Fix nested permission check

author: Anton Tananaev <anton@traccar.org> 2022-04-09 19:51:37 -0700
committer: Anton Tananaev <anton@traccar.org> 2022-04-09 19:51:37 -0700
commit: 5fe089626bd367241d3424a0b71dee87805673ca (patch)
tree: bd2c5e434b8f6d68c5f2c5dac72933bb1f8f78e9 /src/main/java/org/traccar
parent: dd8fa719d7726489e76944029d2aed214ba8a904 (diff)
download: trackermap-server-5fe089626bd367241d3424a0b71dee87805673ca.tar.gz
trackermap-server-5fe089626bd367241d3424a0b71dee87805673ca.tar.bz2
trackermap-server-5fe089626bd367241d3424a0b71dee87805673ca.zip
1 files changed, 18 insertions, 8 deletions
diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java
index e39b8808f..c640f8d74 100644
--- a/src/main/java/org/traccar/api/security/PermissionsService.java
+++ b/src/main/java/org/traccar/api/security/PermissionsService.java
@@ -15,6 +15,7 @@
  */
 package org.traccar.api.security;
 
+import org.traccar.model.BaseModel;
 import org.traccar.model.Calendar;
 import org.traccar.model.Command;
 import org.traccar.model.Device;
@@ -99,8 +100,7 @@ public class PermissionsService {
             if (object instanceof GroupedModel) {
                 long groupId = ((GroupedModel) object).getGroupId();
                 if (groupId > 0) {
-                    denied = storage.getPermissions(User.class, userId, Group.class, groupId).isEmpty();
-                    // TODO TEST NESTED GROUP PERMISSION
+                    checkPermission(Group.class, userId, groupId);
                 }
             }
             if (object instanceof ScheduledModel) {
@@ -124,12 +124,22 @@ public class PermissionsService {
         }
     }
 
-    public void checkPermission(
-            Class<?> clazz, long userId, long objectId) throws StorageException, SecurityException {
-        if (!getUser(userId).getAdministrator()
-                && storage.getPermissions(User.class, userId, clazz, objectId).isEmpty()) {
-            // TODO handle nested objects
-            throw new SecurityException(clazz.getSimpleName() + " access denied");
+    public <T extends BaseModel> void checkPermission(
+            Class<T> clazz, long userId, long objectId) throws StorageException, SecurityException {
+        if (!getUser(userId).getAdministrator()) {
+            var objects = storage.getObjects(clazz, new Request(
+                    new Columns.Include("id"),
+                    new Condition.Permission(User.class, userId, clazz)));
+            boolean found = false;
+            for (var object : objects) {
+                if (object.getId() == objectId) {
+                    found = true;
+                    break;
+                }
+            }
+            if (!found) {
+                throw new SecurityException(clazz.getSimpleName() + " access denied");
+            }
         }
     }
author	Anton Tananaev <anton@traccar.org>	2022-04-09 19:51:37 -0700
committer	Anton Tananaev <anton@traccar.org>	2022-04-09 19:51:37 -0700
commit	5fe089626bd367241d3424a0b71dee87805673ca (patch)
tree	bd2c5e434b8f6d68c5f2c5dac72933bb1f8f78e9 /src/main/java/org/traccar
parent	dd8fa719d7726489e76944029d2aed214ba8a904 (diff)
download	trackermap-server-5fe089626bd367241d3424a0b71dee87805673ca.tar.gz trackermap-server-5fe089626bd367241d3424a0b71dee87805673ca.tar.bz2 trackermap-server-5fe089626bd367241d3424a0b71dee87805673ca.zip