aboutsummaryrefslogtreecommitdiff
path: root/src/org/traccar/database
diff options
context:
space:
mode:
authorAnton Tananaev <anton.tananaev@gmail.com>2016-11-23 02:28:11 +1300
committerAnton Tananaev <anton.tananaev@gmail.com>2016-11-23 10:29:03 +1300
commit18305737a6dac8fb45037f193736b0261f92ab9d (patch)
treeef51f18af2af991f05b639a2d41a164c9a04a50d /src/org/traccar/database
parentcd121c173f7c3ef0a815583eccec1232968894b9 (diff)
downloadtraccar-server-18305737a6dac8fb45037f193736b0261f92ab9d.tar.gz
traccar-server-18305737a6dac8fb45037f193736b0261f92ab9d.tar.bz2
traccar-server-18305737a6dac8fb45037f193736b0261f92ab9d.zip
New user security check (fix #2589)
Diffstat (limited to 'src/org/traccar/database')
-rw-r--r--src/org/traccar/database/PermissionsManager.java16
1 files changed, 14 insertions, 2 deletions
diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java
index 71633f6ef..078a5f935 100644
--- a/src/org/traccar/database/PermissionsManager.java
+++ b/src/org/traccar/database/PermissionsManager.java
@@ -29,6 +29,7 @@ import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
+import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
@@ -155,7 +156,7 @@ public class PermissionsManager {
}
}
- public void checkUser(long userId) throws SecurityException {
+ public void checkUserEnabled(long userId) throws SecurityException {
User user = getUser(userId);
if (user.getDisabled()) {
throw new SecurityException("Account is disabled");
@@ -165,6 +166,17 @@ public class PermissionsManager {
}
}
+ public void checkUserUpdate(long userId, User before, User after) throws SecurityException {
+ if (before.getAdmin() != after.getAdmin()
+ || before.getReadonly() != after.getReadonly()
+ || before.getDisabled() != after.getDisabled()
+ || before.getDeviceLimit() != after.getDeviceLimit()
+ || !Objects.equals(before.getExpirationTime(), after.getExpirationTime())
+ || !Objects.equals(before.getToken(), after.getToken())) {
+ checkAdmin(userId);
+ }
+ }
+
public void checkUser(long userId, long otherUserId) throws SecurityException {
if (userId != otherUserId) {
checkAdmin(userId);
@@ -244,7 +256,7 @@ public class PermissionsManager {
public User login(String email, String password) throws SQLException {
User user = dataManager.login(email, password);
if (user != null) {
- checkUser(user.getId());
+ checkUserEnabled(user.getId());
return users.get(user.getId());
}
return null;