authorAnton Tananaev <anton.tananaev@gmail.com>2015-06-27 10:50:40 +1200
committerAnton Tananaev <anton.tananaev@gmail.com>2015-06-27 10:50:40 +1200
commit136be53a084b84a0a764d0d326146fca241733f4 (patch)
treed8f4756ecbd1376a51d40bee085e595f6c64d8b3
parentdeea5b703fd83e699d62600d93b3e28ac71188a1 (diff)
Fix user security issue
-rw-r--r--src/org/traccar/http/UserServlet.java6
-rw-r--r--web/app/view/user/UserDialog.js4
-rw-r--r--web/app/view/user/UserDialogController.js6
3 files changed, 14 insertions, 2 deletions
diff --git a/src/org/traccar/http/UserServlet.java b/src/org/traccar/http/UserServlet.java
index f388326b0..19a70ac93 100644
--- a/src/org/traccar/http/UserServlet.java
+++ b/src/org/traccar/http/UserServlet.java
@@ -53,7 +53,11 @@ public class UserServlet extends BaseServlet {
private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
User user = JsonConverter.objectFromJson(req.getReader(), new User());
- Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ if (user.getAdmin()) {
+ Context.getPermissionsManager().checkAdmin(getUserId(req));
+ } else {
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ }
Context.getDataManager().updateUser(user);
sendResponse(resp.getWriter(), true);
}
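Review bot: The branch at `if (user.getAdmin())` chooses the authorization check from the admin flag in the request body, not from the stored record, so the outcome depends on client-supplied data; that is only sound if `checkUser` restricts a non-admin caller to their own id, which this hunk does not show. A comment stating that dependency would stop a later change to `checkUser` from silently reopening the issue: `// admin flag is client-supplied: setting it requires an admin caller; otherwise checkUser must limit the update to the caller's own record`. Since the whole `User` is built from the JSON body on the line above, any other privileged attribute the model carries would be equally client-controlled and is not covered by this check — worth confirming against the `User` class, which is outside this hunk.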
diff --git a/web/app/view/user/UserDialog.js b/web/app/view/user/UserDialog.js
index 7b6dc4199..fba182eb1 100644
--- a/web/app/view/user/UserDialog.js
+++ b/web/app/view/user/UserDialog.js
@@ -50,7 +50,9 @@ Ext.define('Traccar.view.user.UserDialog', {
xtype: 'checkboxfield',
name: 'admin',
fieldLabel: strings.login_admin,
- allowBlank: false
+ allowBlank: false,
+ disabled: true,
+ reference: 'adminField'
}]
},
diff --git a/web/app/view/user/UserDialogController.js b/web/app/view/user/UserDialogController.js
index 1ec14c5e8..c5464225c 100644
--- a/web/app/view/user/UserDialogController.js
+++ b/web/app/view/user/UserDialogController.js
@@ -18,6 +18,12 @@ Ext.define('Traccar.view.user.UserDialogController', {
extend: 'Ext.app.ViewController',
alias: 'controller.userdialog',
+ init: function() {
+ if (Traccar.getApplication().getUser().get('admin')) {
+ this.lookupReference('adminField').setDisabled(false);
+ }
+ },
+
onSaveClick: function(button) {
var dialog = button.up('window').down('form');
dialog.updateRecord();
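Review bot: `init` enables the admin checkbox purely from the client-side user model, which is a display concern; the enforcing control is the `checkAdmin` call in `UserServlet.update`, and a one-line comment would make that explicit: `// UX only: the server re-checks admin rights in UserServlet.update`. It also seems possible that `lookupReference('adminField')` returns null if the view's items are not yet created when `init` runs, in which case `setDisabled` would throw; a guard avoids that: `var field = this.lookupReference('adminField'); if (field) { field.setDisabled(false); }`. The `Ext.define` block this method belongs to continues past the end of the hunk.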