Fix API access permissions

5 files changed, 32 insertions, 20 deletions

diff --git a/src/org/traccar/http/BaseServlet.java b/src/org/traccar/http/BaseServlet.java
index be4b41631..9dba2e647 100644
--- a/src/org/traccar/http/BaseServlet.java
+++ b/src/org/traccar/http/BaseServlet.java
@@ -25,7 +25,6 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
 import org.traccar.model.User;
 
 public abstract class BaseServlet extends HttpServlet {
@@ -46,14 +45,20 @@ public abstract class BaseServlet extends HttpServlet {
     
     protected abstract boolean handle(String command, HttpServletRequest req, HttpServletResponse resp) throws Exception;
     
-    public long getUserId(HttpSession session) {
-        User user = (User) session.getAttribute(USER_KEY);
+    public long getUserId(HttpServletRequest req) {
+        User user = (User) req.getSession().getAttribute(USER_KEY);
         if (user == null) {
-            throw new AccessControlException("User is not logged in");
+            throw new AccessControlException("User not logged in");
         }
         return user.getId();
     }
     
+    public void securityCheck(boolean check) throws SecurityException {
+        if (!check) {
+            throw new SecurityException("Access denied");
+        }
+    }
+    
     public void sendResponse(Writer writer, boolean success) throws IOException {
         JsonObjectBuilder result = Json.createObjectBuilder();
         result.add("success", success);
diff --git a/src/org/traccar/http/DeviceServlet.java b/src/org/traccar/http/DeviceServlet.java
index 1387c2a13..1e8e1f047 100644
--- a/src/org/traccar/http/DeviceServlet.java
+++ b/src/org/traccar/http/DeviceServlet.java
@@ -40,25 +40,27 @@ public class DeviceServlet extends BaseServlet {
     
     private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
         sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
-                    Context.getDataManager().getDevices(getUserId(req.getSession()))));
+                    Context.getDataManager().getDevices(getUserId(req))));
     }
     
     private void add(HttpServletRequest req, HttpServletResponse resp) throws Exception {
         Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
         Context.getDataManager().addDevice(device);
-        Context.getDataManager().linkDevice(getUserId(req.getSession()), device.getId());
+        Context.getDataManager().linkDevice(getUserId(req), device.getId());
         sendResponse(resp.getWriter(), JsonConverter.objectToJson(device));
     }
     
     private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
-        Context.getDataManager().updateDevice(JsonConverter.objectFromJson(
-                req.getReader(), new Device()));
+        Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
+        Context.getPermissionsManager().checkDevice(getUserId(req), device.getId());
+        Context.getDataManager().updateDevice(device);
         sendResponse(resp.getWriter(), true);
     }
     
     private void remove(HttpServletRequest req, HttpServletResponse resp) throws Exception {
-        Context.getDataManager().removeDevice(JsonConverter.objectFromJson(
-                req.getReader(), new Device()));
+        Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
+        Context.getPermissionsManager().checkDevice(getUserId(req), device.getId());
+        Context.getDataManager().removeDevice(device);
         sendResponse(resp.getWriter(), true);
     }
 
diff --git a/src/org/traccar/http/PositionServlet.java b/src/org/traccar/http/PositionServlet.java
index e6348ec54..57b411a79 100644
--- a/src/org/traccar/http/PositionServlet.java
+++ b/src/org/traccar/http/PositionServlet.java
@@ -15,10 +15,9 @@
  */
 package org.traccar.http;
 
-import org.traccar.Context;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.traccar.Context;
 
 public class PositionServlet extends BaseServlet {
 
@@ -31,10 +30,11 @@ public class PositionServlet extends BaseServlet {
     }
     
     private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
+        long deviceId = Long.valueOf(req.getParameter("deviceId"));
+        Context.getPermissionsManager().checkDevice(getUserId(req), deviceId);
         sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
                     Context.getDataManager().getPositions(
-                            getUserId(req.getSession()),
-                            Long.valueOf(req.getParameter("deviceId")),
+                            getUserId(req), deviceId,
                             JsonConverter.parseDate(req.getParameter("from")),
                             JsonConverter.parseDate(req.getParameter("to")))));
     }
diff --git a/src/org/traccar/http/ServerServlet.java b/src/org/traccar/http/ServerServlet.java
index baac99084..d814769a8 100644
--- a/src/org/traccar/http/ServerServlet.java
+++ b/src/org/traccar/http/ServerServlet.java
@@ -40,8 +40,9 @@ public class ServerServlet extends BaseServlet {
     }
     
     private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
-        Context.getDataManager().updateServer(JsonConverter.objectFromJson(
-                req.getReader(), new Server()));
+        Server server = JsonConverter.objectFromJson(req.getReader(), new Server());
+        Context.getPermissionsManager().checkAdmin(getUserId(req));
+        Context.getDataManager().updateServer(server);
         sendResponse(resp.getWriter(), true);
     }
 
diff --git a/src/org/traccar/http/UserServlet.java b/src/org/traccar/http/UserServlet.java
index 597b54a5c..f388326b0 100644
--- a/src/org/traccar/http/UserServlet.java
+++ b/src/org/traccar/http/UserServlet.java
@@ -39,25 +39,29 @@ public class UserServlet extends BaseServlet {
     }
     
     private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
+        Context.getPermissionsManager().checkAdmin(getUserId(req));
         sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
                     Context.getDataManager().getUsers()));
     }
     
     private void add(HttpServletRequest req, HttpServletResponse resp) throws Exception {
         User user = JsonConverter.objectFromJson(req.getReader(), new User());
+        Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
         Context.getDataManager().addUser(user);
         sendResponse(resp.getWriter(), JsonConverter.objectToJson(user));
     }
     
     private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
-        Context.getDataManager().updateUser(JsonConverter.objectFromJson(
-                req.getReader(), new User()));
+        User user = JsonConverter.objectFromJson(req.getReader(), new User());
+        Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+        Context.getDataManager().updateUser(user);
         sendResponse(resp.getWriter(), true);
     }
     
     private void remove(HttpServletRequest req, HttpServletResponse resp) throws Exception {
-        Context.getDataManager().removeUser(JsonConverter.objectFromJson(
-                req.getReader(), new User()));
+        User user = JsonConverter.objectFromJson(req.getReader(), new User());
+        Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+        Context.getDataManager().removeUser(user);
         sendResponse(resp.getWriter(), true);
     }