Make permissions resources more strict

author: Abyss777 <abyss@fox5.ru> 2017-07-20 10:05:33 +0500
committer: Abyss777 <abyss@fox5.ru> 2017-07-20 10:05:33 +0500
commit: 0d5a1b36c704f3a79eceb2a1f19894f0438eb1b0 (patch)
tree: d2bc54bd9671948c5444e8ab313d99021469a295 /src/org/traccar
parent: afb9a199f57824ec06c993b6028c35b616f64885 (diff)
download: trackermap-server-0d5a1b36c704f3a79eceb2a1f19894f0438eb1b0.tar.gz
trackermap-server-0d5a1b36c704f3a79eceb2a1f19894f0438eb1b0.tar.bz2
trackermap-server-0d5a1b36c704f3a79eceb2a1f19894f0438eb1b0.zip
3 files changed, 18 insertions, 0 deletions
diff --git a/src/org/traccar/api/resource/DeviceResource.java b/src/org/traccar/api/resource/DeviceResource.java
index 41a8970e2..0f7579bae 100644
--- a/src/org/traccar/api/resource/DeviceResource.java
+++ b/src/org/traccar/api/resource/DeviceResource.java
@@ -125,6 +125,9 @@ public class DeviceResource extends BaseResource {
     @POST
     public Response add(Map<String, Long> entity) throws SQLException {
         Context.getPermissionsManager().checkReadonly(getUserId());
+        if (entity.size() != 2) {
+            throw new IllegalArgumentException();
+        }
         for (String key : entity.keySet()) {
             Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
         }
@@ -140,6 +143,9 @@ public class DeviceResource extends BaseResource {
         for (String key : entity.keySet()) {
             Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
         }
+        if (entity.size() != 2) {
+            throw new IllegalArgumentException();
+        }
         Context.getDataManager().linkObject(entity, false);
         Context.getPermissionsManager().refreshPermissions(entity);
         return Response.noContent().build();
diff --git a/src/org/traccar/api/resource/GroupResource.java b/src/org/traccar/api/resource/GroupResource.java
index 97b6d671d..0d9572332 100644
--- a/src/org/traccar/api/resource/GroupResource.java
+++ b/src/org/traccar/api/resource/GroupResource.java
@@ -97,6 +97,9 @@ public class GroupResource extends BaseResource {
     @POST
     public Response add(Map<String, Long> entity) throws SQLException {
         Context.getPermissionsManager().checkReadonly(getUserId());
+        if (entity.size() != 2) {
+            throw new IllegalArgumentException();
+        }
         for (String key : entity.keySet()) {
             Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
         }
@@ -109,6 +112,9 @@ public class GroupResource extends BaseResource {
     @DELETE
     public Response remove(Map<String, Long> entity) throws SQLException {
         Context.getPermissionsManager().checkReadonly(getUserId());
+        if (entity.size() != 2) {
+            throw new IllegalArgumentException();
+        }
         for (String key : entity.keySet()) {
             Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
         }
diff --git a/src/org/traccar/api/resource/PermissionsResource.java b/src/org/traccar/api/resource/PermissionsResource.java
index ac7acb93f..e22ffae36 100644
--- a/src/org/traccar/api/resource/PermissionsResource.java
+++ b/src/org/traccar/api/resource/PermissionsResource.java
@@ -39,6 +39,9 @@ public class PermissionsResource  extends BaseResource {
     @POST
     public Response add(Map<String, Long> entity) throws SQLException {
         Context.getPermissionsManager().checkReadonly(getUserId());
+        if (entity.size() != 2) {
+            throw new IllegalArgumentException();
+        }
         for (String key : entity.keySet()) {
             Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
         }
@@ -51,6 +54,9 @@ public class PermissionsResource  extends BaseResource {
     @DELETE
     public Response remove(Map<String, Long> entity) throws SQLException {
         Context.getPermissionsManager().checkReadonly(getUserId());
+        if (entity.size() != 2) {
+            throw new IllegalArgumentException();
+        }
         for (String key : entity.keySet()) {
             Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
         }
author	Abyss777 <abyss@fox5.ru>	2017-07-20 10:05:33 +0500
committer	Abyss777 <abyss@fox5.ru>	2017-07-20 10:05:33 +0500
commit	0d5a1b36c704f3a79eceb2a1f19894f0438eb1b0 (patch)
tree	d2bc54bd9671948c5444e8ab313d99021469a295 /src/org/traccar
parent	afb9a199f57824ec06c993b6028c35b616f64885 (diff)
download	trackermap-server-0d5a1b36c704f3a79eceb2a1f19894f0438eb1b0.tar.gz trackermap-server-0d5a1b36c704f3a79eceb2a1f19894f0438eb1b0.tar.bz2 trackermap-server-0d5a1b36c704f3a79eceb2a1f19894f0438eb1b0.zip