jmuehlner commented on code in PR #751:
URL: https://github.com/apache/guacamole-client/pull/751#discussion_r957906023
##########
guacamole/src/main/java/org/apache/guacamole/rest/user/UserResource.java:
##########
@@ -145,9 +150,51 @@ public UserHistoryResource getUserHistory()
@Override
public void updateObject(APIUser modifiedObject) throws GuacamoleException
{
- // A user may not use this endpoint to modify himself
- if
(userContext.self().getIdentifier().equals(modifiedObject.getUsername()))
- throw new GuacamoleSecurityException("Permission denied.");
+ User currentUser = userContext.self();
+
+ // A user may not use this endpoint to modify themself, except in the
case
+ // that they are modifying one of the user attributes explicitly
exposed
+ // in the user preferences form
+ if (currentUser.getIdentifier().equals(modifiedObject.getUsername())) {
+
+ // A user may not use this endpoint to update their password
+ if (currentUser.getPassword() != null)
+ throw new GuacamoleSecurityException(
+ "Permission denied. The password update endpoint must"
+ + " be used to change the current user's password.");
+
+ // All attributes exposed in the preferences forms
+ Set<String> preferenceAttributes = (
+ userContext.getUserPreferenceAttributes().stream()
+ .flatMap(form -> form.getFields().stream().map(
+ field -> field.getName())))
+ .collect(Collectors.toSet());
+
+ // Go through every attribute value and check if it's changed
+ Iterator<String> keyIterator =
modifiedObject.getAttributes().keySet().iterator();
+ while(keyIterator.hasNext()) {
+
+ String key = keyIterator.next();
+ String newValue = modifiedObject.getAttributes().get(key);
+
+ // If it's not a preference attribute, editing is not allowed
+ if (!preferenceAttributes.contains(key)) {
+
+ String currentValue = currentUser.getAttributes().get(key);
+
+ // If the value of the attribute has been modified
+ if (
+ !(currentValue == null && newValue == null) && (
+ (currentValue == null && newValue != null) ||
+ !currentValue.equals(newValue)
+ )
+ )
+ throw new GuacamoleSecurityException(
+ "Permission denied. Only user preference
attributes"
+ + " can be modified for the current user.");
+ }
+ }
+ }
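Review bot: The password guard in this hunk inspects the wrong object. The comment says "A user may not use this endpoint to update their password", but the check is `if (currentUser.getPassword() != null)`, which looks at the stored user's password rather than the incoming request, so it never detects a password in `modifiedObject` and, for any provider whose `User.getPassword()` returns a non-null value, it blocks every self-edit including the permitted preference updates. The condition should be `if (modifiedObject.getPassword() != null)`. Two smaller points on the attribute comparison further down: the four-clause null check is equivalent to `!Objects.equals(currentValue, newValue)` (note that `currentValue.equals(newValue)` is only reached once `currentValue` is known non-null, so the current form is correct but hard to audit), and the explicit `Iterator<String>` over `keySet()` with a second `get(key)` would read more directly as a for-each over `modifiedObject.getAttributes().entrySet()`.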
Review Comment:
Ah yes, that would be much simpler. I've updated it to leverage
`filterAttributes()`.
As to your question about the existing call filtering out the attributes -
it doesn't, because the preference attributes for the KSM extension are also
included in the regular user attributes.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]