authorAnton Tananaev <anton.tananaev@gmail.com>2015-12-20 14:40:15 +1300
committerAnton Tananaev <anton.tananaev@gmail.com>2015-12-20 14:40:15 +1300
commit3eff91673944f202e0aebe20faa925011568b685 (patch)
tree8b3db829d90ca73faa132463eff8661a7335936f
parent4d29679dec4508d28af7651cdfd130e5a218b387 (diff)
Check permissions for REST API calls
-rw-r--r--src/org/traccar/api/BaseResource.java14
-rw-r--r--src/org/traccar/api/ResourceErrorHandler.java16
-rw-r--r--src/org/traccar/api/resource/CommandResource.java2
-rw-r--r--src/org/traccar/api/resource/DeviceResource.java52
-rw-r--r--src/org/traccar/api/resource/PermissionResource.java25
-rw-r--r--src/org/traccar/api/resource/PositionResource.java13
-rw-r--r--src/org/traccar/api/resource/ServerResource.java20
-rw-r--r--src/org/traccar/api/resource/SessionResource.java35
-rw-r--r--src/org/traccar/api/resource/UserResource.java49
9 files changed, 105 insertions, 121 deletions
diff --git a/src/org/traccar/api/BaseResource.java b/src/org/traccar/api/BaseResource.java
index 5a05c6732..368df7166 100644
--- a/src/org/traccar/api/BaseResource.java
+++ b/src/org/traccar/api/BaseResource.java
@@ -15,5 +15,19 @@
*/
package org.traccar.api;
+import javax.ws.rs.core.SecurityContext;
+
public class BaseResource {
+
+ @javax.ws.rs.core.Context
+ private SecurityContext securityContext;
+
+ protected SecurityContext getSecurityContext() {
+ return securityContext;
+ }
+
+ protected long getUserId() {
+ return ((UserPrincipal) securityContext.getUserPrincipal()).getUserId();
+ }
+
}
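Review bot: `getUserId()` dereferences `securityContext.getUserPrincipal()` through an unchecked cast on the line `return ((UserPrincipal) securityContext.getUserPrincipal()).getUserId();`, so on a request with no authenticated principal (the `@PermitAll` endpoints in this commit can reach it, e.g. `UserResource.add`) it presumably ends in a NullPointerException or ClassCastException, which the rewritten `ResourceErrorHandler` then reports as a 400 with a stack trace instead of an authentication failure. A guard such as `if (!(securityContext.getUserPrincipal() instanceof UserPrincipal)) { throw new WebApplicationException(Response.Status.UNAUTHORIZED); }` before the cast keeps that a deliberate 401; it needs `javax.ws.rs.WebApplicationException` and `javax.ws.rs.core.Response` imported in this file. On style, `@javax.ws.rs.core.Context` is written fully qualified while `SecurityContext` from the same package is imported; if that is to avoid a clash with `org.traccar.Context`, a one-line comment saying so would save the next reader the question.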
diff --git a/src/org/traccar/api/ResourceErrorHandler.java b/src/org/traccar/api/ResourceErrorHandler.java
index e2f4dce10..be63aad09 100644
--- a/src/org/traccar/api/ResourceErrorHandler.java
+++ b/src/org/traccar/api/ResourceErrorHandler.java
@@ -23,21 +23,21 @@ import javax.ws.rs.ext.ExceptionMapper;
import java.util.HashMap;
import java.util.Map;
-public class ResourceErrorHandler implements ExceptionMapper<WebApplicationException> {
+public class ResourceErrorHandler implements ExceptionMapper<Exception> {
private static final String KEY_MESSAGE = "message";
private static final String KEY_DETAILS = "details";
@Override
- public Response toResponse(WebApplicationException e) {
+ public Response toResponse(Exception e) {
Map<String, String> error = new HashMap<>();
- Throwable cause = e.getCause();
- if (cause != null) {
- error.put(KEY_MESSAGE, cause.getMessage());
- error.put(KEY_DETAILS, Log.exceptionStack(cause));
- return Response.status(Response.Status.BAD_REQUEST).entity(error).build();
+ if (e instanceof WebApplicationException) {
+ WebApplicationException webApplicationException = (WebApplicationException) e;
+ return Response.status(webApplicationException.getResponse().getStatus()).entity(error).build();
} else {
- return Response.status(e.getResponse().getStatus()).entity(error).build();
+ error.put(KEY_MESSAGE, e.getMessage());
+ error.put(KEY_DETAILS, Log.exceptionStack(e));
+ return Response.status(Response.Status.BAD_REQUEST).entity(error).build();
}
}
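Review bot: The new `else` branch writes `Log.exceptionStack(e)` into the response body for every exception that is not a `WebApplicationException`, so stack traces and driver messages (SQLException text, class and method names) go back to any API client — including unauthenticated callers of the `@PermitAll` endpoints in ServerResource and SessionResource, which now declare `throws SQLException` and let such failures reach this mapper. An unexpected exception is a server fault rather than a client error, so `BAD_REQUEST` also misreports it. Keep the detail server-side: drop the `KEY_DETAILS` line, log the exception through the existing `Log` facility, and return `Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(error).build();` with only the message. Note as well that whatever `PermissionsManager.checkAdmin`/`checkUser`/`checkDevice` throw on denial (not visible here) lands in this branch unless it is a `WebApplicationException`, and is then reported as 400 rather than 403, while the `WebApplicationException` branch returns an empty map and discards `e.getMessage()`.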
diff --git a/src/org/traccar/api/resource/CommandResource.java b/src/org/traccar/api/resource/CommandResource.java
index fa0755143..3cd39d182 100644
--- a/src/org/traccar/api/resource/CommandResource.java
+++ b/src/org/traccar/api/resource/CommandResource.java
@@ -25,6 +25,7 @@ import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
+import javax.ws.rs.core.SecurityContext;
@Path("commands")
@Produces(MediaType.APPLICATION_JSON)
@@ -33,6 +34,7 @@ public class CommandResource extends BaseResource {
@POST
public Response add(Command entity) {
+ Context.getPermissionsManager().checkDevice(getUserId(), entity.getDeviceId());
Context.getConnectionManager().getActiveDevice(entity.getDeviceId()).sendCommand(entity);
return Response.ok(entity).build();
}
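Review bot: The `javax.ws.rs.core.SecurityContext` import added in the first hunk of this file is not used by anything in the visible change (`getUserId()` is inherited from `BaseResource`), so it looks like a leftover; remove it unless another part of the file needs it. The added `checkDevice` call is correctly placed before the command is dispatched. `getActiveDevice(entity.getDeviceId())` presumably returns null when the device has no live connection, and a NullPointerException there is now rendered by the error handler as a 400 carrying a stack trace; assigning it to a local and checking `if (activeDevice == null) { throw new WebApplicationException(Response.Status.NOT_FOUND); }` would make that case a deliberate response. The class body continues outside the hunk.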
diff --git a/src/org/traccar/api/resource/DeviceResource.java b/src/org/traccar/api/resource/DeviceResource.java
index 00b77e16c..a25201678 100644
--- a/src/org/traccar/api/resource/DeviceResource.java
+++ b/src/org/traccar/api/resource/DeviceResource.java
@@ -28,7 +28,7 @@ import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
-import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.traccar.model.Device;
@@ -39,45 +39,43 @@ import org.traccar.model.Device;
public class DeviceResource extends BaseResource {
@GET
- public Collection<Device> get() {
- try {
+ public Collection<Device> get(
+ @QueryParam("all") boolean all, @QueryParam("userId") long userId) throws SQLException {
+ if (all) {
+ Context.getPermissionsManager().checkAdmin(getUserId());
return Context.getDataManager().getAllDevices();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
+ } else {
+ if (userId == 0) {
+ userId = getUserId();
+ }
+ Context.getPermissionsManager().checkUser(getUserId(), userId);
+ return Context.getDataManager().getDevices(userId);
}
}
@POST
- public Response add(Device entity) {
- try {
- Context.getDataManager().addDevice(entity);
- return Response.ok(entity).build();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
- }
+ public Response add(Device entity) throws SQLException {
+ Context.getDataManager().addDevice(entity);
+ Context.getDataManager().linkDevice(getUserId(), entity.getId());
+ Context.getPermissionsManager().refresh();
+ return Response.ok(entity).build();
}
@Path("{id}")
@PUT
- public Response update(@PathParam("id") long id, Device entity) {
- try {
- entity.setId(id);
- Context.getDataManager().updateDevice(entity);
- return Response.ok(entity).build();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
- }
+ public Response update(@PathParam("id") long id, Device entity) throws SQLException {
+ Context.getPermissionsManager().checkDevice(getUserId(), id);
+ Context.getDataManager().updateDevice(entity);
+ return Response.ok(entity).build();
}
@Path("{id}")
@DELETE
- public Response remove(@PathParam("id") long id) {
- try {
- Context.getDataManager().removeDevice(id);
- return Response.noContent().build();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
- }
+ public Response remove(@PathParam("id") long id) throws SQLException {
+ Context.getPermissionsManager().checkDevice(getUserId(), id);
+ Context.getDataManager().removeDevice(id);
+ Context.getPermissionsManager().refresh();
+ return Response.noContent().build();
}
}
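Review bot: `update` no longer calls `entity.setId(id)` (the removed line), yet the permission check runs on the path `id` while `updateDevice(entity)` acts on whatever id the request body carries, so a caller permitted on device `id` can submit a body naming another device and update that one. Restore `entity.setId(id);` immediately before `Context.getDataManager().updateDevice(entity);` so the checked and the updated identifiers are the same; `UserResource.update` in this commit drops the same line and should be treated the same way. In `get`, the `all=true` path fails via `checkAdmin` before any data is read, which is the right order. The `userId == 0` fallback to the caller deserves a short comment, since 0 is also what an absent `@QueryParam("userId")` yields.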
diff --git a/src/org/traccar/api/resource/PermissionResource.java b/src/org/traccar/api/resource/PermissionResource.java
index 84be6be0e..50deb77c2 100644
--- a/src/org/traccar/api/resource/PermissionResource.java
+++ b/src/org/traccar/api/resource/PermissionResource.java
@@ -24,7 +24,6 @@ import javax.ws.rs.DELETE;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
-import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.sql.SQLException;
@@ -35,23 +34,19 @@ import java.sql.SQLException;
public class PermissionResource extends BaseResource {
@POST
- public Response add(Permission entity) {
- try {
- Context.getDataManager().linkDevice(entity.getUserId(), entity.getDeviceId());
- return Response.ok(entity).build();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
- }
+ public Response add(Permission entity) throws SQLException {
+ Context.getPermissionsManager().checkAdmin(getUserId());
+ Context.getDataManager().linkDevice(entity.getUserId(), entity.getDeviceId());
+ Context.getPermissionsManager().refresh();
+ return Response.ok(entity).build();
}
@DELETE
- public Response remove(Permission entity) {
- try {
- Context.getDataManager().unlinkDevice(entity.getUserId(), entity.getDeviceId());
- return Response.noContent().build();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
- }
+ public Response remove(Permission entity) throws SQLException {
+ Context.getPermissionsManager().checkAdmin(getUserId());
+ Context.getDataManager().unlinkDevice(entity.getUserId(), entity.getDeviceId());
+ Context.getPermissionsManager().refresh();
+ return Response.noContent().build();
}
}
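Review bot: Both `add` and `remove` are now admin-only, but nothing in the class states that contract; a Javadoc line on each, e.g. `/** Links a device to a user. Caller must be an admin (enforced via PermissionsManager.checkAdmin). */`, would document what the code enforces. The check → change → `refresh()` order is right; between `linkDevice`/`unlinkDevice` and `refresh()` the in-memory permissions are stale, and if the refresh throws the database and the cache disagree until the next successful refresh, which is worth a comment at the `refresh()` call.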
diff --git a/src/org/traccar/api/resource/PositionResource.java b/src/org/traccar/api/resource/PositionResource.java
index e2c405d96..ec6925b3a 100644
--- a/src/org/traccar/api/resource/PositionResource.java
+++ b/src/org/traccar/api/resource/PositionResource.java
@@ -25,7 +25,6 @@ import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
-import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import java.sql.SQLException;
import java.util.Collection;
@@ -37,13 +36,11 @@ public class PositionResource extends BaseResource {
@GET
public Collection<Position> get(
- @QueryParam("deviceId") long deviceId, @QueryParam("from") String from, @QueryParam("to") String to) {
- try {
- return Context.getDataManager().getPositions(
- deviceId, JsonConverter.parseDate(from), JsonConverter.parseDate(to));
- } catch (SQLException e) {
- throw new WebApplicationException(e);
- }
+ @QueryParam("deviceId") long deviceId, @QueryParam("from") String from, @QueryParam("to") String to)
+ throws SQLException {
+ Context.getPermissionsManager().checkDevice(getUserId(), deviceId);
+ return Context.getDataManager().getPositions(
+ deviceId, JsonConverter.parseDate(from), JsonConverter.parseDate(to));
}
}
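Review bot: `from` and `to` are handed straight to `JsonConverter.parseDate` with no presence check, so a request missing either parameter passes null to the parser, and whatever it throws now reaches the rewritten error handler as a 400 carrying a stack trace rather than a message naming the missing parameter. Validate first, e.g. `if (from == null || to == null) { throw new WebApplicationException(Response.Status.BAD_REQUEST); }`, which means re-adding the `javax.ws.rs.WebApplicationException` import removed in the first hunk plus `javax.ws.rs.core.Response`. The `checkDevice` call correctly precedes the query; with `deviceId` absent it is checked as 0, which presumably fails the check, so that case also deserves an explicit 400 rather than a fall-through into the permission denial.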
diff --git a/src/org/traccar/api/resource/ServerResource.java b/src/org/traccar/api/resource/ServerResource.java
index 36f7f14c3..54c04d21b 100644
--- a/src/org/traccar/api/resource/ServerResource.java
+++ b/src/org/traccar/api/resource/ServerResource.java
@@ -25,7 +25,6 @@ import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
-import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.sql.SQLException;
@@ -37,22 +36,15 @@ public class ServerResource extends BaseResource {
@PermitAll
@GET
- public Server get() {
- try {
- return Context.getDataManager().getServer();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
- }
+ public Server get() throws SQLException {
+ return Context.getDataManager().getServer();
}
@PUT
- public Response update(Server entity) {
- try {
- Context.getDataManager().updateServer(entity);
- return Response.ok(entity).build();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
- }
+ public Response update(Server entity) throws SQLException {
+ Context.getPermissionsManager().checkAdmin(getUserId());
+ Context.getDataManager().updateServer(entity);
+ return Response.ok(entity).build();
}
}
diff --git a/src/org/traccar/api/resource/SessionResource.java b/src/org/traccar/api/resource/SessionResource.java
index 554b6760e..745088a4d 100644
--- a/src/org/traccar/api/resource/SessionResource.java
+++ b/src/org/traccar/api/resource/SessionResource.java
@@ -45,32 +45,25 @@ public class SessionResource extends BaseResource {
@PermitAll
@GET
- public User get() {
- try {
- Long userId = (Long) request.getSession().getAttribute(USER_ID_KEY);
- if (userId != null) {
- return Context.getDataManager().getUser(userId);
- } else {
- throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build());
- }
- } catch (SQLException e) {
- throw new WebApplicationException(e);
+ public User get() throws SQLException {
+ Long userId = (Long) request.getSession().getAttribute(USER_ID_KEY);
+ if (userId != null) {
+ return Context.getDataManager().getUser(userId);
+ } else {
+ throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build());
}
}
@PermitAll
@POST
- public User add(@FormParam("email") String email, @FormParam("password") String password) {
- try {
- User user = Context.getDataManager().login(email, password);
- if (user != null) {
- request.getSession().setAttribute(USER_ID_KEY, user.getId());
- return user;
- } else {
- throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).build());
- }
- } catch (SQLException e) {
- throw new WebApplicationException(e);
+ public User add(
+ @FormParam("email") String email, @FormParam("password") String password) throws SQLException {
+ User user = Context.getDataManager().login(email, password);
+ if (user != null) {
+ request.getSession().setAttribute(USER_ID_KEY, user.getId());
+ return user;
+ } else {
+ throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).build());
}
}
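Review bot: In `add`, a successful login stores the user id into the session obtained by `request.getSession()` without rotating the session identifier, so a session id that existed before authentication keeps working afterwards — the session-fixation pattern. Before `request.getSession().setAttribute(USER_ID_KEY, user.getId());` rotate it: `request.changeSessionId();` on Servlet 3.1+, or `request.getSession().invalidate();` followed by `request.getSession(true)` otherwise (the type of `request` and the servlet version are not visible in this hunk). `get` still constructs a `WebApplicationException` for the not-found case, so the import this commit removes from the other resources stays needed here. The enclosing class continues past the hunk.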
diff --git a/src/org/traccar/api/resource/UserResource.java b/src/org/traccar/api/resource/UserResource.java
index ac81ba865..bf4cb85c3 100644
--- a/src/org/traccar/api/resource/UserResource.java
+++ b/src/org/traccar/api/resource/UserResource.java
@@ -26,7 +26,6 @@ import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
-import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@@ -40,46 +39,40 @@ import org.traccar.model.User;
public class UserResource extends BaseResource {
@GET
- public Collection<User> get() {
- try {
- return Context.getDataManager().getUsers();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
- }
+ public Collection<User> get() throws SQLException {
+ Context.getPermissionsManager().checkAdmin(getUserId());
+ return Context.getDataManager().getUsers();
}
@PermitAll
@POST
- public Response add(User entity) {
- try {
- Context.getDataManager().addUser(entity);
- return Response.ok(entity).build();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
- }
+ public Response add(User entity) throws SQLException {
+ Context.getPermissionsManager().checkUser(getUserId(), entity.getId());
+ Context.getDataManager().addUser(entity);
+ Context.getPermissionsManager().refresh();
+ return Response.ok(entity).build();
}
@Path("{id}")
@PUT
- public Response update(@PathParam("id") long id, User entity) {
- try {
- entity.setId(id);
- Context.getDataManager().updateUser(entity);
- return Response.ok(entity).build();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
+ public Response update(@PathParam("id") long id, User entity) throws SQLException {
+ if (entity.getAdmin()) {
+ Context.getPermissionsManager().checkAdmin(getUserId());
+ } else {
+ Context.getPermissionsManager().checkUser(getUserId(), entity.getId());
}
+ Context.getDataManager().updateUser(entity);
+ Context.getPermissionsManager().refresh();
+ return Response.ok(entity).build();
}
@Path("{id}")
@DELETE
- public Response remove(@PathParam("id") long id) {
- try {
- Context.getDataManager().removeUser(id);
- return Response.noContent().build();
- } catch (SQLException e) {
- throw new WebApplicationException(e);
- }
+ public Response remove(@PathParam("id") long id) throws SQLException {
+ Context.getPermissionsManager().checkUser(getUserId(), id);
+ Context.getDataManager().removeUser(id);
+ Context.getPermissionsManager().refresh();
+ return Response.noContent().build();
}
}
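Review bot: `add` is `@PermitAll` but now calls `getUserId()`, which in `BaseResource` casts `securityContext.getUserPrincipal()` without a null check, so an unauthenticated registration request would presumably fail with a NullPointerException rather than a defined response; and `checkUser(getUserId(), entity.getId())` is evaluated against the id the client put in the body before `addUser` has assigned one. Decide which contract is intended — open self-registration (drop the check and the `getUserId()` call, and reject bodies that set `admin`) or authenticated-only creation (drop `@PermitAll`) — and state it in a Javadoc on the method. In `update`, the `if (entity.getAdmin())` branch correctly routes any attempt to grant admin through `checkAdmin`; a one-line comment there, `// granting admin requires an admin caller; self-edits go through checkUser`, would make the split obvious.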