
tunnel.close();
}
+ else
+ throw new GuacamoleSecurityException("Permission denied.");
--- End diff --
This technically goes against [the definition of `deleteObject()` on the
interface](https://github.com/apache/guacamole-client/blob/984ab48ce8dbbb5b9949ce1f5e5f774168b4830b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/DirectoryObjectService.java#L103-L104)
which states (emphasis added):
> Deletes the object having the given identifier. **If no such object
exists, this function has no effect.**
The `GuacamoleSecurityException` should only be thrown if permission is
denied to delete the object. If no such object exists at all, the function
should silently do nothing.
---
