author | Anton Tananaev <anton.tananaev@gmail.com> | 2015-06-27 10:50:40 +1200 |
---|---|---|
committer | Anton Tananaev <anton.tananaev@gmail.com> | 2015-06-27 10:50:40 +1200 |
commit | 136be53a084b84a0a764d0d326146fca241733f4 (patch) | |
tree | d8f4756ecbd1376a51d40bee085e595f6c64d8b3 | |
parent | deea5b703fd83e699d62600d93b3e28ac71188a1 (diff) | |
download | trackermap-server-136be53a084b84a0a764d0d326146fca241733f4.tar.gz trackermap-server-136be53a084b84a0a764d0d326146fca241733f4.tar.bz2 trackermap-server-136be53a084b84a0a764d0d326146fca241733f4.zip |
Fix user security issue
-rw-r--r-- | src/org/traccar/http/UserServlet.java | 6 | ||||
-rw-r--r-- | web/app/view/user/UserDialog.js | 4 | ||||
-rw-r--r-- | web/app/view/user/UserDialogController.js | 6 |
3 files changed, 14 insertions, 2 deletions
diff --git a/src/org/traccar/http/UserServlet.java b/src/org/traccar/http/UserServlet.java
index f388326b0..19a70ac93 100644
--- a/src/org/traccar/http/UserServlet.java
+++ b/src/org/traccar/http/UserServlet.java
@@ -53,7 +53,11 @@ public class UserServlet extends BaseServlet {
 private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
 User user = JsonConverter.objectFromJson(req.getReader(), new User());
- Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ if (user.getAdmin()) {
+ Context.getPermissionsManager().checkAdmin(getUserId(req));
+ } else {
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ }
 Context.getDataManager().updateUser(user);
 sendResponse(resp.getWriter(), true);
 }
diff --git a/web/app/view/user/UserDialog.js b/web/app/view/user/UserDialog.js
index 7b6dc4199..fba182eb1 100644
--- a/web/app/view/user/UserDialog.js
+++ b/web/app/view/user/UserDialog.js
@@ -50,7 +50,9 @@ Ext.define('Traccar.view.user.UserDialog', {
 xtype: 'checkboxfield',
 name: 'admin',
 fieldLabel: strings.login_admin,
- allowBlank: false
+ allowBlank: false,
+ disabled: true,
+ reference: 'adminField'
 }]
 },
diff --git a/web/app/view/user/UserDialogController.js b/web/app/view/user/UserDialogController.js
index 1ec14c5e8..c5464225c 100644
--- a/web/app/view/user/UserDialogController.js
+++ b/web/app/view/user/UserDialogController.js
@@ -18,6 +18,12 @@ Ext.define('Traccar.view.user.UserDialogController', {
 extend: 'Ext.app.ViewController',
 alias: 'controller.userdialog',
+ init: function() {
+ if (Traccar.getApplication().getUser().get('admin')) {
+ this.lookupReference('adminField').setDisabled(false);
+ }
+ }, + onSaveClick: function(button) {
 var dialog = button.up('window').down('form');
 dialog.updateRecord(); |
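Review bot: The authorization branch in update() chooses which check to run solely from the admin flag carried in the request body; the stored record is never consulted, so the guard is sufficient only if PermissionsManager.checkUser (not visible in this hunk) already confines a non-admin caller to its own user id. A one-line comment would make the policy explicit for the next reader, e.g. `// Only an admin may save a record with the admin flag set; any other edit goes through the per-user check.` `getUserId(req)` is evaluated in both branches and could be hoisted into a local before the if. If User.getAdmin() returns a boxed Boolean rather than a primitive, a JSON body that omits the field would fail with a NullPointerException before either check runs — worth confirming against the User class.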
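Review bot: The disabled checkbox added in UserDialog.js, together with the init() in UserDialogController.js that re-enables it for admin users, is presentation only; the enforcement is the checkAdmin branch added to UserServlet.update in this same commit, and a comment on the field should say so before a later reader treats the UI state as the control, e.g. `// UX only: enabled for admins in UserDialogController.init; the server enforces admin rights on save.` It is also worth confirming whether a disabled field's value is included by form.updateRecord(), since that decides what the admin field carries in the record a non-admin user saves. The enclosing Ext.define blocks start and end outside both hunks.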