From 136be53a084b84a0a764d0d326146fca241733f4 Mon Sep 17 00:00:00 2001
From: Anton Tananaev
Date: Sat, 27 Jun 2015 10:50:40 +1200
Subject: Fix user security issue
---
 src/org/traccar/http/UserServlet.java | 6 +++++-
 web/app/view/user/UserDialog.js | 4 +++-
 web/app/view/user/UserDialogController.js | 6 ++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/org/traccar/http/UserServlet.java b/src/org/traccar/http/UserServlet.java
index f388326b0..19a70ac93 100644
--- a/src/org/traccar/http/UserServlet.java
+++ b/src/org/traccar/http/UserServlet.java
@@ -53,7 +53,11 @@ public class UserServlet extends BaseServlet {
 private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
 User user = JsonConverter.objectFromJson(req.getReader(), new User());
- Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ if (user.getAdmin()) {
+ Context.getPermissionsManager().checkAdmin(getUserId(req));
+ } else {
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ }
 Context.getDataManager().updateUser(user);
 sendResponse(resp.getWriter(), true);
 }
diff --git a/web/app/view/user/UserDialog.js b/web/app/view/user/UserDialog.js
index 7b6dc4199..fba182eb1 100644
--- a/web/app/view/user/UserDialog.js
+++ b/web/app/view/user/UserDialog.js
@@ -50,7 +50,9 @@ Ext.define('Traccar.view.user.UserDialog', {
 xtype: 'checkboxfield',
 name: 'admin',
 fieldLabel: strings.login_admin,
- allowBlank: false
+ allowBlank: false,
+ disabled: true,
+ reference: 'adminField'
 }]
 },
diff --git a/web/app/view/user/UserDialogController.js b/web/app/view/user/UserDialogController.js
index 1ec14c5e8..c5464225c 100644
--- a/web/app/view/user/UserDialogController.js
+++ b/web/app/view/user/UserDialogController.js
@@ -18,6 +18,12 @@ Ext.define('Traccar.view.user.UserDialogController', {
 extend: 'Ext.app.ViewController',
 alias: 'controller.userdialog',
+ init: function() {
+ if (Traccar.getApplication().getUser().get('admin')) {
+ this.lookupReference('adminField').setDisabled(false);
+ }
+ },
+
 onSaveClick: function(button) {
 var dialog = button.up('window').down('form');
 dialog.updateRecord();
--
cgit v1.2.3
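Review bot: The branch added in `update` picks the permission check from the `admin` flag carried in the request body rather than from the stored record; that is exactly what blocks a non-admin from promoting themselves (any payload with the flag set must come from an admin, anything else is limited by `checkUser` to the requester's own record), but nothing in the code says so and a later cleanup could easily collapse it back to a single `checkUser`. A comment on the `if` would pin the intent, e.g. `// admin flag is client-supplied: saving a user with it set requires an admin requester; otherwise the requester may only edit themselves`. `getUserId(req)` is evaluated in both branches; hoisting it into a local above the `if` reads better and resolves the requester once. If `User.getAdmin()` returns a boxed `Boolean` rather than a primitive, a payload that omits the field would throw a NullPointerException at the `if` — the return type is not visible here, so worth confirming. The whole of `update` is inside the hunk.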
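Review bot: `disabled: true` on the `admin` checkbox is a client-side convenience only; the actual control is the `checkAdmin` branch in `UserServlet.update`, and the field definition should say so to keep the two from being mistaken for each other, e.g. `// enabled by UserDialogController.init for admins only; the server re-checks the flag on save`. In the Ext versions I am familiar with a disabled field is skipped by `getModelData`, so `updateRecord()` in the controller's `onSaveClick` would leave the record's `admin` value as loaded for non-admin users — presumably the intent, but worth confirming against the Ext version this project uses. The same UI-only point applies to the `init` hunk in UserDialogController.js.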
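Review bot: `init` enables the admin checkbox from the cached client-side user model, so it only shapes the UI; the decision that matters is made server-side in `UserServlet.update`, and a short comment keeps that clear, e.g. `// cosmetic only: the server rejects a non-admin saving admin=true regardless of this field`. `this.lookupReference('adminField')` is used without a null check; if the reference is not yet resolved when `init` runs, `setDisabled` throws on `undefined` — hedged, since when references become available depends on the Ext version in use. `onSaveClick` continues past the end of the hunk.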