diff options
author | Anton Tananaev <anton@traccar.org> | 2022-12-04 10:38:38 -0800 |
---|---|---|
committer | Anton Tananaev <anton@traccar.org> | 2022-12-04 10:38:38 -0800 |
commit | b2f021bc447884d85c9fbcce93bb708d3702d1d8 (patch) | |
tree | 5164025b5a4d3ba9e35841d5c7056bc1ad570fae /src | |
parent | 2fcd5c8decf9f329c3e2325ce950d2b0493b29ab (diff) | |
download | trackermap-server-b2f021bc447884d85c9fbcce93bb708d3702d1d8.tar.gz trackermap-server-b2f021bc447884d85c9fbcce93bb708d3702d1d8.tar.bz2 trackermap-server-b2f021bc447884d85c9fbcce93bb708d3702d1d8.zip |
Improve permissions check
Diffstat (limited to 'src')
-rw-r--r-- | src/main/java/org/traccar/api/security/PermissionsService.java | 32 |
1 files changed, 21 insertions, 11 deletions
diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java index 37bb6fd72..4421572d7 100644 --- a/src/main/java/org/traccar/api/security/PermissionsService.java +++ b/src/main/java/org/traccar/api/security/PermissionsService.java @@ -120,25 +120,35 @@ public class PermissionsService { } } - public void checkEdit(long userId, Object object, boolean addition) throws StorageException, SecurityException { + public void checkEdit(long userId, BaseModel object, boolean addition) throws StorageException, SecurityException { if (!getUser(userId).getAdministrator()) { checkEdit(userId, object.getClass(), addition); - boolean denied = false; if (object instanceof GroupedModel) { - long groupId = ((GroupedModel) object).getGroupId(); - if (groupId > 0) { - checkPermission(Group.class, userId, groupId); + GroupedModel after = ((GroupedModel) object); + if (after.getGroupId() > 0) { + GroupedModel before = null; + if (!addition) { + before = storage.getObject(after.getClass(), new Request( + new Columns.Include("groupId"), new Condition.Equals("id", object.getId()))); + } + if (before == null || before.getGroupId() != after.getGroupId()) { + checkPermission(Group.class, userId, after.getGroupId()); + } } } if (object instanceof ScheduledModel) { - long calendarId = ((ScheduledModel) object).getCalendarId(); - if (calendarId > 0) { - denied = storage.getPermissions(User.class, userId, Calendar.class, calendarId).isEmpty(); + ScheduledModel after = ((ScheduledModel) object); + if (after.getCalendarId() > 0) { + ScheduledModel before = null; + if (!addition) { + before = storage.getObject(after.getClass(), new Request( + new Columns.Include("calendarId"), new Condition.Equals("id", object.getId()))); + } + if (before == null || before.getCalendarId() != after.getCalendarId()) { + checkPermission(Calendar.class, userId, after.getCalendarId()); + } } } - if (denied) { - throw new SecurityException("Write access denied"); - } } } |