authorAnton Tananaev <anton.tananaev@gmail.com>2015-06-13 17:36:31 +1200
committerAnton Tananaev <anton.tananaev@gmail.com>2015-06-13 17:36:31 +1200
commitfc75fe4ab4f8ea9de58c41772fdd92c10c73f2bc (patch)
tree9418ef08d1b5d8858922b90e4c0b9e2f1747b2ee /src/org/traccar/database/PermissionsManager.java
parentbd4c32abced2bb654b64a2042668340167d6b191 (diff)
Fix API access permissions
Diffstat (limited to 'src/org/traccar/database/PermissionsManager.java')
-rw-r--r--src/org/traccar/database/PermissionsManager.java27
1 files changed, 20 insertions, 7 deletions
diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java
index e889afb06..f34fecb08 100644
--- a/src/org/traccar/database/PermissionsManager.java
+++ b/src/org/traccar/database/PermissionsManager.java
@@ -24,9 +24,12 @@ import java.util.Set;
import org.traccar.Context;
import org.traccar.helper.Log;
import org.traccar.model.Permission;
+import org.traccar.model.User;
public class PermissionsManager {
+ private final Map<Long, User> users = new HashMap<Long, User>();
+
private final Map<Long, Set<Long>> permissions = new HashMap<Long, Set<Long>>();
private Set<Long> getNotNull(long userId) {
@@ -41,8 +44,12 @@ public class PermissionsManager {
}
public final void refresh() {
+ users.clear();
permissions.clear();
try {
+ for (User user : Context.getDataManager().getUsers()) {
+ users.put(user.getId(), user);
+ }
for (Permission permission : Context.getDataManager().getPermissions()) {
getNotNull(permission.getUserId()).add(permission.getDeviceId());
}
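Review bot: `refresh()` now calls `users.clear()` before reloading, and `checkAdmin` reads the same plain `HashMap` with no synchronization visible in this diff. If a refresh can run while API requests are being authorized (the callers are not shown here), a reader may see an empty or partly filled map, and `HashMap` is not safe under concurrent modification. In addition, if `getUsers()` throws, the permissions loop is skipped and both maps appear to stay empty until the next refresh. Consider loading into local maps and publishing them only after both queries succeed, or guarding `refresh`, `checkAdmin` and `checkDevice` with one lock. The `try` block opened in this hunk closes outside it.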
@@ -51,19 +58,25 @@ public class PermissionsManager {
}
}
+ public void checkAdmin(long userId) throws SecurityException {
+ if (!users.containsKey(userId) || !users.get(userId).getAdmin()) {
+ throw new SecurityException("Admin access required");
+ }
+ }
+
+ public void checkUser(long userId, long otherUserId) throws SecurityException {
+ if (userId != otherUserId) {
+ checkAdmin(userId);
+ }
+ }
+
public Collection<Long> allowedDevices(long userId) {
return getNotNull(userId);
}
public void checkDevice(long userId, long deviceId) throws SecurityException {
if (getNotNull(userId).contains(deviceId)) {
- throw new SecurityException();
- }
- }
-
- public void checkDevices(long userId, Collection<Long> devices) throws SecurityException {
- if (getNotNull(userId).containsAll(devices)) {
- throw new SecurityException();
+ throw new SecurityException("Device access denied");
}
}
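Review bot: `checkDevice` still throws when the caller's permission set contains the device, because the unchanged condition `if (getNotNull(userId).contains(deviceId))` looks inverted and this commit only adds a message to the exception. As written, a user who has been granted the device is rejected while a user with no grant passes the check. The condition should be negated: `if (!getNotNull(userId).contains(deviceId)) {`. A test asserting both the allowed and the denied case would keep this from regressing.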