From 18305737a6dac8fb45037f193736b0261f92ab9d Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Wed, 23 Nov 2016 02:28:11 +1300 Subject: New user security check (fix #2589) --- src/org/traccar/api/SecurityRequestFilter.java | 2 +- src/org/traccar/api/resource/SessionResource.java | 2 +- src/org/traccar/api/resource/UserResource.java | 17 ++++------------- src/org/traccar/database/PermissionsManager.java | 16 ++++++++++++++-- 4 files changed, 20 insertions(+), 17 deletions(-) diff --git a/src/org/traccar/api/SecurityRequestFilter.java b/src/org/traccar/api/SecurityRequestFilter.java index 3f2390754..ca3ebf04d 100644 --- a/src/org/traccar/api/SecurityRequestFilter.java +++ b/src/org/traccar/api/SecurityRequestFilter.java @@ -83,7 +83,7 @@ public class SecurityRequestFilter implements ContainerRequestFilter { Long userId = (Long) request.getSession().getAttribute(SessionResource.USER_ID_KEY); if (userId != null) { - Context.getPermissionsManager().checkUser(userId); + Context.getPermissionsManager().checkUserEnabled(userId); Context.getStatisticsManager().registerRequest(userId); securityContext = new UserSecurityContext(new UserPrincipal(userId)); } diff --git a/src/org/traccar/api/resource/SessionResource.java b/src/org/traccar/api/resource/SessionResource.java index 996865c4b..5f1c597d1 100644 --- a/src/org/traccar/api/resource/SessionResource.java +++ b/src/org/traccar/api/resource/SessionResource.java @@ -80,7 +80,7 @@ public class SessionResource extends BaseResource { } if (userId != null) { - Context.getPermissionsManager().checkUser(userId); + Context.getPermissionsManager().checkUserEnabled(userId); return Context.getPermissionsManager().getUser(userId); } else { throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build()); diff --git a/src/org/traccar/api/resource/UserResource.java b/src/org/traccar/api/resource/UserResource.java index a9edced25..ddbca6b0f 100644 --- a/src/org/traccar/api/resource/UserResource.java +++ b/src/org/traccar/api/resource/UserResource.java @@ -49,6 +49,7 @@ public class UserResource extends BaseResource { public Response add(User entity) throws SQLException { if (!Context.getPermissionsManager().isAdmin(getUserId())) { Context.getPermissionsManager().checkRegistration(getUserId()); + Context.getPermissionsManager().checkUserUpdate(getUserId(), new User(), entity); } Context.getPermissionsManager().addUser(entity); if (Context.getNotificationManager() != null) { @@ -60,19 +61,9 @@ public class UserResource extends BaseResource { @Path("{id}") @PUT public Response update(User entity) throws SQLException { - User old = Context.getPermissionsManager().getUser(entity.getId()); - if (old.getExpirationTime() == null && entity.getExpirationTime() != null - || old.getExpirationTime() != null && !old.getExpirationTime().equals(entity.getExpirationTime()) - || old.getAdmin() != entity.getAdmin() - || old.getReadonly() != entity.getReadonly() - || old.getDisabled() != entity.getDisabled() - || old.getDeviceLimit() != entity.getDeviceLimit() - || old.getToken() == null && entity.getToken() != null - || old.getToken() != null && !old.getToken().equals(entity.getToken())) { - Context.getPermissionsManager().checkAdmin(getUserId()); - } else { - Context.getPermissionsManager().checkUser(getUserId(), entity.getId()); - } + User before = Context.getPermissionsManager().getUser(entity.getId()); + Context.getPermissionsManager().checkUser(getUserId(), entity.getId()); + Context.getPermissionsManager().checkUserUpdate(getUserId(), before, entity); Context.getPermissionsManager().updateUser(entity); if (Context.getNotificationManager() != null) { Context.getNotificationManager().refresh(); diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java index 71633f6ef..078a5f935 100644 --- a/src/org/traccar/database/PermissionsManager.java +++ b/src/org/traccar/database/PermissionsManager.java @@ -29,6 +29,7 @@ import java.util.Collection; import java.util.HashMap; import java.util.HashSet; import java.util.Map; +import java.util.Objects; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; @@ -155,7 +156,7 @@ public class PermissionsManager { } } - public void checkUser(long userId) throws SecurityException { + public void checkUserEnabled(long userId) throws SecurityException { User user = getUser(userId); if (user.getDisabled()) { throw new SecurityException("Account is disabled"); @@ -165,6 +166,17 @@ public class PermissionsManager { } } + public void checkUserUpdate(long userId, User before, User after) throws SecurityException { + if (before.getAdmin() != after.getAdmin() + || before.getReadonly() != after.getReadonly() + || before.getDisabled() != after.getDisabled() + || before.getDeviceLimit() != after.getDeviceLimit() + || !Objects.equals(before.getExpirationTime(), after.getExpirationTime()) + || !Objects.equals(before.getToken(), after.getToken())) { + checkAdmin(userId); + } + } + public void checkUser(long userId, long otherUserId) throws SecurityException { if (userId != otherUserId) { checkAdmin(userId); @@ -244,7 +256,7 @@ public class PermissionsManager { public User login(String email, String password) throws SQLException { User user = dataManager.login(email, password); if (user != null) { - checkUser(user.getId()); + checkUserEnabled(user.getId()); return users.get(user.getId()); } return null; -- cgit v1.2.3 From 859cb5728ea26565d9e64fc2758f611071f74522 Mon Sep 17 00:00:00 2001 From: Turbovix Date: Tue, 22 Nov 2016 21:04:24 -0200 Subject: Update NotificationFormatter.java The URL that refers to the OpenStreetMaps website with the notifications received from the TRACCAR server now uses HTTPS, that is, a secure connection. --- src/org/traccar/notification/NotificationFormatter.java | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/org/traccar/notification/NotificationFormatter.java b/src/org/traccar/notification/NotificationFormatter.java index ae1a58d3a..059f532cf 100644 --- a/src/org/traccar/notification/NotificationFormatter.java +++ b/src/org/traccar/notification/NotificationFormatter.java @@ -47,46 +47,46 @@ public final class NotificationFormatter { public static final String TITLE_TEMPLATE_TYPE_DEVICE_MOVING = "%1$s: moving"; public static final String MESSAGE_TEMPLATE_TYPE_DEVICE_MOVING = "Device: %1$s%n" + "Moving%n" - + "Point: http://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + + "Point: https://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + "Time: %2$tc%n"; public static final String TITLE_TEMPLATE_TYPE_DEVICE_STOPPED = "%1$s: stopped"; public static final String MESSAGE_TEMPLATE_TYPE_DEVICE_STOPPED = "Device: %1$s%n" + "Stopped%n" - + "Point: http://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + + "Point: https://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + "Time: %2$tc%n"; public static final String TITLE_TEMPLATE_TYPE_DEVICE_OVERSPEED = "%1$s: exceeds the speed"; public static final String MESSAGE_TEMPLATE_TYPE_DEVICE_OVERSPEED = "Device: %1$s%n" + "Exceeds the speed: %5$s%n" - + "Point: http://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + + "Point: https://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + "Time: %2$tc%n"; public static final String TITLE_TEMPLATE_TYPE_GEOFENCE_ENTER = "%1$s: has entered geofence"; public static final String MESSAGE_TEMPLATE_TYPE_GEOFENCE_ENTER = "Device: %1$s%n" + "Has entered geofence: %5$s%n" - + "Point: http://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + + "Point: https://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + "Time: %2$tc%n"; public static final String TITLE_TEMPLATE_TYPE_GEOFENCE_EXIT = "%1$s: has exited geofence"; public static final String MESSAGE_TEMPLATE_TYPE_GEOFENCE_EXIT = "Device: %1$s%n" + "Has exited geofence: %5$s%n" - + "Point: http://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + + "Point: https://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + "Time: %2$tc%n"; public static final String TITLE_TEMPLATE_TYPE_ALARM = "%1$s: alarm!"; public static final String MESSAGE_TEMPLATE_TYPE_ALARM = "Device: %1$s%n" + "Alarm: %5$s%n" - + "Point: http://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + + "Point: https://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + "Time: %2$tc%n"; public static final String TITLE_TEMPLATE_TYPE_IGNITION_ON = "%1$s: ignition ON"; public static final String MESSAGE_TEMPLATE_TYPE_IGNITION_ON = "Device: %1$s%n" + "Ignition ON%n" - + "Point: http://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + + "Point: https://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + "Time: %2$tc%n"; public static final String TITLE_TEMPLATE_TYPE_IGNITION_OFF = "%1$s: ignition OFF"; public static final String MESSAGE_TEMPLATE_TYPE_IGNITION_OFF = "Device: %1$s%n" + "Ignition OFF%n" - + "Point: http://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + + "Point: https://www.openstreetmap.org/?mlat=%3$f&mlon=%4$f#map=16/%3$f/%4$f%n" + "Time: %2$tc%n"; public static String formatTitle(long userId, Event event, Position position) { -- cgit v1.2.3