author | Anton Tananaev <anton@traccar.org> | 2022-04-09 19:51:37 -0700 |
committer | Anton Tananaev <anton@traccar.org> | 2022-04-09 19:51:37 -0700 |
commit | 5fe089626bd367241d3424a0b71dee87805673ca (patch) | |
tree | bd2c5e434b8f6d68c5f2c5dac72933bb1f8f78e9 | |
parent | dd8fa719d7726489e76944029d2aed214ba8a904 (diff) | |
Fix nested permission check
-rw-r--r-- | src/main/java/org/traccar/api/security/PermissionsService.java | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java
index e39b8808f..c640f8d74 100644
--- a/src/main/java/org/traccar/api/security/PermissionsService.java
+++ b/src/main/java/org/traccar/api/security/PermissionsService.java
@@ -15,6 +15,7 @@
  */
 package org.traccar.api.security;
 
+import org.traccar.model.BaseModel;
 import org.traccar.model.Calendar;
 import org.traccar.model.Command;
 import org.traccar.model.Device;
@@ -99,8 +100,7 @@ public class PermissionsService {
         if (object instanceof GroupedModel) {
             long groupId = ((GroupedModel) object).getGroupId();
             if (groupId > 0) {
-                denied = storage.getPermissions(User.class, userId, Group.class, groupId).isEmpty();
-                // TODO TEST NESTED GROUP PERMISSION
+                checkPermission(Group.class, userId, groupId);
             }
         }
         if (object instanceof ScheduledModel) {
@@ -124,12 +124,22 @@ public class PermissionsService {
         }
     }
 
-    public void checkPermission(
-            Class<?> clazz, long userId, long objectId) throws StorageException, SecurityException {
-        if (!getUser(userId).getAdministrator()
-                && storage.getPermissions(User.class, userId, clazz, objectId).isEmpty()) {
-            // TODO handle nested objects
-            throw new SecurityException(clazz.getSimpleName() + " access denied");
+    public <T extends BaseModel> void checkPermission(
+            Class<T> clazz, long userId, long objectId) throws StorageException, SecurityException {
+        if (!getUser(userId).getAdministrator()) {
+            var objects = storage.getObjects(clazz, new Request(
+                    new Columns.Include("id"),
+                    new Condition.Permission(User.class, userId, clazz)));
+            boolean found = false;
+            for (var object : objects) {
+                if (object.getId() == objectId) {
+                    found = true;
+                    break;
+                }
+            }
+            if (!found) {
+                throw new SecurityException(clazz.getSimpleName() + " access denied");
+            }
         }
     }
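Review bot: In the rewritten checkPermission (third hunk) the authorization decision is made by fetching the id of every object of `clazz` the user is permitted to see and scanning that list for `objectId`, so the cost of one access check now scales with the size of the user's permission set and the whole id list crosses the storage boundary on every call. If the query layer in this tree lets the Permission condition be combined with an equality condition on the id column (the storage package has Condition.And and Condition.Equals; confirm their constructor shapes here), the match can be pushed into the query so at most one row comes back and the check becomes `if (objects.isEmpty())`. Short of that, the hand-rolled flag-and-break loop reads more directly as `boolean found = objects.stream().anyMatch(o -> o.getId() == objectId);`. The method also now requires `T extends BaseModel` where it previously accepted any `Class<?>`; that is what makes `getId()` available, but any caller passing a non-model class outside these hunks would no longer compile.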