From 18305737a6dac8fb45037f193736b0261f92ab9d Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Wed, 23 Nov 2016 02:28:11 +1300 Subject: New user security check (fix #2589) --- src/org/traccar/api/SecurityRequestFilter.java | 2 +- src/org/traccar/api/resource/SessionResource.java | 2 +- src/org/traccar/api/resource/UserResource.java | 17 ++++------------- src/org/traccar/database/PermissionsManager.java | 16 ++++++++++++++-- 4 files changed, 20 insertions(+), 17 deletions(-) (limited to 'src/org') diff --git a/src/org/traccar/api/SecurityRequestFilter.java b/src/org/traccar/api/SecurityRequestFilter.java index 3f2390754..ca3ebf04d 100644 --- a/src/org/traccar/api/SecurityRequestFilter.java +++ b/src/org/traccar/api/SecurityRequestFilter.java @@ -83,7 +83,7 @@ public class SecurityRequestFilter implements ContainerRequestFilter { Long userId = (Long) request.getSession().getAttribute(SessionResource.USER_ID_KEY); if (userId != null) { - Context.getPermissionsManager().checkUser(userId); + Context.getPermissionsManager().checkUserEnabled(userId); Context.getStatisticsManager().registerRequest(userId); securityContext = new UserSecurityContext(new UserPrincipal(userId)); } diff --git a/src/org/traccar/api/resource/SessionResource.java b/src/org/traccar/api/resource/SessionResource.java index 996865c4b..5f1c597d1 100644 --- a/src/org/traccar/api/resource/SessionResource.java +++ b/src/org/traccar/api/resource/SessionResource.java @@ -80,7 +80,7 @@ public class SessionResource extends BaseResource { } if (userId != null) { - Context.getPermissionsManager().checkUser(userId); + Context.getPermissionsManager().checkUserEnabled(userId); return Context.getPermissionsManager().getUser(userId); } else { throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build()); diff --git a/src/org/traccar/api/resource/UserResource.java b/src/org/traccar/api/resource/UserResource.java index a9edced25..ddbca6b0f 100644 --- a/src/org/traccar/api/resource/UserResource.java +++ b/src/org/traccar/api/resource/UserResource.java @@ -49,6 +49,7 @@ public class UserResource extends BaseResource { public Response add(User entity) throws SQLException { if (!Context.getPermissionsManager().isAdmin(getUserId())) { Context.getPermissionsManager().checkRegistration(getUserId()); + Context.getPermissionsManager().checkUserUpdate(getUserId(), new User(), entity); } Context.getPermissionsManager().addUser(entity); if (Context.getNotificationManager() != null) { @@ -60,19 +61,9 @@ public class UserResource extends BaseResource { @Path("{id}") @PUT public Response update(User entity) throws SQLException { - User old = Context.getPermissionsManager().getUser(entity.getId()); - if (old.getExpirationTime() == null && entity.getExpirationTime() != null - || old.getExpirationTime() != null && !old.getExpirationTime().equals(entity.getExpirationTime()) - || old.getAdmin() != entity.getAdmin() - || old.getReadonly() != entity.getReadonly() - || old.getDisabled() != entity.getDisabled() - || old.getDeviceLimit() != entity.getDeviceLimit() - || old.getToken() == null && entity.getToken() != null - || old.getToken() != null && !old.getToken().equals(entity.getToken())) { - Context.getPermissionsManager().checkAdmin(getUserId()); - } else { - Context.getPermissionsManager().checkUser(getUserId(), entity.getId()); - } + User before = Context.getPermissionsManager().getUser(entity.getId()); + Context.getPermissionsManager().checkUser(getUserId(), entity.getId()); + Context.getPermissionsManager().checkUserUpdate(getUserId(), before, entity); Context.getPermissionsManager().updateUser(entity); if (Context.getNotificationManager() != null) { Context.getNotificationManager().refresh(); diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java index 71633f6ef..078a5f935 100644 --- a/src/org/traccar/database/PermissionsManager.java +++ b/src/org/traccar/database/PermissionsManager.java @@ -29,6 +29,7 @@ import java.util.Collection; import java.util.HashMap; import java.util.HashSet; import java.util.Map; +import java.util.Objects; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; @@ -155,7 +156,7 @@ public class PermissionsManager { } } - public void checkUser(long userId) throws SecurityException { + public void checkUserEnabled(long userId) throws SecurityException { User user = getUser(userId); if (user.getDisabled()) { throw new SecurityException("Account is disabled"); @@ -165,6 +166,17 @@ public class PermissionsManager { } } + public void checkUserUpdate(long userId, User before, User after) throws SecurityException { + if (before.getAdmin() != after.getAdmin() + || before.getReadonly() != after.getReadonly() + || before.getDisabled() != after.getDisabled() + || before.getDeviceLimit() != after.getDeviceLimit() + || !Objects.equals(before.getExpirationTime(), after.getExpirationTime()) + || !Objects.equals(before.getToken(), after.getToken())) { + checkAdmin(userId); + } + } + public void checkUser(long userId, long otherUserId) throws SecurityException { if (userId != otherUserId) { checkAdmin(userId); @@ -244,7 +256,7 @@ public class PermissionsManager { public User login(String email, String password) throws SQLException { User user = dataManager.login(email, password); if (user != null) { - checkUser(user.getId()); + checkUserEnabled(user.getId()); return users.get(user.getId()); } return null; -- cgit v1.2.3