diff options
author | Iván Ávalos <avalos@disroot.org> | 2024-08-03 20:52:00 -0600 |
---|---|---|
committer | Iván Ávalos <avalos@disroot.org> | 2024-08-03 20:52:00 -0600 |
commit | 55f6d92c09a5b1d8566b53633d07be3d31010d3b (patch) | |
tree | b86bed801b0bbadb72c7e839296dae1d28b12bbb /src/main/java/org/traccar/api/BaseObjectResource.java | |
parent | c04ad7d48331253c095fc123ded1b00f6ff871d3 (diff) | |
parent | 2788174193def918a3a1a5be3bbed24c9613323f (diff) | |
download | trackermap-server-55f6d92c09a5b1d8566b53633d07be3d31010d3b.tar.gz trackermap-server-55f6d92c09a5b1d8566b53633d07be3d31010d3b.tar.bz2 trackermap-server-55f6d92c09a5b1d8566b53633d07be3d31010d3b.zip |
Merge tag 'tags/v6.3'
Diffstat (limited to 'src/main/java/org/traccar/api/BaseObjectResource.java')
-rw-r--r-- | src/main/java/org/traccar/api/BaseObjectResource.java | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/src/main/java/org/traccar/api/BaseObjectResource.java b/src/main/java/org/traccar/api/BaseObjectResource.java index 2a801221b..e35850e1f 100644 --- a/src/main/java/org/traccar/api/BaseObjectResource.java +++ b/src/main/java/org/traccar/api/BaseObjectResource.java @@ -68,7 +68,7 @@ public abstract class BaseObjectResource<T extends BaseModel> extends BaseResour @POST public Response add(T entity) throws Exception { - permissionsService.checkEdit(getUserId(), entity, true); + permissionsService.checkEdit(getUserId(), entity, true, false); entity.setId(storage.addObject(entity, new Request(new Columns.Exclude("id")))); LogAction.create(getUserId(), entity); @@ -86,25 +86,27 @@ public abstract class BaseObjectResource<T extends BaseModel> extends BaseResour @Path("{id}") @PUT public Response update(T entity) throws Exception { - permissionsService.checkEdit(getUserId(), entity, false); permissionsService.checkPermission(baseClass, getUserId(), entity.getId()); - if (entity instanceof User) { + boolean skipReadonly = false; + if (entity instanceof User after) { User before = storage.getObject(User.class, new Request( new Columns.All(), new Condition.Equals("id", entity.getId()))); permissionsService.checkUserUpdate(getUserId(), before, (User) entity); - } else if (entity instanceof Group) { - Group group = (Group) entity; + skipReadonly = permissionsService.getUser(getUserId()) + .compare(after, "notificationTokens", "termsAccepted"); + } else if (entity instanceof Group group) { if (group.getId() == group.getGroupId()) { throw new IllegalArgumentException("Cycle in group hierarchy"); } } + permissionsService.checkEdit(getUserId(), entity, false, skipReadonly); + storage.updateObject(entity, new Request( new Columns.Exclude("id"), new Condition.Equals("id", entity.getId()))); - if (entity instanceof User) { - User user = (User) entity; + if (entity instanceof User user) { if (user.getHashedPassword() != null) { storage.updateObject(entity, new Request( new Columns.Include("hashedPassword", "salt"), @@ -120,8 +122,8 @@ public abstract class BaseObjectResource<T extends BaseModel> extends BaseResour @Path("{id}") @DELETE public Response remove(@PathParam("id") long id) throws Exception { - permissionsService.checkEdit(getUserId(), baseClass, false); permissionsService.checkPermission(baseClass, getUserId(), id); + permissionsService.checkEdit(getUserId(), baseClass, false, false); storage.removeObject(baseClass, new Request(new Condition.Equals("id", id))); cacheManager.invalidateObject(true, baseClass, id, ObjectOperation.DELETE); |