From fc75fe4ab4f8ea9de58c41772fdd92c10c73f2bc Mon Sep 17 00:00:00 2001
From: Anton Tananaev
Date: Sat, 13 Jun 2015 17:36:31 +1200
Subject: Fix API access permissions

---
 src/org/traccar/database/DataManager.java | 7 +++++-
 src/org/traccar/database/PermissionsManager.java | 27 ++++++++++++++++++------
 src/org/traccar/http/BaseServlet.java | 13 ++++++++----
 src/org/traccar/http/DeviceServlet.java | 14 ++++++------
 src/org/traccar/http/PositionServlet.java | 8 +++----
 src/org/traccar/http/ServerServlet.java | 5 +++--
 src/org/traccar/http/UserServlet.java | 12 +++++++----
 7 files changed, 58 insertions(+), 28 deletions(-)
(limited to 'src/org/traccar')
diff --git a/src/org/traccar/database/DataManager.java b/src/org/traccar/database/DataManager.java
index dd611d975..bab785a96 100644
--- a/src/org/traccar/database/DataManager.java
+++ b/src/org/traccar/database/DataManager.java
@@ -50,7 +50,7 @@ public class DataManager {
 private final Properties properties;
 private DataSource dataSource;
-
+
 private final Map devices = new HashMap();
 private long devicesLastUpdate;
 private long devicesRefreshDelay;
@@ -231,6 +231,7 @@ public class DataManager {
 user.setId(QueryBuilder.create(dataSource, properties.getProperty("database.insertUser"))
 .setObject(user)
 .executeUpdate());
+ Context.getPermissionsManager().refresh();
 }
 
 public void updateUser(User user) throws SQLException {
@@ -243,12 +244,15 @@ public class DataManager {
 .setObject(user)
 .executeUpdate();
 }
+
+ Context.getPermissionsManager().refresh();
 }
 
 public void removeUser(User user) throws SQLException {
 QueryBuilder.create(dataSource, properties.getProperty("database.deleteUser"))
 .setObject(user)
 .executeUpdate();
+ Context.getPermissionsManager().refresh();
 }
 
 public Collection getPermissions() throws SQLException {
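Review bot: The `Context.getPermissionsManager().refresh();` call is repeated verbatim after each user write here (addUser, updateUser, removeUser) and again in the linkDevice hunk; a private helper such as `refreshPermissions()` would keep the data layer's dependency on the global Context in one place. The call reloads every user and permission row on each write, so a one-line comment stating that intent, `// the in-memory permission cache backs the HTTP access checks; rebuild it after every user/link change`, would help the next maintainer. Whether removeDevice or any unlink path also needs a refresh cannot be seen from this diff.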
@@ -290,6 +294,7 @@ public class DataManager {
 .setLong("userId", userId)
 .setLong("deviceId", deviceId)
 .executeUpdate();
+ Context.getPermissionsManager().refresh();
 }
 
 public Collection getPositions(long userId, long deviceId, Date from, Date to) throws SQLException {
diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java
index e889afb06..f34fecb08 100644
--- a/src/org/traccar/database/PermissionsManager.java
+++ b/src/org/traccar/database/PermissionsManager.java
@@ -24,9 +24,12 @@ import java.util.Set;
 import org.traccar.Context;
 import org.traccar.helper.Log;
 import org.traccar.model.Permission;
+import org.traccar.model.User;
 
 public class PermissionsManager {
 
+ private final Map users = new HashMap();
+
 private final Map> permissions = new HashMap>();
 
 private Set getNotNull(long userId) {
@@ -41,8 +44,12 @@ public class PermissionsManager {
 }
 
 public final void refresh() {
+ users.clear();
 permissions.clear();
 try {
+ for (User user : Context.getDataManager().getUsers()) {
+ users.put(user.getId(), user);
+ }
 for (Permission permission : Context.getDataManager().getPermissions()) {
 getNotNull(permission.getUserId()).add(permission.getDeviceId());
 }
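Review bot: refresh() now clears `users` and `permissions` in place before repopulating them, with no synchronization, while checkAdmin and checkDevice on other servlet threads read the same plain HashMaps; a request that races with a DataManager write can observe an empty map (and be denied) or read a HashMap in the middle of a mutation. Either mark refresh() and the reader methods `synchronized`, or load both maps into locals and publish them through volatile fields in a single assignment so readers always see a complete snapshot. Because clear() runs before the try, a failure in getUsers() or getPermissions() leaves the cache empty until the next write; that is fail-closed, which is the safer default, but it deserves a comment saying so. The enclosing class body continues outside this hunk.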
@@ -51,19 +58,25 @@ public class PermissionsManager {
 }
 }
 
+ public void checkAdmin(long userId) throws SecurityException {
+ if (!users.containsKey(userId) || !users.get(userId).getAdmin()) {
+ throw new SecurityException("Admin access required");
+ }
+ }
+
+ public void checkUser(long userId, long otherUserId) throws SecurityException {
+ if (userId != otherUserId) {
+ checkAdmin(userId);
+ }
+ }
+
 public Collection allowedDevices(long userId) {
 return getNotNull(userId);
 }
 
 public void checkDevice(long userId, long deviceId) throws SecurityException {
 if (getNotNull(userId).contains(deviceId)) {
- throw new SecurityException();
- }
- }
-
- public void checkDevices(long userId, Collection devices) throws SecurityException {
- if (getNotNull(userId).containsAll(devices)) {
- throw new SecurityException();
+ throw new SecurityException("Device access denied");
 }
 }
 
diff --git a/src/org/traccar/http/BaseServlet.java b/src/org/traccar/http/BaseServlet.java
index be4b41631..9dba2e647 100644
--- a/src/org/traccar/http/BaseServlet.java
+++ b/src/org/traccar/http/BaseServlet.java
@@ -25,7 +25,6 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
 import org.traccar.model.User;
 
 public abstract class BaseServlet extends HttpServlet {
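Review bot: checkDevice still throws when the user's allowed set contains deviceId and passes when it does not, so the new message is attached to an inverted condition; it should read `if (!getNotNull(userId).contains(deviceId)) {`. As written, the checkDevice calls this commit adds in DeviceServlet.update/remove and PositionServlet.get deny a device's legitimate users and admit everyone else, so this is the one line in the commit that most needs a test. The deleted checkDevices had the same shape (containsAll without negation), so nothing in this class currently enforces device access the way the new callers expect. checkAdmin also calls getAdmin() on the cached User; if that getter can return a null Boolean, the condition would throw NullPointerException instead of SecurityException — confirm against the model, which is outside this diff.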
@@ -46,14 +45,20 @@ public abstract class BaseServlet extends HttpServlet {
 
 protected abstract boolean handle(String command, HttpServletRequest req, HttpServletResponse resp) throws Exception;
 
- public long getUserId(HttpSession session) {
- User user = (User) session.getAttribute(USER_KEY);
+ public long getUserId(HttpServletRequest req) {
+ User user = (User) req.getSession().getAttribute(USER_KEY);
 if (user == null) {
- throw new AccessControlException("User is not logged in");
+ throw new AccessControlException("User not logged in");
 }
 return user.getId();
 }
 
+ public void securityCheck(boolean check) throws SecurityException {
+ if (!check) {
+ throw new SecurityException("Access denied");
+ }
+ }
+
 public void sendResponse(Writer writer, boolean success) throws IOException {
 JsonObjectBuilder result = Json.createObjectBuilder();
 result.add("success", success);
diff --git a/src/org/traccar/http/DeviceServlet.java b/src/org/traccar/http/DeviceServlet.java
index 1387c2a13..1e8e1f047 100644
--- a/src/org/traccar/http/DeviceServlet.java
+++ b/src/org/traccar/http/DeviceServlet.java
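Review bot: getUserId calls `req.getSession()`, which creates a fresh session for an unauthenticated request just before the method throws; `req.getSession(false)` avoids allocating session state for anonymous callers. Treat a missing session like a missing user, e.g. `HttpSession session = req.getSession(false);` followed by `User user = session == null ? null : (User) session.getAttribute(USER_KEY);` — note this re-requires the HttpSession import the previous hunk removes. securityCheck(boolean) is added here but no caller appears anywhere in the diff; a Javadoc line stating what it is meant to guard would help, or it could wait until it has a caller.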
@@ -40,25 +40,27 @@ public class DeviceServlet extends BaseServlet {
 
 private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
 sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
- Context.getDataManager().getDevices(getUserId(req.getSession()))));
+ Context.getDataManager().getDevices(getUserId(req))));
 }
 
 private void add(HttpServletRequest req, HttpServletResponse resp) throws Exception {
 Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
 Context.getDataManager().addDevice(device);
- Context.getDataManager().linkDevice(getUserId(req.getSession()), device.getId());
+ Context.getDataManager().linkDevice(getUserId(req), device.getId());
 sendResponse(resp.getWriter(), JsonConverter.objectToJson(device));
 }
 
 private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().updateDevice(JsonConverter.objectFromJson(
- req.getReader(), new Device()));
+ Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
+ Context.getPermissionsManager().checkDevice(getUserId(req), device.getId());
+ Context.getDataManager().updateDevice(device);
 sendResponse(resp.getWriter(), true);
 }
 
 private void remove(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().removeDevice(JsonConverter.objectFromJson(
- req.getReader(), new Device()));
+ Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
+ Context.getPermissionsManager().checkDevice(getUserId(req), device.getId());
+ Context.getDataManager().removeDevice(device);
 sendResponse(resp.getWriter(), true);
 }
 
diff --git a/src/org/traccar/http/PositionServlet.java b/src/org/traccar/http/PositionServlet.java
index e6348ec54..57b411a79 100644
--- a/src/org/traccar/http/PositionServlet.java
+++ b/src/org/traccar/http/PositionServlet.java
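Review bot: update and remove now repeat the same parse-then-authorize prologue (`JsonConverter.objectFromJson(req.getReader(), new Device())` followed by `checkDevice(getUserId(req), device.getId())`); a private helper that returns the authorized Device would keep the check from being forgotten in the next handler added to this class. The check necessarily trusts the id in the request body, so it authorizes exactly the device the body names — correct as long as updateDevice and removeDevice key on that same id, which is not visible here. After removeDevice nothing in this diff refreshes the permission cache (unlike linkDevice in DataManager), so a deleted device's id may linger in allowedDevices until a later write triggers refresh(); confirm whether removeDevice handles that itself.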
@@ -15,10 +15,9 @@
 */
 package org.traccar.http;
 
-import org.traccar.Context;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.traccar.Context;
 
 public class PositionServlet extends BaseServlet {
 
@@ -31,10 +30,11 @@ public class PositionServlet extends BaseServlet {
 }
 
 private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ long deviceId = Long.valueOf(req.getParameter("deviceId"));
+ Context.getPermissionsManager().checkDevice(getUserId(req), deviceId);
 sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
 Context.getDataManager().getPositions(
- getUserId(req.getSession()),
- Long.valueOf(req.getParameter("deviceId")),
+ getUserId(req), deviceId,
 JsonConverter.parseDate(req.getParameter("from")),
 JsonConverter.parseDate(req.getParameter("to")))));
 }
diff --git a/src/org/traccar/http/ServerServlet.java b/src/org/traccar/http/ServerServlet.java
index baac99084..d814769a8 100644
--- a/src/org/traccar/http/ServerServlet.java
+++ b/src/org/traccar/http/ServerServlet.java
@@ -40,8 +40,9 @@ public class ServerServlet extends BaseServlet {
 }
 
 private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().updateServer(JsonConverter.objectFromJson(
- req.getReader(), new Server()));
+ Server server = JsonConverter.objectFromJson(req.getReader(), new Server());
+ Context.getPermissionsManager().checkAdmin(getUserId(req));
+ Context.getDataManager().updateServer(server);
 sendResponse(resp.getWriter(), true);
 }
 
diff --git a/src/org/traccar/http/UserServlet.java b/src/org/traccar/http/UserServlet.java
index 597b54a5c..f388326b0 100644
--- a/src/org/traccar/http/UserServlet.java
+++ b/src/org/traccar/http/UserServlet.java
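Review bot: In PositionServlet.get, `Long.valueOf(req.getParameter("deviceId"))` throws NumberFormatException when the parameter is absent or not numeric, and it runs before checkDevice, so a malformed request is answered by whatever the generic exception path in handle() does rather than by a deliberate failure response; validating the parameter first and answering with `sendResponse(resp.getWriter(), false)` would make that explicit. Running checkDevice before the date parsing is the right order. handle() is outside this hunk, so how the exception is mapped to a response cannot be seen here.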
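Review bot: In ServerServlet.update, checkAdmin does not depend on the request body, so it should precede `JsonConverter.objectFromJson(req.getReader(), new Server())`; as ordered, every logged-in user gets an arbitrary JSON body run through the deserializer before being rejected. Swapping the two lines so `Context.getPermissionsManager().checkAdmin(getUserId(req));` comes first is enough, and it is the same authorize-before-parse order UserServlet.get uses.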
@@ -39,25 +39,29 @@ public class UserServlet extends BaseServlet {
 }
 
 private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ Context.getPermissionsManager().checkAdmin(getUserId(req));
 sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
 Context.getDataManager().getUsers()));
 }
 
 private void add(HttpServletRequest req, HttpServletResponse resp) throws Exception {
 User user = JsonConverter.objectFromJson(req.getReader(), new User());
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
 Context.getDataManager().addUser(user);
 sendResponse(resp.getWriter(), JsonConverter.objectToJson(user));
 }
 
 private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().updateUser(JsonConverter.objectFromJson(
- req.getReader(), new User()));
+ User user = JsonConverter.objectFromJson(req.getReader(), new User());
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ Context.getDataManager().updateUser(user);
 sendResponse(resp.getWriter(), true);
 }
 
 private void remove(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().removeUser(JsonConverter.objectFromJson(
- req.getReader(), new User()));
+ User user = JsonConverter.objectFromJson(req.getReader(), new User());
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ Context.getDataManager().removeUser(user);
 sendResponse(resp.getWriter(), true);
 }
 
-- 
cgit v1.2.3
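Review bot: In add, `checkUser(getUserId(req), user.getId())` compares the caller against an id taken from the request body, so a non-admin whose body carries their own id passes the check and creates a new account; unless self-registration is intended, add should require `Context.getPermissionsManager().checkAdmin(getUserId(req));` as get does. In update, a non-admin editing their own record passes checkUser and the entire deserialized User is handed to updateUser, so if the body's admin flag (the field checkAdmin reads through getAdmin()) is persisted, a user could promote themselves — updateUser and the User model are outside this diff, so confirm, and if it is persisted, reset that flag for non-admin callers before the update. remove has the same shape and permits self-deletion, which may be intended but is worth a comment.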