aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAnton Tananaev <anton.tananaev@gmail.com>2015-06-13 17:36:31 +1200
committerAnton Tananaev <anton.tananaev@gmail.com>2015-06-13 17:36:31 +1200
commitfc75fe4ab4f8ea9de58c41772fdd92c10c73f2bc (patch)
tree9418ef08d1b5d8858922b90e4c0b9e2f1747b2ee /src
parentbd4c32abced2bb654b64a2042668340167d6b191 (diff)
downloadtraccar-server-fc75fe4ab4f8ea9de58c41772fdd92c10c73f2bc.tar.gz
traccar-server-fc75fe4ab4f8ea9de58c41772fdd92c10c73f2bc.tar.bz2
traccar-server-fc75fe4ab4f8ea9de58c41772fdd92c10c73f2bc.zip
Fix API access permissions
Diffstat (limited to 'src')
-rw-r--r--src/org/traccar/database/DataManager.java7
-rw-r--r--src/org/traccar/database/PermissionsManager.java27
-rw-r--r--src/org/traccar/http/BaseServlet.java13
-rw-r--r--src/org/traccar/http/DeviceServlet.java14
-rw-r--r--src/org/traccar/http/PositionServlet.java8
-rw-r--r--src/org/traccar/http/ServerServlet.java5
-rw-r--r--src/org/traccar/http/UserServlet.java12
7 files changed, 58 insertions, 28 deletions
diff --git a/src/org/traccar/database/DataManager.java b/src/org/traccar/database/DataManager.java
index dd611d975..bab785a96 100644
--- a/src/org/traccar/database/DataManager.java
+++ b/src/org/traccar/database/DataManager.java
@@ -50,7 +50,7 @@ public class DataManager {
private final Properties properties;
private DataSource dataSource;
-
+
private final Map<String, Device> devices = new HashMap<String, Device>();
private long devicesLastUpdate;
private long devicesRefreshDelay;
@@ -231,6 +231,7 @@ public class DataManager {
user.setId(QueryBuilder.create(dataSource, properties.getProperty("database.insertUser"))
.setObject(user)
.executeUpdate());
+ Context.getPermissionsManager().refresh();
}
public void updateUser(User user) throws SQLException {
@@ -243,12 +244,15 @@ public class DataManager {
.setObject(user)
.executeUpdate();
}
+
+ Context.getPermissionsManager().refresh();
}
public void removeUser(User user) throws SQLException {
QueryBuilder.create(dataSource, properties.getProperty("database.deleteUser"))
.setObject(user)
.executeUpdate();
+ Context.getPermissionsManager().refresh();
}
public Collection<Permission> getPermissions() throws SQLException {
@@ -290,6 +294,7 @@ public class DataManager {
.setLong("userId", userId)
.setLong("deviceId", deviceId)
.executeUpdate();
+ Context.getPermissionsManager().refresh();
}
public Collection<Position> getPositions(long userId, long deviceId, Date from, Date to) throws SQLException {
diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java
index e889afb06..f34fecb08 100644
--- a/src/org/traccar/database/PermissionsManager.java
+++ b/src/org/traccar/database/PermissionsManager.java
@@ -24,9 +24,12 @@ import java.util.Set;
import org.traccar.Context;
import org.traccar.helper.Log;
import org.traccar.model.Permission;
+import org.traccar.model.User;
public class PermissionsManager {
+ private final Map<Long, User> users = new HashMap<Long, User>();
+
private final Map<Long, Set<Long>> permissions = new HashMap<Long, Set<Long>>();
private Set<Long> getNotNull(long userId) {
@@ -41,8 +44,12 @@ public class PermissionsManager {
}
public final void refresh() {
+ users.clear();
permissions.clear();
try {
+ for (User user : Context.getDataManager().getUsers()) {
+ users.put(user.getId(), user);
+ }
for (Permission permission : Context.getDataManager().getPermissions()) {
getNotNull(permission.getUserId()).add(permission.getDeviceId());
}
@@ -51,19 +58,25 @@ public class PermissionsManager {
}
}
+ public void checkAdmin(long userId) throws SecurityException {
+ if (!users.containsKey(userId) || !users.get(userId).getAdmin()) {
+ throw new SecurityException("Admin access required");
+ }
+ }
+
+ public void checkUser(long userId, long otherUserId) throws SecurityException {
+ if (userId != otherUserId) {
+ checkAdmin(userId);
+ }
+ }
+
public Collection<Long> allowedDevices(long userId) {
return getNotNull(userId);
}
public void checkDevice(long userId, long deviceId) throws SecurityException {
if (getNotNull(userId).contains(deviceId)) {
- throw new SecurityException();
- }
- }
-
- public void checkDevices(long userId, Collection<Long> devices) throws SecurityException {
- if (getNotNull(userId).containsAll(devices)) {
- throw new SecurityException();
+ throw new SecurityException("Device access denied");
}
}
diff --git a/src/org/traccar/http/BaseServlet.java b/src/org/traccar/http/BaseServlet.java
index be4b41631..9dba2e647 100644
--- a/src/org/traccar/http/BaseServlet.java
+++ b/src/org/traccar/http/BaseServlet.java
@@ -25,7 +25,6 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
import org.traccar.model.User;
public abstract class BaseServlet extends HttpServlet {
@@ -46,14 +45,20 @@ public abstract class BaseServlet extends HttpServlet {
protected abstract boolean handle(String command, HttpServletRequest req, HttpServletResponse resp) throws Exception;
- public long getUserId(HttpSession session) {
- User user = (User) session.getAttribute(USER_KEY);
+ public long getUserId(HttpServletRequest req) {
+ User user = (User) req.getSession().getAttribute(USER_KEY);
if (user == null) {
- throw new AccessControlException("User is not logged in");
+ throw new AccessControlException("User not logged in");
}
return user.getId();
}
+ public void securityCheck(boolean check) throws SecurityException {
+ if (!check) {
+ throw new SecurityException("Access denied");
+ }
+ }
+
public void sendResponse(Writer writer, boolean success) throws IOException {
JsonObjectBuilder result = Json.createObjectBuilder();
result.add("success", success);
diff --git a/src/org/traccar/http/DeviceServlet.java b/src/org/traccar/http/DeviceServlet.java
index 1387c2a13..1e8e1f047 100644
--- a/src/org/traccar/http/DeviceServlet.java
+++ b/src/org/traccar/http/DeviceServlet.java
@@ -40,25 +40,27 @@ public class DeviceServlet extends BaseServlet {
private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
- Context.getDataManager().getDevices(getUserId(req.getSession()))));
+ Context.getDataManager().getDevices(getUserId(req))));
}
private void add(HttpServletRequest req, HttpServletResponse resp) throws Exception {
Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
Context.getDataManager().addDevice(device);
- Context.getDataManager().linkDevice(getUserId(req.getSession()), device.getId());
+ Context.getDataManager().linkDevice(getUserId(req), device.getId());
sendResponse(resp.getWriter(), JsonConverter.objectToJson(device));
}
private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().updateDevice(JsonConverter.objectFromJson(
- req.getReader(), new Device()));
+ Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
+ Context.getPermissionsManager().checkDevice(getUserId(req), device.getId());
+ Context.getDataManager().updateDevice(device);
sendResponse(resp.getWriter(), true);
}
private void remove(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().removeDevice(JsonConverter.objectFromJson(
- req.getReader(), new Device()));
+ Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
+ Context.getPermissionsManager().checkDevice(getUserId(req), device.getId());
+ Context.getDataManager().removeDevice(device);
sendResponse(resp.getWriter(), true);
}
diff --git a/src/org/traccar/http/PositionServlet.java b/src/org/traccar/http/PositionServlet.java
index e6348ec54..57b411a79 100644
--- a/src/org/traccar/http/PositionServlet.java
+++ b/src/org/traccar/http/PositionServlet.java
@@ -15,10 +15,9 @@
*/
package org.traccar.http;
-import org.traccar.Context;
-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.traccar.Context;
public class PositionServlet extends BaseServlet {
@@ -31,10 +30,11 @@ public class PositionServlet extends BaseServlet {
}
private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ long deviceId = Long.valueOf(req.getParameter("deviceId"));
+ Context.getPermissionsManager().checkDevice(getUserId(req), deviceId);
sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
Context.getDataManager().getPositions(
- getUserId(req.getSession()),
- Long.valueOf(req.getParameter("deviceId")),
+ getUserId(req), deviceId,
JsonConverter.parseDate(req.getParameter("from")),
JsonConverter.parseDate(req.getParameter("to")))));
}
diff --git a/src/org/traccar/http/ServerServlet.java b/src/org/traccar/http/ServerServlet.java
index baac99084..d814769a8 100644
--- a/src/org/traccar/http/ServerServlet.java
+++ b/src/org/traccar/http/ServerServlet.java
@@ -40,8 +40,9 @@ public class ServerServlet extends BaseServlet {
}
private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().updateServer(JsonConverter.objectFromJson(
- req.getReader(), new Server()));
+ Server server = JsonConverter.objectFromJson(req.getReader(), new Server());
+ Context.getPermissionsManager().checkAdmin(getUserId(req));
+ Context.getDataManager().updateServer(server);
sendResponse(resp.getWriter(), true);
}
diff --git a/src/org/traccar/http/UserServlet.java b/src/org/traccar/http/UserServlet.java
index 597b54a5c..f388326b0 100644
--- a/src/org/traccar/http/UserServlet.java
+++ b/src/org/traccar/http/UserServlet.java
@@ -39,25 +39,29 @@ public class UserServlet extends BaseServlet {
}
private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ Context.getPermissionsManager().checkAdmin(getUserId(req));
sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
Context.getDataManager().getUsers()));
}
private void add(HttpServletRequest req, HttpServletResponse resp) throws Exception {
User user = JsonConverter.objectFromJson(req.getReader(), new User());
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
Context.getDataManager().addUser(user);
sendResponse(resp.getWriter(), JsonConverter.objectToJson(user));
}
private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().updateUser(JsonConverter.objectFromJson(
- req.getReader(), new User()));
+ User user = JsonConverter.objectFromJson(req.getReader(), new User());
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ Context.getDataManager().updateUser(user);
sendResponse(resp.getWriter(), true);
}
private void remove(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().removeUser(JsonConverter.objectFromJson(
- req.getReader(), new User()));
+ User user = JsonConverter.objectFromJson(req.getReader(), new User());
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ Context.getDataManager().removeUser(user);
sendResponse(resp.getWriter(), true);
}