author | Anton Tananaev <anton.tananaev@gmail.com> | 2015-06-13 17:36:31 +1200 |
---|---|---|
committer | Anton Tananaev <anton.tananaev@gmail.com> | 2015-06-13 17:36:31 +1200 |
commit | fc75fe4ab4f8ea9de58c41772fdd92c10c73f2bc (patch) | |
tree | 9418ef08d1b5d8858922b90e4c0b9e2f1747b2ee /src/org/traccar/http/BaseServlet.java | |
parent | bd4c32abced2bb654b64a2042668340167d6b191 (diff) | |
Fix API access permissions
Diffstat (limited to 'src/org/traccar/http/BaseServlet.java')
-rw-r--r-- | src/org/traccar/http/BaseServlet.java | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/org/traccar/http/BaseServlet.java b/src/org/traccar/http/BaseServlet.java
index be4b41631..9dba2e647 100644
--- a/src/org/traccar/http/BaseServlet.java
+++ b/src/org/traccar/http/BaseServlet.java
@@ -25,7 +25,6 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
 import org.traccar.model.User;
 public abstract class BaseServlet extends HttpServlet {
@@ -46,14 +45,20 @@ public abstract class BaseServlet extends HttpServlet {
 protected abstract boolean handle(String command, HttpServletRequest req, HttpServletResponse resp) throws Exception;
- public long getUserId(HttpSession session) {
- User user = (User) session.getAttribute(USER_KEY);
+ public long getUserId(HttpServletRequest req) {
+ User user = (User) req.getSession().getAttribute(USER_KEY);
 if (user == null) {
- throw new AccessControlException("User is not logged in");
+ throw new AccessControlException("User not logged in");
 }
 return user.getId();
 }
+ public void securityCheck(boolean check) throws SecurityException {
+ if (!check) {
+ throw new SecurityException("Access denied");
+ }
+ }
+
 public void sendResponse(Writer writer, boolean success) throws IOException {
 JsonObjectBuilder result = Json.createObjectBuilder();
 result.add("success", success); |
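Review bot: In the new `getUserId`, `req.getSession()` creates a session whenever the request carries none, so every unauthenticated API call allocates server-side session state before the `AccessControlException` is thrown. Prefer `HttpSession session = req.getSession(false);` followed by `User user = session == null ? null : (User) session.getAttribute(USER_KEY);`, which needs the `HttpSession` import that the first hunk removes. `securityCheck` is opt-in and undocumented, so a Javadoc line such as `/** Throws SecurityException unless the caller's permission check passed; call before any data access. */` would help. Its `throws SecurityException` clause is redundant for an unchecked exception. The code that turns these exceptions into a response is outside the hunk, so confirm it handles `SecurityException` the same way as `AccessControlException`.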