diff options
author | Anton Tananaev <anton@traccar.org> | 2024-06-09 07:02:05 -0700 |
---|---|---|
committer | Anton Tananaev <anton@traccar.org> | 2024-06-09 07:02:05 -0700 |
commit | 2147ecb2d9fe0fb49b3f03dc650bc363e72e3fd2 (patch) | |
tree | a983700dd72bf78be4f9258c76c098670cf2634e /src/main/java/org/traccar/api | |
parent | 03b9b90b50d82dcb41a79b95c26efcbd82a73fea (diff) | |
download | trackermap-server-2147ecb2d9fe0fb49b3f03dc650bc363e72e3fd2.tar.gz trackermap-server-2147ecb2d9fe0fb49b3f03dc650bc363e72e3fd2.tar.bz2 trackermap-server-2147ecb2d9fe0fb49b3f03dc650bc363e72e3fd2.zip |
Allow some readonly updates
Diffstat (limited to 'src/main/java/org/traccar/api')
3 files changed, 17 insertions, 8 deletions
diff --git a/src/main/java/org/traccar/api/BaseObjectResource.java b/src/main/java/org/traccar/api/BaseObjectResource.java index 2a801221b..3c97dd1f8 100644 --- a/src/main/java/org/traccar/api/BaseObjectResource.java +++ b/src/main/java/org/traccar/api/BaseObjectResource.java @@ -68,7 +68,7 @@ public abstract class BaseObjectResource<T extends BaseModel> extends BaseResour @POST public Response add(T entity) throws Exception { - permissionsService.checkEdit(getUserId(), entity, true); + permissionsService.checkEdit(getUserId(), entity, true, false); entity.setId(storage.addObject(entity, new Request(new Columns.Exclude("id")))); LogAction.create(getUserId(), entity); @@ -86,13 +86,16 @@ public abstract class BaseObjectResource<T extends BaseModel> extends BaseResour @Path("{id}") @PUT public Response update(T entity) throws Exception { - permissionsService.checkEdit(getUserId(), entity, false); permissionsService.checkPermission(baseClass, getUserId(), entity.getId()); + boolean skipReadonly = false; if (entity instanceof User) { + User after = (User) entity; User before = storage.getObject(User.class, new Request( new Columns.All(), new Condition.Equals("id", entity.getId()))); permissionsService.checkUserUpdate(getUserId(), before, (User) entity); + skipReadonly = permissionsService.getUser(getUserId()) + .compare(after, "notificationTokens", "termsAccepted"); } else if (entity instanceof Group) { Group group = (Group) entity; if (group.getId() == group.getGroupId()) { @@ -100,6 +103,8 @@ public abstract class BaseObjectResource<T extends BaseModel> extends BaseResour } } + permissionsService.checkEdit(getUserId(), entity, false, skipReadonly); + storage.updateObject(entity, new Request( new Columns.Exclude("id"), new Condition.Equals("id", entity.getId()))); @@ -120,8 +125,8 @@ public abstract class BaseObjectResource<T extends BaseModel> extends BaseResour @Path("{id}") @DELETE public Response remove(@PathParam("id") long id) throws Exception { - permissionsService.checkEdit(getUserId(), baseClass, false); permissionsService.checkPermission(baseClass, getUserId(), id); + permissionsService.checkEdit(getUserId(), baseClass, false, false); storage.removeObject(baseClass, new Request(new Condition.Equals("id", id))); cacheManager.invalidateObject(true, baseClass, id, ObjectOperation.DELETE); diff --git a/src/main/java/org/traccar/api/resource/DeviceResource.java b/src/main/java/org/traccar/api/resource/DeviceResource.java index 971c29c60..61d96669e 100644 --- a/src/main/java/org/traccar/api/resource/DeviceResource.java +++ b/src/main/java/org/traccar/api/resource/DeviceResource.java @@ -137,8 +137,8 @@ public class DeviceResource extends BaseObjectResource<Device> { @Path("{id}/accumulators") @PUT public Response updateAccumulators(DeviceAccumulators entity) throws Exception { - permissionsService.checkEdit(getUserId(), Device.class, false); permissionsService.checkPermission(Device.class, getUserId(), entity.getDeviceId()); + permissionsService.checkEdit(getUserId(), Device.class, false, false); Position position = storage.getObject(Position.class, new Request( new Columns.All(), new Condition.LatestPositions(entity.getDeviceId()))); diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java index d60bbafb8..d4a6fba1a 100644 --- a/src/main/java/org/traccar/api/security/PermissionsService.java +++ b/src/main/java/org/traccar/api/security/PermissionsService.java @@ -98,10 +98,12 @@ public class PermissionsService { } } - public void checkEdit(long userId, Class<?> clazz, boolean addition) throws StorageException, SecurityException { + public void checkEdit( + long userId, Class<?> clazz, boolean addition, boolean skipReadonly) + throws StorageException, SecurityException { if (!getUser(userId).getAdministrator()) { boolean denied = false; - if (getServer().getReadonly() || getUser(userId).getReadonly()) { + if (!skipReadonly && (getServer().getReadonly() || getUser(userId).getReadonly())) { denied = true; } else if (clazz.equals(Device.class)) { denied = getServer().getDeviceReadonly() || getUser(userId).getDeviceReadonly() @@ -121,9 +123,11 @@ public class PermissionsService { } } - public void checkEdit(long userId, BaseModel object, boolean addition) throws StorageException, SecurityException { + public void checkEdit( + long userId, BaseModel object, boolean addition, boolean skipReadonly) + throws StorageException, SecurityException { if (!getUser(userId).getAdministrator()) { - checkEdit(userId, object.getClass(), addition); + checkEdit(userId, object.getClass(), addition, skipReadonly); if (object instanceof GroupedModel) { GroupedModel after = ((GroupedModel) object); if (after.getGroupId() > 0) { |