author | Anton Tananaev <anton.tananaev@gmail.com> | 2015-06-13 17:36:31 +1200 |
---|---|---|
committer | Anton Tananaev <anton.tananaev@gmail.com> | 2015-06-13 17:36:31 +1200 |
commit | fc75fe4ab4f8ea9de58c41772fdd92c10c73f2bc (patch) | |
tree | 9418ef08d1b5d8858922b90e4c0b9e2f1747b2ee /src/org/traccar/database | |
parent | bd4c32abced2bb654b64a2042668340167d6b191 (diff) | |
Fix API access permissions
Diffstat (limited to 'src/org/traccar/database')
-rw-r--r-- | src/org/traccar/database/DataManager.java | 7 | ||||
-rw-r--r-- | src/org/traccar/database/PermissionsManager.java | 27 |
2 files changed, 26 insertions, 8 deletions
diff --git a/src/org/traccar/database/DataManager.java b/src/org/traccar/database/DataManager.java
index dd611d975..bab785a96 100644
--- a/src/org/traccar/database/DataManager.java
+++ b/src/org/traccar/database/DataManager.java
@@ -50,7 +50,7 @@ public class DataManager {
 private final Properties properties;
 private DataSource dataSource;
-
+
 private final Map<String, Device> devices = new HashMap<String, Device>();
 private long devicesLastUpdate;
 private long devicesRefreshDelay;
@@ -231,6 +231,7 @@ public class DataManager {
 user.setId(QueryBuilder.create(dataSource, properties.getProperty("database.insertUser"))
 .setObject(user)
 .executeUpdate());
+ Context.getPermissionsManager().refresh();
 }
 public void updateUser(User user) throws SQLException {
@@ -243,12 +244,15 @@ public class DataManager {
 .setObject(user)
 .executeUpdate();
 }
+
+ Context.getPermissionsManager().refresh();
 }
 public void removeUser(User user) throws SQLException {
 QueryBuilder.create(dataSource, properties.getProperty("database.deleteUser"))
 .setObject(user)
 .executeUpdate();
+ Context.getPermissionsManager().refresh();
 }
 public Collection<Permission> getPermissions() throws SQLException {
@@ -290,6 +294,7 @@ public class DataManager {
 .setLong("userId", userId)
 .setLong("deviceId", deviceId)
 .executeUpdate();
+ Context.getPermissionsManager().refresh();
 }
 public Collection<Position> getPositions(long userId, long deviceId, Date from, Date to) throws SQLException {
diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java
index e889afb06..f34fecb08 100644
--- a/src/org/traccar/database/PermissionsManager.java
+++ b/src/org/traccar/database/PermissionsManager.java
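Review bot: The new `Context.getPermissionsManager().refresh();` calls dereference a static singleton with no guard, and they run after the row has already been written, so if any of these writers can execute before the permissions manager is registered in `Context` (startup ordering is not visible in this diff), the database change commits and the caller then gets a NullPointerException. The same line is added in the hunks for `updateUser`, `removeUser` and the userId/deviceId insert at -290. Either document the required initialisation order on these methods, e.g. `// Requires Context's PermissionsManager to be initialised; reloads the whole permission cache`, or fetch the manager into a local and skip the reload while it is still null. The bodies of the first and last affected methods start outside their hunks.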
@@ -24,9 +24,12 @@ import java.util.Set;
 import org.traccar.Context;
 import org.traccar.helper.Log;
 import org.traccar.model.Permission;
+import org.traccar.model.User;
 public class PermissionsManager {
+ private final Map<Long, User> users = new HashMap<Long, User>();
+
 private final Map<Long, Set<Long>> permissions = new HashMap<Long, Set<Long>>();
 private Set<Long> getNotNull(long userId) {
@@ -41,8 +44,12 @@ public class PermissionsManager {
 }
 public final void refresh() {
+ users.clear();
 permissions.clear();
 try {
+ for (User user : Context.getDataManager().getUsers()) {
+ users.put(user.getId(), user);
+ }
 for (Permission permission : Context.getDataManager().getPermissions()) {
 getNotNull(permission.getUserId()).add(permission.getDeviceId());
 }
@@ -51,19 +58,25 @@ public class PermissionsManager {
 }
 }
+ public void checkAdmin(long userId) throws SecurityException {
+ if (!users.containsKey(userId) || !users.get(userId).getAdmin()) {
+ throw new SecurityException("Admin access required");
+ }
+ }
+
+ public void checkUser(long userId, long otherUserId) throws SecurityException {
+ if (userId != otherUserId) {
+ checkAdmin(userId);
+ }
+ }
+
 public Collection<Long> allowedDevices(long userId) {
 return getNotNull(userId);
 }
 public void checkDevice(long userId, long deviceId) throws SecurityException {
 if (getNotNull(userId).contains(deviceId)) {
- throw new SecurityException();
- }
- }
-
- public void checkDevices(long userId, Collection<Long> devices) throws SecurityException {
- if (getNotNull(userId).containsAll(devices)) {
- throw new SecurityException();
+ throw new SecurityException("Device access denied");
 }
 }
 |
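Review bot: `refresh()` clears and refills two plain `HashMap`s with no synchronization, and after this commit it is also called from the user and permission writers in DataManager, so a concurrent `checkAdmin`, `checkDevice` or `allowedDevices` call can read an empty or half-filled cache. Because `refresh()` declares no checked exception, a failed load is handled inside it and leaves both maps empty until the next refresh. Loading into locals first and replacing the contents under a lock that the check methods also take closes that window. Doing so keeps the previous snapshot when the load fails, which is stale rather than empty, so that trade-off should be decided explicitly. The catch block and the body of `getNotNull` are outside the hunk.

```java
public final void refresh() {
    try {
        // Load first so readers never see a cleared cache while the queries run.
        // Declared return type of getUsers() is not visible in this diff; Collection<User> assumed.
        Collection<User> loadedUsers = Context.getDataManager().getUsers();
        Collection<Permission> loadedPermissions = Context.getDataManager().getPermissions();
        synchronized (this) {
            users.clear();
            permissions.clear();
            for (User user : loadedUsers) {
                users.put(user.getId(), user);
            }
            for (Permission permission : loadedPermissions) {
                getNotNull(permission.getUserId()).add(permission.getDeviceId());
            }
        }
    // … unchanged: catch block …
```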
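Review bot: The guard in `checkDevice` is still inverted on the new side: it throws "Device access denied" when the user's set contains the device and returns normally when it does not, so permitted devices are refused and unpermitted ones pass. This commit only changes the exception message; the condition should read `if (!getNotNull(userId).contains(deviceId)) {`. In `checkAdmin`, a single `User user = users.get(userId);` followed by `if (user == null || !user.getAdmin())` avoids the double lookup and keeps the check on one consistent read of the map.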