From 285478f1b25cc920dc3be25004aae7bc0bef4db6 Mon Sep 17 00:00:00 2001 From: Stephen Birarda Date: Tue, 26 Jul 2016 10:23:09 -0700 Subject: [PATCH] don't repack the same permissions after kick --- .../src/DomainServerSettingsManager.cpp | 36 +++++++++++++++---- 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/domain-server/src/DomainServerSettingsManager.cpp b/domain-server/src/DomainServerSettingsManager.cpp index 639098fdef..e85eebd309 100644 --- a/domain-server/src/DomainServerSettingsManager.cpp +++ b/domain-server/src/DomainServerSettingsManager.cpp @@ -633,9 +633,14 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointergetPermissions().getVerifiedUserName(); + bool hadExistingPermissions = false; + if (!verifiedUsername.isEmpty()) { // if we have a verified user name for this user, we apply the kick to the username + // check if there were already permissions + hadExistingPermissions = havePermissionsForName(verifiedUsername); + // grab or create permissions for the given username destinationPermissions = _agentPermissions[matchingNode->getPermissions().getKey()]; } else { 
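Review bot: The new existence check and the entry that is then fetched are keyed differently: `hadExistingPermissions` comes from `havePermissionsForName(verifiedUsername)`, while `destinationPermissions` is taken from `_agentPermissions[matchingNode->getPermissions().getKey()]`. Neither helper is visible here, so the two may always agree. If the node's permissions key can differ from the verified username, the `can(...)` test in the second hunk would run against a "grab or create" entry that was just created while `hadExistingPermissions` is true, and the kick would presumably take the no-change branch without storing anything. I would test existence on the same key that is fetched, or state the invariant above the lookup, e.g. `// the node's permissions key is the verified username here, so this is the entry havePermissionsForName() just checked`. The function body starts and ends outside this hunk.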
@@ -645,18 +650,37 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointergetActiveSocket()->getAddress() : matchingNode->getPublicSocket().getAddress(); - // grab or create permissions for the given IP address NodePermissionsKey ipAddressKey(kickAddress.toString(), QUuid()); + + // check if there were already permissions for the IP + hadExistingPermissions = hasPermissionsForIP(kickAddress); + + // grab or create permissions for the given IP address destinationPermissions = _ipPermissions[ipAddressKey]; } - // ensure that the connect permission is clear - destinationPermissions->clear(NodePermissions::Permission::canConnectToDomain); + // make sure we didn't already have existing permissions that disallowed connect + if (!hadExistingPermissions + || destinationPermissions->can(NodePermissions::Permission::canConnectToDomain)) { - // we've changed permissions, time to store them to disk and emit our signal to say they have changed - packPermissions(); + qDebug() << "Removing connect permission for node" << uuidStringWithoutCurlyBraces(matchingNode->getUUID()) + << "after kick request"; - emit updateNodePermissions(); + // ensure that the connect permission is clear + destinationPermissions->clear(NodePermissions::Permission::canConnectToDomain); + + // we've changed permissions, time to store them to disk and emit our signal to say they have changed + packPermissions(); + + emit updateNodePermissions(); + } else { + qWarning() << "Received kick request for node" << uuidStringWithoutCurlyBraces(matchingNode->getUUID()) + << "that already did not have permission to connect"; + + // in this case, though we don't expect the node to be connected to the domain, it is + // emit updateNodePermissions so that the DomainGatekeeper kicks it out + emit updateNodePermissions(); + } } else { qWarning() << "Node kick request received for unknown node. Refusing to process.";
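Review bot: The `qDebug()` line added before `clear(...)` records only the kicked node's UUID, but the change that `packPermissions()` stores to disk is keyed on a verified username or an IP address, so the log does not say which stored entry lost `canConnectToDomain`. An operator reviewing a lockout later needs that key; I would log it in each branch where it is in scope, e.g. in the IP branch `qDebug() << "Kick of node applies to IP" << kickAddress.toString();`, and the verified username in the other. Recording the requesting node alongside would help too, if it is available in this function (the signature is outside the hunk). Since `qDebug()` output can be compiled out or filtered, consider whether a permission change belongs at a level that is always kept.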