diff options
4 files changed, 20 insertions, 6 deletions
diff --git a/src/main/java/org/traccar/api/ExtendedObjectResource.java b/src/main/java/org/traccar/api/ExtendedObjectResource.java index 6037118dd..e49f67bb9 100644 --- a/src/main/java/org/traccar/api/ExtendedObjectResource.java +++ b/src/main/java/org/traccar/api/ExtendedObjectResource.java @@ -44,7 +44,9 @@ public class ExtendedObjectResource<T extends BaseModel> extends BaseObjectResou var conditions = new LinkedList<Condition>(); if (all) { - permissionsService.checkAdmin(getUserId()); + if (!permissionsService.isAdmin(getUserId())) { + conditions.add(new Condition.Permission(User.class, getUserId(), baseClass)); + } } else { if (userId == 0) { conditions.add(new Condition.Permission(User.class, getUserId(), baseClass)); diff --git a/src/main/java/org/traccar/api/SimpleObjectResource.java b/src/main/java/org/traccar/api/SimpleObjectResource.java index c61101077..15a496c5f 100644 --- a/src/main/java/org/traccar/api/SimpleObjectResource.java +++ b/src/main/java/org/traccar/api/SimpleObjectResource.java @@ -41,7 +41,9 @@ public class SimpleObjectResource<T extends BaseModel> extends BaseObjectResourc var conditions = new LinkedList<Condition>(); if (all) { - permissionsService.checkAdmin(getUserId()); + if (!permissionsService.isAdmin(getUserId())) { + conditions.add(new Condition.Permission(User.class, getUserId(), baseClass)); + } } else { if (userId == 0) { userId = getUserId(); diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java index 4d5cd88ab..ac687fc1c 100644 --- a/src/main/java/org/traccar/api/security/PermissionsService.java +++ b/src/main/java/org/traccar/api/security/PermissionsService.java @@ -21,6 +21,7 @@ import org.traccar.model.Command; import org.traccar.model.Device; import org.traccar.model.Group; import org.traccar.model.GroupedModel; +import org.traccar.model.ManagedUser; import org.traccar.model.ScheduledModel; import org.traccar.model.Server; import org.traccar.model.User; @@ -60,9 +61,13 @@ public class PermissionsService { return user; } + public boolean isAdmin(long userId) throws StorageException { + return getUser(userId).getAdministrator(); + } + public void checkAdmin(long userId) throws StorageException, SecurityException { if (!getUser(userId).getAdministrator()) { - throw new SecurityException("Account is readonly"); + throw new SecurityException("Administrator access required"); } } @@ -118,7 +123,7 @@ public class PermissionsService { public void checkUser(long userId, long managedUserId) throws StorageException, SecurityException { if (userId != managedUserId && !getUser(userId).getAdministrator()) { if (!getUser(userId).getManager() - || storage.getPermissions(User.class, userId, User.class, managedUserId).isEmpty()) { + || storage.getPermissions(User.class, userId, ManagedUser.class, managedUserId).isEmpty()) { throw new SecurityException("User access denied"); } } @@ -129,7 +134,8 @@ public class PermissionsService { if (!getUser(userId).getAdministrator() && !(clazz.equals(User.class) && userId == objectId)) { var objects = storage.getObjects(clazz, new Request( new Columns.Include("id"), - new Condition.Permission(User.class, userId, clazz))); + new Condition.Permission( + User.class, userId, clazz.equals(User.class) ? ManagedUser.class : clazz))); boolean found = false; for (var object : objects) { if (object.getId() == objectId) { diff --git a/src/main/java/org/traccar/storage/DatabaseStorage.java b/src/main/java/org/traccar/storage/DatabaseStorage.java index e8966be8e..cd82448e1 100644 --- a/src/main/java/org/traccar/storage/DatabaseStorage.java +++ b/src/main/java/org/traccar/storage/DatabaseStorage.java @@ -128,9 +128,13 @@ public class DatabaseStorage extends Storage { conditions.add(new Condition.Equals( Permission.getKey(propertyClass), Permission.getKey(propertyClass), propertyId)); } - query.append(formatCondition(Condition.merge(conditions))); + Condition combinedCondition = Condition.merge(conditions); + query.append(formatCondition(combinedCondition)); try { QueryBuilder builder = QueryBuilder.create(dataSource, query.toString()); + for (Map.Entry<String, Object> variable : getConditionVariables(combinedCondition).entrySet()) { + builder.setValue(variable.getKey(), variable.getValue()); + } return builder.executePermissionsQuery(); } catch (SQLException e) { throw new StorageException(e); |