On Wed, Dec 27, 2017 at 4:03 AM, feifei0814a <870487...@qq.com> wrote:

> I installed guacamole in my vm-computer whose system is Centos7 and I can
> log in and connect to appointed computers with mysql database. Now, I am
> using python flask framework to add users and connections through api auth.
> I can change any users' permission through the original API, it looks like
> http://192.168.20.137:8080/guacamole/api/session/data/mysql/users/seu_test/permissions/?token=283B83044A770DE379D25780674B99225801C2DC5A03DCF358E349DCF5738E8E
> So, any person who knows the api can change his permission, and it is very
> dangerous to my python web program.
No, this is incorrect. Users cannot change their own permissions unless
they actually have permission to do so. Guacamole enforces all permissions,
including permissions which dictate whether a particular user account can
be modified by the current user. As long as you don't grant your users
admin permissions, they will not have admin permissions.

See:

http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-schema-permissions

- Mike
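The point Mike makes can be verified against your own deployment rather than taken on trust. The following script is an added example, not code from the thread or from the Guacamole project: it logs in as a deliberately low-privilege test account and then tries to add the ADMINISTER system permission to that same account through the per-user permissions endpoint whose path pattern appears in the quoted message (trailing slash dropped). A correctly enforcing server answers 403; any 2xx answer means enforcement is broken in that deployment and must be investigated. Assumptions: the `POST /api/tokens` login endpoint returning `authToken`, the JSON-patch body shape (`op`/`path`/`value`) that the Guacamole web client sends, and the constructed host, data source, user name and placeholder password.

```python
"""Check that an Apache Guacamole deployment rejects self-granted admin rights.

Added example (not from the mailing-list thread or the Guacamole project).
Run it with a test account that holds no ADMINISTER or user-update permission.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed values for illustration; point these at your own test deployment.
BASE_URL = "http://192.168.20.137:8080/guacamole"
DATA_SOURCE = "mysql"
TEST_USER = "seu_test"                  # must NOT hold ADMINISTER permission
TEST_PASSWORD = "placeholder-password"  # placeholder, not a real credential


def build_self_admin_patch() -> list:
    """JSON-patch body that would grant the ADMINISTER system permission
    (assumed shape, matching what the Guacamole web client sends)."""
    return [{"op": "add", "path": "/systemPermissions", "value": "ADMINISTER"}]


def permissions_url(base: str, data_source: str, username: str, token: str) -> str:
    """Per-user permissions resource, following the path pattern in the thread."""
    return (f"{base}/api/session/data/{data_source}/users/"
            f"{urllib.parse.quote(username)}/permissions"
            f"?token={urllib.parse.quote(token)}")


def interpret_status(status: int) -> str:
    """Map the PATCH response code to a verdict for the operator."""
    if 200 <= status < 300:
        return "ESCALATION_ALLOWED"   # server accepted the change: broken enforcement
    if status == 403:
        return "ENFORCED"             # expected: permission denied
    if status == 401:
        return "NOT_AUTHENTICATED"    # token missing or expired; test inconclusive
    return "UNEXPECTED"


def get_token(base: str, username: str, password: str) -> str:
    """POST form-encoded credentials to /api/tokens; returns the session token."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    with urllib.request.urlopen(f"{base}/api/tokens", data=data, timeout=10) as resp:
        return json.load(resp)["authToken"]


def try_self_escalation(base: str, data_source: str, username: str, token: str) -> int:
    """PATCH the account's own permissions; returns the HTTP status code."""
    body = json.dumps(build_self_admin_patch()).encode()
    req = urllib.request.Request(
        permissions_url(base, data_source, username, token),
        data=body, method="PATCH",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    token = get_token(BASE_URL, TEST_USER, TEST_PASSWORD)
    status = try_self_escalation(BASE_URL, DATA_SOURCE, TEST_USER, token)
    print(f"PATCH permissions -> HTTP {status}: {interpret_status(status)}")
```

Because the token is a bearer credential, the same check is also a reminder to keep it out of URLs in logs and proxies where possible; Guacamole additionally accepts it in the `Guacamole-Token` request header.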