author | Anton Tananaev <anton.tananaev@gmail.com> | 2015-06-27 10:50:40 +1200 |
---|---|---|
committer | Anton Tananaev <anton.tananaev@gmail.com> | 2015-06-27 10:50:40 +1200 |
commit | 136be53a084b84a0a764d0d326146fca241733f4 (patch) | |
tree | d8f4756ecbd1376a51d40bee085e595f6c64d8b3 /src/org/traccar/http | |
parent | deea5b703fd83e699d62600d93b3e28ac71188a1 (diff) | |
Fix user security issue
Diffstat (limited to 'src/org/traccar/http')
-rw-r--r-- | src/org/traccar/http/UserServlet.java | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/org/traccar/http/UserServlet.java b/src/org/traccar/http/UserServlet.java
index f388326b0..19a70ac93 100644
--- a/src/org/traccar/http/UserServlet.java
+++ b/src/org/traccar/http/UserServlet.java
@@ -53,7 +53,11 @@ public class UserServlet extends BaseServlet {
 private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
 User user = JsonConverter.objectFromJson(req.getReader(), new User());
- Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ if (user.getAdmin()) {
+ Context.getPermissionsManager().checkAdmin(getUserId(req));
+ } else {
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ }
 Context.getDataManager().updateUser(user);
 sendResponse(resp.getWriter(), true);
 } |
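Review bot: The new guard in update() protects only the admin flag, while `Context.getDataManager().updateUser(user)` still writes the whole object deserialized from the request body. If User has any other privileged or server-managed field (none is visible in this hunk), a non-admin who passes `checkUser` for their own id can still set it. It would be safer to authorise against the stored record and persist only the fields the caller is allowed to change. At minimum, document the contract above the branch, for example `// Only an admin may submit admin=true; all other fields are persisted exactly as sent by the client.` Any other handler in this servlet that builds a User from request JSON lies outside the hunk and presumably needs the same check.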