Resolve KASM-2238 "Feature/ freeze session"

common/rfb/SConnection.cxx

@@ -216,7 +216,7 @@ void SConnection::processSecurityMsg()
     bool done = ssecurity->processMsg(this);
     if (done) {
       state_ = RFBSTATE_QUERYING;
-      setAccessRights(ssecurity->getAccessRights());
+      //setAccessRights(ssecurity->getAccessRights());
       queryConnection(ssecurity->getUserName());
     }
   } catch (AuthFailureException& e) {

common/rfb/SConnection.h

@@ -144,7 +144,6 @@ namespace rfb {
     static const AccessRights AccessDefault;        // The default rights, INCLUDING FUTURE ONES
     static const AccessRights AccessNoQuery;        // Connect without local user accepting
     static const AccessRights AccessFull;           // All of the available AND FUTURE rights
-    virtual void setAccessRights(AccessRights ar) = 0;
 
     // Other methods
 

common/rfb/VNCSConnectionST.cxx

@@ -87,10 +87,16 @@ VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s,
     user[at - peerEndpoint.buf] = '\0';
   }
 
-  bool write, owner;
-  if (!getPerms(write, owner) || !write) {
+  bool read, write, owner;
+  if (!getPerms(read, write, owner)) {
+    accessRights &= ~(WRITER_PERMS | AccessView);
+  }
+  if (!write) {
     accessRights &= ~WRITER_PERMS;
   }
+  if (!read) {
+    accessRights &= ~AccessView;
+  }
 
   // Configure the socket
   setSocketTimeouts();
@@ -707,7 +713,13 @@ void VNCSConnectionST::pointerEvent(const Point& pos, int buttonMask, const bool
 {
   pointerEventTime = lastEventTime = time(0);
   server->lastUserInputTime = lastEventTime;
-  if (!(accessRights & AccessPtrEvents)) return;
+  if (!(accessRights & AccessPtrEvents)) {
+    // This particular event is lost, but it's a corner case - you removed write access
+    // from yourself, then added it back. The intended use is for multiple clients,
+    // where the leader removes and adds back access for others, not himself.
+    recheckPerms();
+    return;
+  }
   if (!rfb::Server::acceptPointerEvents) return;
   if (!server->pointerClient || server->pointerClient == this) {
     pointerEventPos = pos;
@@ -1105,11 +1117,12 @@ bool VNCSConnectionST::isShiftPressed()
   return false;
 }
 
-bool VNCSConnectionST::getPerms(bool &write, bool &owner) const
+bool VNCSConnectionST::getPerms(bool &read, bool &write, bool &owner) const
 {
   bool found = false;
   if (disablebasicauth) {
     // We're running without basicauth
+    read = true;
     write = true;
     return true;
   }
@@ -1118,8 +1131,14 @@ bool VNCSConnectionST::getPerms(bool &write, bool &owner) const
     unsigned i;
     for (i = 0; i < set->num; i++) {
       if (!strcmp(set->entries[i].user, user)) {
+        read = set->entries[i].read;
         write = set->entries[i].write;
         owner = set->entries[i].owner;
+
+        // Writer can always read
+        if (write)
+          read = true;
+
         found = true;
         break;
       }
@@ -1217,18 +1236,29 @@ void VNCSConnectionST::writeFramebufferUpdate()
   if (needsPermCheck) {
     needsPermCheck = false;
 
-    bool write, owner, ret;
-    ret = getPerms(write, owner);
+    bool read, write, owner, ret;
+    ret = getPerms(read, write, owner);
     if (!ret) {
       close("User was deleted");
       return;
-    } else if (!write) {
+    }
+
+    if (!write) {
       accessRights &= ~WRITER_PERMS;
     } else {
       accessRights |= WRITER_PERMS;
     }
+
+    if (!read) {
+      accessRights &= ~AccessView;
+    } else {
+      accessRights |= AccessView;
+    }
   }
 
+  if (!(accessRights & AccessView))
+    return;
+
   // Updates often consists of many small writes, and in continuous
   // mode, we will also have small fence messages around the update. We
   // need to aggregate these in order to not clog up TCP's congestion
@@ -1659,8 +1689,8 @@ bool VNCSConnectionST::checkOwnerConn() const
   std::list<VNCSConnectionST*>::const_iterator it;
 
   for (it = server->clients.begin(); it != server->clients.end(); it++) {
-    bool write, owner;
-    if ((*it)->getPerms(write, owner) && owner)
+    bool read, write, owner;
+    if ((*it)->getPerms(read, write, owner) && owner)
       return true;
   }
 

common/rfb/VNCSConnectionST.h

@@ -171,8 +171,8 @@ namespace rfb {
     virtual void handleFrameStats(rdr::U32 all, rdr::U32 render);
 
     bool is_owner() const {
-      bool write, owner;
-      if (getPerms(write, owner) && owner)
+      bool read, write, owner;
+      if (getPerms(read, write, owner) && owner)
         return true;
       return false;
     }
@@ -227,19 +227,6 @@ namespace rfb {
                (AccessPtrEvents | AccessKeyEvents);
     }
 
-    // setAccessRights() allows a security package to limit the access rights
-    // of a VNCSConnectioST to the server.  These access rights are applied
-    // such that the actual rights granted are the minimum of the server's
-    // default access settings and the connection's access settings.
-    virtual void setAccessRights(AccessRights ar) {
-        accessRights = ar;
-
-        bool write, owner;
-        if (!getPerms(write, owner) || !write)
-            accessRights &= ~WRITER_PERMS;
-        needsPermCheck = false;
-    }
-
     // Timer callbacks
     virtual bool handleTimeout(Timer* t);
 
@@ -247,7 +234,7 @@ namespace rfb {
 
     bool isShiftPressed();
 
-    bool getPerms(bool &write, bool &owner) const;
+    bool getPerms(bool &read, bool &write, bool &owner) const;
 
     bool checkOwnerConn() const;
 

common/rfb/VNCServerST.cxx

@@ -807,6 +807,9 @@ static void checkAPIMessages(network::GetAPIMessager *apimessager,
     const network::GetAPIMessager::action_data &act = apimessager->actionQueue[i];
 
     switch (act.action) {
+      case network::GetAPIMessager::NONE:
+        slog.info("Empty request (bug!)");
+      break;
       case network::GetAPIMessager::WANT_FRAME_STATS_SERVERONLY:
         trackingFrameStats = act.action;
       break;