-rw-r--r--src/main/java/org/traccar/api/ExtendedObjectResource.java4
-rw-r--r--src/main/java/org/traccar/api/SimpleObjectResource.java4
-rw-r--r--src/main/java/org/traccar/api/security/PermissionsService.java12
-rw-r--r--src/main/java/org/traccar/storage/DatabaseStorage.java6
4 files changed, 20 insertions, 6 deletions
diff --git a/src/main/java/org/traccar/api/ExtendedObjectResource.java b/src/main/java/org/traccar/api/ExtendedObjectResource.java
index 6037118dd..e49f67bb9 100644
--- a/src/main/java/org/traccar/api/ExtendedObjectResource.java
+++ b/src/main/java/org/traccar/api/ExtendedObjectResource.java
@@ -44,7 +44,9 @@ public class ExtendedObjectResource<T extends BaseModel> extends BaseObjectResou
var conditions = new LinkedList<Condition>();
if (all) {
- permissionsService.checkAdmin(getUserId());
+ if (!permissionsService.isAdmin(getUserId())) {
+ conditions.add(new Condition.Permission(User.class, getUserId(), baseClass));
+ }
} else {
if (userId == 0) {
conditions.add(new Condition.Permission(User.class, getUserId(), baseClass));
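Review bot: The new non-admin branch inside `if (all)` silently narrows the result set instead of rejecting the request: a non-admin caller passing `all=true` now gets a successful response containing only the objects it holds a direct `Condition.Permission` on, where before `checkAdmin` raised a SecurityException. That is a defensible authorization outcome, but it is an API behaviour change that deserves a comment on the branch, e.g. `// Non-admins requesting "all" are scoped to objects they hold a direct permission on`; as far as the visible lines show, a manager's `all` request is not widened to the users they manage the way the `userId` branch below may be, which is worth confirming. The identical change appears in SimpleObjectResource in the hunk starting `@@ -41,7 +41,9 @@`, where the same comment applies. The enclosing get method starts and ends outside this hunk.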
diff --git a/src/main/java/org/traccar/api/SimpleObjectResource.java b/src/main/java/org/traccar/api/SimpleObjectResource.java
index c61101077..15a496c5f 100644
--- a/src/main/java/org/traccar/api/SimpleObjectResource.java
+++ b/src/main/java/org/traccar/api/SimpleObjectResource.java
@@ -41,7 +41,9 @@ public class SimpleObjectResource<T extends BaseModel> extends BaseObjectResourc
var conditions = new LinkedList<Condition>();
if (all) {
- permissionsService.checkAdmin(getUserId());
+ if (!permissionsService.isAdmin(getUserId())) {
+ conditions.add(new Condition.Permission(User.class, getUserId(), baseClass));
+ }
} else {
if (userId == 0) {
userId = getUserId();
diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java
index 4d5cd88ab..ac687fc1c 100644
--- a/src/main/java/org/traccar/api/security/PermissionsService.java
+++ b/src/main/java/org/traccar/api/security/PermissionsService.java
@@ -21,6 +21,7 @@ import org.traccar.model.Command;
import org.traccar.model.Device;
import org.traccar.model.Group;
import org.traccar.model.GroupedModel;
+import org.traccar.model.ManagedUser;
import org.traccar.model.ScheduledModel;
import org.traccar.model.Server;
import org.traccar.model.User;
@@ -60,9 +61,13 @@ public class PermissionsService {
return user;
}
+ public boolean isAdmin(long userId) throws StorageException {
+ return getUser(userId).getAdministrator();
+ }
+
public void checkAdmin(long userId) throws StorageException, SecurityException {
if (!getUser(userId).getAdministrator()) {
- throw new SecurityException("Account is readonly");
+ throw new SecurityException("Administrator access required");
}
}
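Review bot: The new public `isAdmin(long)` has no Javadoc, and `checkAdmin` directly below repeats its body instead of calling it; `checkAdmin` could read `if (!isAdmin(userId)) {`, and a one-line Javadoc should state that `isAdmin` returns the stored administrator flag for `userId` and propagates StorageException when the user cannot be loaded. The later hunks in this file switch user-to-user permission lookups to `ManagedUser.class`, once in checkUser and once through the inline ternary in the `@@ -129,7 +134,8 @@` hunk; that mapping is now encoded twice, so a small private helper returning the permission class for a target class would keep the two from drifting. Whether the storage side already keys user-to-user links under ManagedUser cannot be told from this diff.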
@@ -118,7 +123,7 @@ public class PermissionsService {
public void checkUser(long userId, long managedUserId) throws StorageException, SecurityException {
if (userId != managedUserId && !getUser(userId).getAdministrator()) {
if (!getUser(userId).getManager()
- || storage.getPermissions(User.class, userId, User.class, managedUserId).isEmpty()) {
+ || storage.getPermissions(User.class, userId, ManagedUser.class, managedUserId).isEmpty()) {
throw new SecurityException("User access denied");
}
}
@@ -129,7 +134,8 @@ public class PermissionsService {
if (!getUser(userId).getAdministrator() && !(clazz.equals(User.class) && userId == objectId)) {
var objects = storage.getObjects(clazz, new Request(
new Columns.Include("id"),
- new Condition.Permission(User.class, userId, clazz)));
+ new Condition.Permission(
+ User.class, userId, clazz.equals(User.class) ? ManagedUser.class : clazz)));
boolean found = false;
for (var object : objects) {
if (object.getId() == objectId) {
diff --git a/src/main/java/org/traccar/storage/DatabaseStorage.java b/src/main/java/org/traccar/storage/DatabaseStorage.java
index e8966be8e..cd82448e1 100644
--- a/src/main/java/org/traccar/storage/DatabaseStorage.java
+++ b/src/main/java/org/traccar/storage/DatabaseStorage.java
@@ -128,9 +128,13 @@ public class DatabaseStorage extends Storage {
conditions.add(new Condition.Equals(
Permission.getKey(propertyClass), Permission.getKey(propertyClass), propertyId));
}
- query.append(formatCondition(Condition.merge(conditions)));
+ Condition combinedCondition = Condition.merge(conditions);
+ query.append(formatCondition(combinedCondition));
try {
QueryBuilder builder = QueryBuilder.create(dataSource, query.toString());
+ for (Map.Entry<String, Object> variable : getConditionVariables(combinedCondition).entrySet()) {
+ builder.setValue(variable.getKey(), variable.getValue());
+ }
return builder.executePermissionsQuery();
} catch (SQLException e) {
throw new StorageException(e);
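Review bot: The loop binding `getConditionVariables(combinedCondition)` into the builder appears to be the substantive fix here — the old line appended the merged condition to the SQL with nothing binding its values — but nothing in the hunk says so, and a why-comment on the loop would help the next reader, e.g. `// bind the placeholders emitted by formatCondition for the Equals conditions above`. Two things the hunk does not show and that should be checked: `java.util.Map` must already be imported in DatabaseStorage, since no import hunk is in this diff, and `getConditionVariables` is presumably inherited from Storage or defined above. For consistency with the `var conditions` style used elsewhere in this change, `combinedCondition` could be declared with `var`. The enclosing getPermissions method begins before this hunk.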