aboutsummaryrefslogtreecommitdiff
path: root/src/org/traccar/api
diff options
context:
space:
mode:
authorAnton Tananaev <anton.tananaev@gmail.com>2018-10-12 14:55:58 +1300
committerAnton Tananaev <anton.tananaev@gmail.com>2018-10-12 14:57:47 +1300
commita1397ca05d9000b914b249b78997f7f3ebb14319 (patch)
tree0443717576d18d5ed262ef6fea8f5ed96760f037 /src/org/traccar/api
parent21d3d6aaa42557e0d6279165f89e6fabe53235c6 (diff)
downloadtraccar-server-a1397ca05d9000b914b249b78997f7f3ebb14319.tar.gz
traccar-server-a1397ca05d9000b914b249b78997f7f3ebb14319.tar.bz2
traccar-server-a1397ca05d9000b914b249b78997f7f3ebb14319.zip
Restrict access to computed attributes (AC-2018-10-8-1)
Diffstat (limited to 'src/org/traccar/api')
-rw-r--r--src/org/traccar/api/resource/AttributeResource.java29
1 files changed, 26 insertions, 3 deletions
diff --git a/src/org/traccar/api/resource/AttributeResource.java b/src/org/traccar/api/resource/AttributeResource.java
index 8f0bac473..d10ca4a72 100644
--- a/src/org/traccar/api/resource/AttributeResource.java
+++ b/src/org/traccar/api/resource/AttributeResource.java
@@ -1,6 +1,6 @@
/*
- * Copyright 2017 Anton Tananaev (anton@traccar.org)
- * Copyright 2017 Andrey Kunitsyn (andrey@traccar.org)
+ * Copyright 2017 - 2018 Anton Tananaev (anton@traccar.org)
+ * Copyright 2017 - 2018 Andrey Kunitsyn (andrey@traccar.org)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -19,8 +19,11 @@ package org.traccar.api.resource;
import java.sql.SQLException;
import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
@@ -44,7 +47,7 @@ public class AttributeResource extends ExtendedObjectResource<Attribute> {
@POST
@Path("test")
public Response test(@QueryParam("deviceId") long deviceId, Attribute entity) throws SQLException {
- Context.getPermissionsManager().checkReadonly(getUserId());
+ Context.getPermissionsManager().checkAdmin(getUserId());
Context.getPermissionsManager().checkDevice(getUserId(), deviceId);
Position last = Context.getIdentityManager().getLastPosition(deviceId);
if (last != null) {
@@ -68,4 +71,24 @@ public class AttributeResource extends ExtendedObjectResource<Attribute> {
}
}
+ @POST
+ public Response add(Attribute entity) throws SQLException {
+ Context.getPermissionsManager().checkAdmin(getUserId());
+ return super.add(entity);
+ }
+
+ @Path("{id}")
+ @PUT
+ public Response update(Attribute entity) throws SQLException {
+ Context.getPermissionsManager().checkAdmin(getUserId());
+ return super.update(entity);
+ }
+
+ @Path("{id}")
+ @DELETE
+ public Response remove(@PathParam("id") long id) throws SQLException {
+ Context.getPermissionsManager().checkAdmin(getUserId());
+ return super.remove(id);
+ }
+
}