From a1397ca05d9000b914b249b78997f7f3ebb14319 Mon Sep 17 00:00:00 2001
From: Anton Tananaev
Date: Fri, 12 Oct 2018 14:55:58 +1300
Subject: Restrict access to computed attributes (AC-2018-10-8-1)
---
 .../traccar/api/resource/AttributeResource.java | 29 +++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/src/org/traccar/api/resource/AttributeResource.java b/src/org/traccar/api/resource/AttributeResource.java
index 8f0bac473..d10ca4a72 100644
--- a/src/org/traccar/api/resource/AttributeResource.java
+++ b/src/org/traccar/api/resource/AttributeResource.java
@@ -1,6 +1,6 @@
 /*
- * Copyright 2017 Anton Tananaev (anton@traccar.org)
- * Copyright 2017 Andrey Kunitsyn (andrey@traccar.org)
+ * Copyright 2017 - 2018 Anton Tananaev (anton@traccar.org)
+ * Copyright 2017 - 2018 Andrey Kunitsyn (andrey@traccar.org)
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,8 +19,11 @@ package org.traccar.api.resource;
 import java.sql.SQLException;
 
 import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
 import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.MediaType;
@@ -44,7 +47,7 @@ public class AttributeResource extends ExtendedObjectResource {
     @POST
     @Path("test")
     public Response test(@QueryParam("deviceId") long deviceId, Attribute entity) throws SQLException {
-        Context.getPermissionsManager().checkReadonly(getUserId());
+        Context.getPermissionsManager().checkAdmin(getUserId());
         Context.getPermissionsManager().checkDevice(getUserId(), deviceId);
         Position last = Context.getIdentityManager().getLastPosition(deviceId);
         if (last != null) {
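Review bot: The third hunk tightens `test` from `checkReadonly` to `checkAdmin` without recording in the code why an endpoint that merely evaluates an attribute against a device's last position now needs administrator rights; a reader of the file alone will see only a stricter check than the sibling resources use. The commit subject ("Restrict access to computed attributes") suggests the intent, presumably that attribute expressions are evaluated on the server and should not be authored or probed by ordinary users, but that reasoning should live next to the check. Suggest a line comment above it such as `// Computed attributes are admin-only (AC-2018-10-8-1); evaluating a user-supplied expression is not a read-only operation.` The body of `test` continues past the end of the hunk, so the rest of the method's behaviour cannot be reviewed here.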
@@ -68,4 +71,24 @@ public class AttributeResource extends ExtendedObjectResource {
         }
     }
 
+    @POST
+    public Response add(Attribute entity) throws SQLException {
+        Context.getPermissionsManager().checkAdmin(getUserId());
+        return super.add(entity);
+    }
+
+    @Path("{id}")
+    @PUT
+    public Response update(Attribute entity) throws SQLException {
+        Context.getPermissionsManager().checkAdmin(getUserId());
+        return super.update(entity);
+    }
+
+    @Path("{id}")
+    @DELETE
+    public Response remove(@PathParam("id") long id) throws SQLException {
+        Context.getPermissionsManager().checkAdmin(getUserId());
+        return super.remove(id);
+    }
+
 }
-- cgit v1.2.3
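Review bot: `update` is mapped to `@Path("{id}")` but, unlike `remove` below it, never binds the path parameter, so the record that is modified is whichever id the request body's `entity` carries, not the id in the URL; the added `checkAdmin` narrows who may call it but does not close that mismatch. This is probably inherited from the base `update` in `ExtendedObjectResource` (outside this diff), yet now that the override exists it is the natural place to bind and cross-check the id, e.g. `public Response update(@PathParam("id") long id, Attribute entity) throws SQLException {` followed by `if (id != entity.getId()) { throw new IllegalArgumentException("path id does not match entity id"); }` before delegating — worth confirming against the base signature first so the override still matches JAX-RS resolution. The same `Context.getPermissionsManager().checkAdmin(getUserId());` line is now repeated in `add`, `update`, `remove` and `test`; a private helper such as `requireAdmin()` would keep the four entry points in step if the policy changes again. A short class-level Javadoc stating that all mutating operations on computed attributes are admin-only would also save the next reader from re-deriving the policy from four identical lines.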