diff options
author | Anton Tananaev <anton.tananaev@gmail.com> | 2018-10-12 14:55:58 +1300 |
---|---|---|
committer | Anton Tananaev <anton.tananaev@gmail.com> | 2018-10-12 14:57:47 +1300 |
commit | a1397ca05d9000b914b249b78997f7f3ebb14319 (patch) | |
tree | 0443717576d18d5ed262ef6fea8f5ed96760f037 /src/org/traccar | |
parent | 21d3d6aaa42557e0d6279165f89e6fabe53235c6 (diff) | |
download | trackermap-server-a1397ca05d9000b914b249b78997f7f3ebb14319.tar.gz trackermap-server-a1397ca05d9000b914b249b78997f7f3ebb14319.tar.bz2 trackermap-server-a1397ca05d9000b914b249b78997f7f3ebb14319.zip |
Restrict access to computed attributes (AC-2018-10-8-1)
Diffstat (limited to 'src/org/traccar')
-rw-r--r-- | src/org/traccar/api/resource/AttributeResource.java | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/src/org/traccar/api/resource/AttributeResource.java b/src/org/traccar/api/resource/AttributeResource.java index 8f0bac473..d10ca4a72 100644 --- a/src/org/traccar/api/resource/AttributeResource.java +++ b/src/org/traccar/api/resource/AttributeResource.java @@ -1,6 +1,6 @@ /* - * Copyright 2017 Anton Tananaev (anton@traccar.org) - * Copyright 2017 Andrey Kunitsyn (andrey@traccar.org) + * Copyright 2017 - 2018 Anton Tananaev (anton@traccar.org) + * Copyright 2017 - 2018 Andrey Kunitsyn (andrey@traccar.org) * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,8 +19,11 @@ package org.traccar.api.resource; import java.sql.SQLException; import javax.ws.rs.Consumes; +import javax.ws.rs.DELETE; import javax.ws.rs.POST; +import javax.ws.rs.PUT; import javax.ws.rs.Path; +import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; @@ -44,7 +47,7 @@ public class AttributeResource extends ExtendedObjectResource<Attribute> { @POST @Path("test") public Response test(@QueryParam("deviceId") long deviceId, Attribute entity) throws SQLException { - Context.getPermissionsManager().checkReadonly(getUserId()); + Context.getPermissionsManager().checkAdmin(getUserId()); Context.getPermissionsManager().checkDevice(getUserId(), deviceId); Position last = Context.getIdentityManager().getLastPosition(deviceId); if (last != null) { @@ -68,4 +71,24 @@ public class AttributeResource extends ExtendedObjectResource<Attribute> { } } + @POST + public Response add(Attribute entity) throws SQLException { + Context.getPermissionsManager().checkAdmin(getUserId()); + return super.add(entity); + } + + @Path("{id}") + @PUT + public Response update(Attribute entity) throws SQLException { + Context.getPermissionsManager().checkAdmin(getUserId()); + return super.update(entity); + } + + @Path("{id}") + @DELETE + public Response remove(@PathParam("id") long id) throws SQLException { + Context.getPermissionsManager().checkAdmin(getUserId()); + return super.remove(id); + } + } |