aboutsummaryrefslogtreecommitdiff
path: root/src/org/traccar/api/resource
diff options
context:
space:
mode:
authorAnton Tananaev <anton.tananaev@gmail.com>2016-11-23 02:28:11 +1300
committerAnton Tananaev <anton.tananaev@gmail.com>2016-11-23 10:29:03 +1300
commit18305737a6dac8fb45037f193736b0261f92ab9d (patch)
treeef51f18af2af991f05b639a2d41a164c9a04a50d /src/org/traccar/api/resource
parentcd121c173f7c3ef0a815583eccec1232968894b9 (diff)
downloadtraccar-server-18305737a6dac8fb45037f193736b0261f92ab9d.tar.gz
traccar-server-18305737a6dac8fb45037f193736b0261f92ab9d.tar.bz2
traccar-server-18305737a6dac8fb45037f193736b0261f92ab9d.zip
New user security check (fix #2589)
Diffstat (limited to 'src/org/traccar/api/resource')
-rw-r--r--src/org/traccar/api/resource/SessionResource.java2
-rw-r--r--src/org/traccar/api/resource/UserResource.java17
2 files changed, 5 insertions, 14 deletions
diff --git a/src/org/traccar/api/resource/SessionResource.java b/src/org/traccar/api/resource/SessionResource.java
index 996865c4b..5f1c597d1 100644
--- a/src/org/traccar/api/resource/SessionResource.java
+++ b/src/org/traccar/api/resource/SessionResource.java
@@ -80,7 +80,7 @@ public class SessionResource extends BaseResource {
}
if (userId != null) {
- Context.getPermissionsManager().checkUser(userId);
+ Context.getPermissionsManager().checkUserEnabled(userId);
return Context.getPermissionsManager().getUser(userId);
} else {
throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build());
diff --git a/src/org/traccar/api/resource/UserResource.java b/src/org/traccar/api/resource/UserResource.java
index a9edced25..ddbca6b0f 100644
--- a/src/org/traccar/api/resource/UserResource.java
+++ b/src/org/traccar/api/resource/UserResource.java
@@ -49,6 +49,7 @@ public class UserResource extends BaseResource {
public Response add(User entity) throws SQLException {
if (!Context.getPermissionsManager().isAdmin(getUserId())) {
Context.getPermissionsManager().checkRegistration(getUserId());
+ Context.getPermissionsManager().checkUserUpdate(getUserId(), new User(), entity);
}
Context.getPermissionsManager().addUser(entity);
if (Context.getNotificationManager() != null) {
@@ -60,19 +61,9 @@ public class UserResource extends BaseResource {
@Path("{id}")
@PUT
public Response update(User entity) throws SQLException {
- User old = Context.getPermissionsManager().getUser(entity.getId());
- if (old.getExpirationTime() == null && entity.getExpirationTime() != null
- || old.getExpirationTime() != null && !old.getExpirationTime().equals(entity.getExpirationTime())
- || old.getAdmin() != entity.getAdmin()
- || old.getReadonly() != entity.getReadonly()
- || old.getDisabled() != entity.getDisabled()
- || old.getDeviceLimit() != entity.getDeviceLimit()
- || old.getToken() == null && entity.getToken() != null
- || old.getToken() != null && !old.getToken().equals(entity.getToken())) {
- Context.getPermissionsManager().checkAdmin(getUserId());
- } else {
- Context.getPermissionsManager().checkUser(getUserId(), entity.getId());
- }
+ User before = Context.getPermissionsManager().getUser(entity.getId());
+ Context.getPermissionsManager().checkUser(getUserId(), entity.getId());
+ Context.getPermissionsManager().checkUserUpdate(getUserId(), before, entity);
Context.getPermissionsManager().updateUser(entity);
if (Context.getNotificationManager() != null) {
Context.getNotificationManager().refresh();