diff options
| author | Anton Tananaev <anton.tananaev@gmail.com> | 2016-11-23 02:28:11 +1300 |
|---|---|---|
| committer | Anton Tananaev <anton.tananaev@gmail.com> | 2016-11-23 10:29:03 +1300 |
| commit | 18305737a6dac8fb45037f193736b0261f92ab9d (patch) | |
| tree | ef51f18af2af991f05b639a2d41a164c9a04a50d /src/org/traccar/api/resource | |
| parent | cd121c173f7c3ef0a815583eccec1232968894b9 (diff) | |
| download | trackermap-server-18305737a6dac8fb45037f193736b0261f92ab9d.tar.gz trackermap-server-18305737a6dac8fb45037f193736b0261f92ab9d.tar.bz2 trackermap-server-18305737a6dac8fb45037f193736b0261f92ab9d.zip | |
New user security check (fix #2589)
Diffstat (limited to 'src/org/traccar/api/resource')
| -rw-r--r-- | src/org/traccar/api/resource/SessionResource.java | 2 | ||||
| -rw-r--r-- | src/org/traccar/api/resource/UserResource.java | 17 |
2 files changed, 5 insertions, 14 deletions
diff --git a/src/org/traccar/api/resource/SessionResource.java b/src/org/traccar/api/resource/SessionResource.java index 996865c4b..5f1c597d1 100644 --- a/src/org/traccar/api/resource/SessionResource.java +++ b/src/org/traccar/api/resource/SessionResource.java @@ -80,7 +80,7 @@ public class SessionResource extends BaseResource { } if (userId != null) { - Context.getPermissionsManager().checkUser(userId); + Context.getPermissionsManager().checkUserEnabled(userId); return Context.getPermissionsManager().getUser(userId); } else { throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build()); diff --git a/src/org/traccar/api/resource/UserResource.java b/src/org/traccar/api/resource/UserResource.java index a9edced25..ddbca6b0f 100644 --- a/src/org/traccar/api/resource/UserResource.java +++ b/src/org/traccar/api/resource/UserResource.java @@ -49,6 +49,7 @@ public class UserResource extends BaseResource { public Response add(User entity) throws SQLException { if (!Context.getPermissionsManager().isAdmin(getUserId())) { Context.getPermissionsManager().checkRegistration(getUserId()); + Context.getPermissionsManager().checkUserUpdate(getUserId(), new User(), entity); } Context.getPermissionsManager().addUser(entity); if (Context.getNotificationManager() != null) { @@ -60,19 +61,9 @@ public class UserResource extends BaseResource { @Path("{id}") @PUT public Response update(User entity) throws SQLException { - User old = Context.getPermissionsManager().getUser(entity.getId()); - if (old.getExpirationTime() == null && entity.getExpirationTime() != null - || old.getExpirationTime() != null && !old.getExpirationTime().equals(entity.getExpirationTime()) - || old.getAdmin() != entity.getAdmin() - || old.getReadonly() != entity.getReadonly() - || old.getDisabled() != entity.getDisabled() - || old.getDeviceLimit() != entity.getDeviceLimit() - || old.getToken() == null && entity.getToken() != null - || old.getToken() != null && !old.getToken().equals(entity.getToken())) { - Context.getPermissionsManager().checkAdmin(getUserId()); - } else { - Context.getPermissionsManager().checkUser(getUserId(), entity.getId()); - } + User before = Context.getPermissionsManager().getUser(entity.getId()); + Context.getPermissionsManager().checkUser(getUserId(), entity.getId()); + Context.getPermissionsManager().checkUserUpdate(getUserId(), before, entity); Context.getPermissionsManager().updateUser(entity); if (Context.getNotificationManager() != null) { Context.getNotificationManager().refresh(); |