Fix user security issue

author: Anton Tananaev <anton.tananaev@gmail.com> 2015-06-27 10:50:40 +1200
committer: Anton Tananaev <anton.tananaev@gmail.com> 2015-06-27 10:50:40 +1200
commit: 136be53a084b84a0a764d0d326146fca241733f4 (patch)
tree: d8f4756ecbd1376a51d40bee085e595f6c64d8b3 /src
parent: deea5b703fd83e699d62600d93b3e28ac71188a1 (diff)
download: trackermap-server-136be53a084b84a0a764d0d326146fca241733f4.tar.gz
trackermap-server-136be53a084b84a0a764d0d326146fca241733f4.tar.bz2
trackermap-server-136be53a084b84a0a764d0d326146fca241733f4.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/src/org/traccar/http/UserServlet.java b/src/org/traccar/http/UserServlet.java
index f388326b0..19a70ac93 100644
--- a/src/org/traccar/http/UserServlet.java
+++ b/src/org/traccar/http/UserServlet.java
@@ -53,7 +53,11 @@ public class UserServlet extends BaseServlet {
     
     private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
         User user = JsonConverter.objectFromJson(req.getReader(), new User());
-        Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+        if (user.getAdmin()) {
+            Context.getPermissionsManager().checkAdmin(getUserId(req));
+        } else {
+            Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+        }
         Context.getDataManager().updateUser(user);
         sendResponse(resp.getWriter(), true);
     }
author	Anton Tananaev <anton.tananaev@gmail.com>	2015-06-27 10:50:40 +1200
committer	Anton Tananaev <anton.tananaev@gmail.com>	2015-06-27 10:50:40 +1200
commit	136be53a084b84a0a764d0d326146fca241733f4 (patch)
tree	d8f4756ecbd1376a51d40bee085e595f6c64d8b3 /src
parent	deea5b703fd83e699d62600d93b3e28ac71188a1 (diff)
download	trackermap-server-136be53a084b84a0a764d0d326146fca241733f4.tar.gz trackermap-server-136be53a084b84a0a764d0d326146fca241733f4.tar.bz2 trackermap-server-136be53a084b84a0a764d0d326146fca241733f4.zip