tkuhlengel commented on code in PR #1170:
URL: https://github.com/apache/guacamole-client/pull/1170#discussion_r3119013898
##########
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledAuthenticatedUser.java:
##########
@@ -170,11 +169,21 @@ public String getIdentifier() {
public void setIdentifier(String identifier) {
user.setIdentifier(identifier);
}
-
+
+
+ /**
+ * Expands a user's groups through the parents in database group hierarchy
+ * so that parent groups of external groups (e.g. SAML/SSO group claims)
+ * are included. This also covers the user's own direct
+ * DB memberships (via entity_id) and skeleton users with null entity_id.
+ *
+ * @return
+ * The set of effective groups for this user, whether inherited or
+ * direct.
+ */
@Override
public Set<String> getEffectiveUserGroups() {
- return Sets.union(user.getEffectiveUserGroups(),
- super.getEffectiveUserGroups());
+ return user.expandEffectiveGroups(super.getEffectiveUserGroups());
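Review bot: In `getEffectiveUserGroups()`, the new return statement no longer unions in `user.getEffectiveUserGroups()`, yet the added Javadoc says the result still covers the user's own direct DB memberships and skeleton users with a null entity_id. That guarantee now rests entirely on `user.expandEffectiveGroups()`, whose behaviour is not visible in this hunk. Suggest documenting on that method that the groups passed in are always retained in the result and that a null entity_id returns at least the input set, because parent groups are now added on the strength of external (e.g. SAML/SSO) group claims. The two consecutive blank `+` lines before the comment could also be reduced to one.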
Review Comment:
I think `ModeledAuthenticatedUser` doesn't have access to `entityService`.
It's injected in `ModeledPermissions`, which `ModeledUser` inherits from. The
thin `expandEffectiveGroups()` wrapper keeps the service access encapsulated
without changing any permissions or inheritance.
To call `entityService` directly here I'd need to either inject it into
`ModeledAuthenticatedUser` or add a getter method on `ModeledUser`.
I can try to go that route if you want. The wrapper
`user.expandEffectiveGroups()` seemed like the most compact option.