From 468e3b0aa03fbe69b4c590743cf9f6886ef99751 Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Fri, 18 Nov 2016 00:16:55 +1300 Subject: Check account on every call --- src/org/traccar/api/SecurityRequestFilter.java | 1 + src/org/traccar/database/PermissionsManager.java | 16 +++++++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) (limited to 'src/org/traccar') diff --git a/src/org/traccar/api/SecurityRequestFilter.java b/src/org/traccar/api/SecurityRequestFilter.java index 598e4566d..be74a3607 100644 --- a/src/org/traccar/api/SecurityRequestFilter.java +++ b/src/org/traccar/api/SecurityRequestFilter.java @@ -80,6 +80,7 @@ public class SecurityRequestFilter implements ContainerRequestFilter { Long userId = (Long) request.getSession().getAttribute(SessionResource.USER_ID_KEY); if (userId != null) { + Context.getPermissionsManager().checkUser(userId); Context.getStatisticsManager().registerRequest(userId); securityContext = new UserSecurityContext(new UserPrincipal(userId)); } diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java index e620d5334..1c995a11d 100644 --- a/src/org/traccar/database/PermissionsManager.java +++ b/src/org/traccar/database/PermissionsManager.java @@ -146,7 +146,17 @@ public class PermissionsManager { public void checkReadonly(long userId) throws SecurityException { if (!isAdmin(userId) && (server.getReadonly() || isReadonly(userId))) { - throw new SecurityException("User is readonly"); + throw new SecurityException("Account is readonly"); + } + } + + public void checkUser(long userId) throws SecurityException { + User user = getUser(userId); + if (user.getDisabled()) { + throw new SecurityException("Account is disabled"); + } + if (user.getExpirationTime() != null && System.currentTimeMillis() > user.getExpirationTime().getTime()) { + throw new SecurityException("Account has expired"); } } @@ -217,8 +227,8 @@ public class PermissionsManager { public User login(String email, String password) throws SQLException { User user = dataManager.login(email, password); - if (user != null && !user.getDisabled() && (user.getExpirationTime() == null - || user.getExpirationTime().getTime() > System.currentTimeMillis())) { + if (user != null) { + checkUser(user.getId()); return users.get(user.getId()); } return null; -- cgit v1.2.3