diff options
author | Anton Tananaev <anton.tananaev@gmail.com> | 2016-11-23 02:28:11 +1300 |
---|---|---|
committer | Anton Tananaev <anton.tananaev@gmail.com> | 2016-11-23 10:29:03 +1300 |
commit | 18305737a6dac8fb45037f193736b0261f92ab9d (patch) | |
tree | ef51f18af2af991f05b639a2d41a164c9a04a50d /src/org/traccar/database | |
parent | cd121c173f7c3ef0a815583eccec1232968894b9 (diff) | |
download | traccar-server-18305737a6dac8fb45037f193736b0261f92ab9d.tar.gz traccar-server-18305737a6dac8fb45037f193736b0261f92ab9d.tar.bz2 traccar-server-18305737a6dac8fb45037f193736b0261f92ab9d.zip |
New user security check (fix #2589)
Diffstat (limited to 'src/org/traccar/database')
-rw-r--r-- | src/org/traccar/database/PermissionsManager.java | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java index 71633f6ef..078a5f935 100644 --- a/src/org/traccar/database/PermissionsManager.java +++ b/src/org/traccar/database/PermissionsManager.java @@ -29,6 +29,7 @@ import java.util.Collection; import java.util.HashMap; import java.util.HashSet; import java.util.Map; +import java.util.Objects; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; @@ -155,7 +156,7 @@ public class PermissionsManager { } } - public void checkUser(long userId) throws SecurityException { + public void checkUserEnabled(long userId) throws SecurityException { User user = getUser(userId); if (user.getDisabled()) { throw new SecurityException("Account is disabled"); @@ -165,6 +166,17 @@ public class PermissionsManager { } } + public void checkUserUpdate(long userId, User before, User after) throws SecurityException { + if (before.getAdmin() != after.getAdmin() + || before.getReadonly() != after.getReadonly() + || before.getDisabled() != after.getDisabled() + || before.getDeviceLimit() != after.getDeviceLimit() + || !Objects.equals(before.getExpirationTime(), after.getExpirationTime()) + || !Objects.equals(before.getToken(), after.getToken())) { + checkAdmin(userId); + } + } + public void checkUser(long userId, long otherUserId) throws SecurityException { if (userId != otherUserId) { checkAdmin(userId); @@ -244,7 +256,7 @@ public class PermissionsManager { public User login(String email, String password) throws SQLException { User user = dataManager.login(email, password); if (user != null) { - checkUser(user.getId()); + checkUserEnabled(user.getId()); return users.get(user.getId()); } return null; |