aboutsummaryrefslogtreecommitdiff
path: root/src/main
diff options
context:
space:
mode:
authorAnton Tananaev <anton@traccar.org>2022-04-09 19:51:37 -0700
committerAnton Tananaev <anton@traccar.org>2022-04-09 19:51:37 -0700
commit5fe089626bd367241d3424a0b71dee87805673ca (patch)
treebd2c5e434b8f6d68c5f2c5dac72933bb1f8f78e9 /src/main
parentdd8fa719d7726489e76944029d2aed214ba8a904 (diff)
downloadtrackermap-server-5fe089626bd367241d3424a0b71dee87805673ca.tar.gz
trackermap-server-5fe089626bd367241d3424a0b71dee87805673ca.tar.bz2
trackermap-server-5fe089626bd367241d3424a0b71dee87805673ca.zip
Fix nested permission check
Diffstat (limited to 'src/main')
-rw-r--r--src/main/java/org/traccar/api/security/PermissionsService.java26
1 files changed, 18 insertions, 8 deletions
diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java
index e39b8808f..c640f8d74 100644
--- a/src/main/java/org/traccar/api/security/PermissionsService.java
+++ b/src/main/java/org/traccar/api/security/PermissionsService.java
@@ -15,6 +15,7 @@
*/
package org.traccar.api.security;
+import org.traccar.model.BaseModel;
import org.traccar.model.Calendar;
import org.traccar.model.Command;
import org.traccar.model.Device;
@@ -99,8 +100,7 @@ public class PermissionsService {
if (object instanceof GroupedModel) {
long groupId = ((GroupedModel) object).getGroupId();
if (groupId > 0) {
- denied = storage.getPermissions(User.class, userId, Group.class, groupId).isEmpty();
- // TODO TEST NESTED GROUP PERMISSION
+ checkPermission(Group.class, userId, groupId);
}
}
if (object instanceof ScheduledModel) {
@@ -124,12 +124,22 @@ public class PermissionsService {
}
}
- public void checkPermission(
- Class<?> clazz, long userId, long objectId) throws StorageException, SecurityException {
- if (!getUser(userId).getAdministrator()
- && storage.getPermissions(User.class, userId, clazz, objectId).isEmpty()) {
- // TODO handle nested objects
- throw new SecurityException(clazz.getSimpleName() + " access denied");
+ public <T extends BaseModel> void checkPermission(
+ Class<T> clazz, long userId, long objectId) throws StorageException, SecurityException {
+ if (!getUser(userId).getAdministrator()) {
+ var objects = storage.getObjects(clazz, new Request(
+ new Columns.Include("id"),
+ new Condition.Permission(User.class, userId, clazz)));
+ boolean found = false;
+ for (var object : objects) {
+ if (object.getId() == objectId) {
+ found = true;
+ break;
+ }
+ }
+ if (!found) {
+ throw new SecurityException(clazz.getSimpleName() + " access denied");
+ }
}
}