From 468e3b0aa03fbe69b4c590743cf9f6886ef99751 Mon Sep 17 00:00:00 2001
From: Anton Tananaev <anton.tananaev@gmail.com>
Date: Fri, 18 Nov 2016 00:16:55 +1300
Subject: Check account on every call

---
 src/org/traccar/api/SecurityRequestFilter.java   |  1 +
 src/org/traccar/database/PermissionsManager.java | 16 +++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

(limited to 'src/org/traccar')

diff --git a/src/org/traccar/api/SecurityRequestFilter.java b/src/org/traccar/api/SecurityRequestFilter.java
index 598e4566d..be74a3607 100644
--- a/src/org/traccar/api/SecurityRequestFilter.java
+++ b/src/org/traccar/api/SecurityRequestFilter.java
@@ -80,6 +80,7 @@ public class SecurityRequestFilter implements ContainerRequestFilter {
 
             Long userId = (Long) request.getSession().getAttribute(SessionResource.USER_ID_KEY);
             if (userId != null) {
+                Context.getPermissionsManager().checkUser(userId);
                 Context.getStatisticsManager().registerRequest(userId);
                 securityContext = new UserSecurityContext(new UserPrincipal(userId));
             }
diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java
index e620d5334..1c995a11d 100644
--- a/src/org/traccar/database/PermissionsManager.java
+++ b/src/org/traccar/database/PermissionsManager.java
@@ -146,7 +146,17 @@ public class PermissionsManager {
 
     public void checkReadonly(long userId) throws SecurityException {
         if (!isAdmin(userId) && (server.getReadonly() || isReadonly(userId))) {
-            throw new SecurityException("User is readonly");
+            throw new SecurityException("Account is readonly");
+        }
+    }
+
+    public void checkUser(long userId) throws SecurityException {
+        User user = getUser(userId);
+        if (user.getDisabled()) {
+            throw new SecurityException("Account is disabled");
+        }
+        if (user.getExpirationTime() != null && System.currentTimeMillis() > user.getExpirationTime().getTime()) {
+            throw new SecurityException("Account has expired");
         }
     }
 
@@ -217,8 +227,8 @@ public class PermissionsManager {
 
     public User login(String email, String password) throws SQLException {
         User user = dataManager.login(email, password);
-        if (user != null && !user.getDisabled() && (user.getExpirationTime() == null
-                || user.getExpirationTime().getTime() > System.currentTimeMillis())) {
+        if (user != null) {
+            checkUser(user.getId());
             return users.get(user.getId());
         }
         return null;
-- 
cgit v1.2.3