New user security check (fix #2589)

4 files changed, 20 insertions, 17 deletions

diff --git a/src/org/traccar/api/SecurityRequestFilter.java b/src/org/traccar/api/SecurityRequestFilter.java
index 3f2390754..ca3ebf04d 100644
--- a/src/org/traccar/api/SecurityRequestFilter.java
+++ b/src/org/traccar/api/SecurityRequestFilter.java
@@ -83,7 +83,7 @@ public class SecurityRequestFilter implements ContainerRequestFilter {
 
                 Long userId = (Long) request.getSession().getAttribute(SessionResource.USER_ID_KEY);
                 if (userId != null) {
-                    Context.getPermissionsManager().checkUser(userId);
+                    Context.getPermissionsManager().checkUserEnabled(userId);
                     Context.getStatisticsManager().registerRequest(userId);
                     securityContext = new UserSecurityContext(new UserPrincipal(userId));
                 }
diff --git a/src/org/traccar/api/resource/SessionResource.java b/src/org/traccar/api/resource/SessionResource.java
index 996865c4b..5f1c597d1 100644
--- a/src/org/traccar/api/resource/SessionResource.java
+++ b/src/org/traccar/api/resource/SessionResource.java
@@ -80,7 +80,7 @@ public class SessionResource extends BaseResource {
         }
 
         if (userId != null) {
-            Context.getPermissionsManager().checkUser(userId);
+            Context.getPermissionsManager().checkUserEnabled(userId);
             return Context.getPermissionsManager().getUser(userId);
         } else {
             throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build());
diff --git a/src/org/traccar/api/resource/UserResource.java b/src/org/traccar/api/resource/UserResource.java
index a9edced25..ddbca6b0f 100644
--- a/src/org/traccar/api/resource/UserResource.java
+++ b/src/org/traccar/api/resource/UserResource.java
@@ -49,6 +49,7 @@ public class UserResource extends BaseResource {
     public Response add(User entity) throws SQLException {
         if (!Context.getPermissionsManager().isAdmin(getUserId())) {
             Context.getPermissionsManager().checkRegistration(getUserId());
+            Context.getPermissionsManager().checkUserUpdate(getUserId(), new User(), entity);
         }
         Context.getPermissionsManager().addUser(entity);
         if (Context.getNotificationManager() != null) {
@@ -60,19 +61,9 @@ public class UserResource extends BaseResource {
     @Path("{id}")
     @PUT
     public Response update(User entity) throws SQLException {
-        User old = Context.getPermissionsManager().getUser(entity.getId());
-        if (old.getExpirationTime() == null && entity.getExpirationTime() != null
-                || old.getExpirationTime() != null && !old.getExpirationTime().equals(entity.getExpirationTime())
-                || old.getAdmin() != entity.getAdmin()
-                || old.getReadonly() != entity.getReadonly()
-                || old.getDisabled() != entity.getDisabled()
-                || old.getDeviceLimit() != entity.getDeviceLimit()
-                || old.getToken() == null && entity.getToken() != null
-                || old.getToken() != null && !old.getToken().equals(entity.getToken())) {
-            Context.getPermissionsManager().checkAdmin(getUserId());
-        } else {
-            Context.getPermissionsManager().checkUser(getUserId(), entity.getId());
-        }
+        User before = Context.getPermissionsManager().getUser(entity.getId());
+        Context.getPermissionsManager().checkUser(getUserId(), entity.getId());
+        Context.getPermissionsManager().checkUserUpdate(getUserId(), before, entity);
         Context.getPermissionsManager().updateUser(entity);
         if (Context.getNotificationManager() != null) {
             Context.getNotificationManager().refresh();
diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java
index 71633f6ef..078a5f935 100644
--- a/src/org/traccar/database/PermissionsManager.java
+++ b/src/org/traccar/database/PermissionsManager.java
@@ -29,6 +29,7 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 
@@ -155,7 +156,7 @@ public class PermissionsManager {
         }
     }
 
-    public void checkUser(long userId) throws SecurityException {
+    public void checkUserEnabled(long userId) throws SecurityException {
         User user = getUser(userId);
         if (user.getDisabled()) {
             throw new SecurityException("Account is disabled");
@@ -165,6 +166,17 @@ public class PermissionsManager {
         }
     }
 
+    public void checkUserUpdate(long userId, User before, User after) throws SecurityException {
+        if (before.getAdmin() != after.getAdmin()
+                || before.getReadonly() != after.getReadonly()
+                || before.getDisabled() != after.getDisabled()
+                || before.getDeviceLimit() != after.getDeviceLimit()
+                || !Objects.equals(before.getExpirationTime(), after.getExpirationTime())
+                || !Objects.equals(before.getToken(), after.getToken())) {
+            checkAdmin(userId);
+        }
+    }
+
     public void checkUser(long userId, long otherUserId) throws SecurityException {
         if (userId != otherUserId) {
             checkAdmin(userId);
@@ -244,7 +256,7 @@ public class PermissionsManager {
     public User login(String email, String password) throws SQLException {
         User user = dataManager.login(email, password);
         if (user != null) {
-            checkUser(user.getId());
+            checkUserEnabled(user.getId());
             return users.get(user.getId());
         }
         return null;