GitHub user mike-jumper opened a pull request:
https://github.com/apache/incubator-guacamole-client/pull/34
GUACAMOLE-5: Fix non-admin access to sharing profiles.
This change fixes the following issues discovered after testing sharing
profiles in a production environment against non-admin users:
1. The tunnel beneath an active connection was only being exposed to admin
users, thus breaking the `.../api/session/tunnels/[UUID]/activeConnection`
resource for non-admins. Users should be able to see the data associated with
their own active connections.
2. As the above resource was written under the faulty assumption that the
active connection can always be retrieved (what if the extension does not
implement active connection tracking?), a hard HTTP 500 was thrown when this
assumption failed. The resource should instead throw a nice HTTP 404.
3. The permission-restricted query for retrieving the sharing profile
identifiers associated with a particular connection was ambiguous with respect
to the `sharing_profile_id` column, which occurs in both the
`guacamole_sharing_profile` and `guacamole_sharing_profile_permission` tables.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/mike-jumper/incubator-guacamole-client fix-non-admin
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-guacamole-client/pull/34.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #34
----
commit a5af6c00d249ffc7d5c50414541545e53cad3f4c
Author: Michael Jumper <[email protected]>
Date: 2016-07-25T21:10:54Z
GUACAMOLE-5: Throw clean "resource not found" if the active connection of a
tunnel cannot be determined.
commit 8fad01c65c350d10d2bb86dedcf4eb246d82b0c6
Author: Michael Jumper <[email protected]>
Date: 2016-07-25T21:20:03Z
GUACAMOLE-5: Include the sensitive information of an active connection if
the current user started that active connection.
commit f119b972301cb42f2c17ee7011452c05af0ab9bc
Author: Michael Jumper <[email protected]>
Date: 2016-07-25T21:25:53Z
GUACAMOLE-5: Column "sharing_profile_id" is ambiguous without the table
name.
----
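The column ambiguity described in item 3, reproduced as an added example (not code from the pull request or from Guacamole). SQLite stands in for the project's database; only the two table names and `sharing_profile_id` come from the message above, while the other columns, the rows and the helper names are assumptions.

```python
import sqlite3

# Constructed, simplified schema: only the table names and sharing_profile_id
# are taken from the pull request; everything else is assumed for the demo.
SCHEMA = """
CREATE TABLE guacamole_sharing_profile (
    sharing_profile_id    INTEGER PRIMARY KEY,
    primary_connection_id INTEGER NOT NULL
);
CREATE TABLE guacamole_sharing_profile_permission (
    user_id            INTEGER NOT NULL,
    sharing_profile_id INTEGER NOT NULL,
    permission         TEXT NOT NULL
);
INSERT INTO guacamole_sharing_profile VALUES (1, 10), (2, 10), (3, 20);
INSERT INTO guacamole_sharing_profile_permission VALUES
    (7, 1, 'READ'), (8, 2, 'READ'), (7, 3, 'READ');
"""

# Joining the permission table restricts results to what the user may read,
# and also brings a second sharing_profile_id column into scope.
JOIN = """
  FROM guacamole_sharing_profile
  JOIN guacamole_sharing_profile_permission
    ON guacamole_sharing_profile_permission.sharing_profile_id
     = guacamole_sharing_profile.sharing_profile_id
 WHERE primary_connection_id = ?
   AND user_id = ?
   AND permission = 'READ'
"""
AMBIGUOUS = "SELECT sharing_profile_id" + JOIN
QUALIFIED = ("SELECT guacamole_sharing_profile.sharing_profile_id"
             + JOIN + " ORDER BY 1")

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def prepare_error(db, query):
    """Return the database's error text if the query is rejected, else None."""
    try:
        db.execute("EXPLAIN " + query, (0, 0))
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

def readable_profiles(db, query, connection_id, user_id):
    """IDs of sharing profiles on a connection that this user may read."""
    return [row[0] for row in db.execute(query, (connection_id, user_id))]
```

The unqualified form is rejected before any row is read, so every caller of the permission-restricted query fails regardless of what they are allowed to see.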