aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/main/java/org/traccar/api/security/PermissionsService.java32
1 files changed, 21 insertions, 11 deletions
diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java
index 37bb6fd72..4421572d7 100644
--- a/src/main/java/org/traccar/api/security/PermissionsService.java
+++ b/src/main/java/org/traccar/api/security/PermissionsService.java
@@ -120,25 +120,35 @@ public class PermissionsService {
}
}
- public void checkEdit(long userId, Object object, boolean addition) throws StorageException, SecurityException {
+ public void checkEdit(long userId, BaseModel object, boolean addition) throws StorageException, SecurityException {
if (!getUser(userId).getAdministrator()) {
checkEdit(userId, object.getClass(), addition);
- boolean denied = false;
if (object instanceof GroupedModel) {
- long groupId = ((GroupedModel) object).getGroupId();
- if (groupId > 0) {
- checkPermission(Group.class, userId, groupId);
+ GroupedModel after = ((GroupedModel) object);
+ if (after.getGroupId() > 0) {
+ GroupedModel before = null;
+ if (!addition) {
+ before = storage.getObject(after.getClass(), new Request(
+ new Columns.Include("groupId"), new Condition.Equals("id", object.getId())));
+ }
+ if (before == null || before.getGroupId() != after.getGroupId()) {
+ checkPermission(Group.class, userId, after.getGroupId());
+ }
}
}
if (object instanceof ScheduledModel) {
- long calendarId = ((ScheduledModel) object).getCalendarId();
- if (calendarId > 0) {
- denied = storage.getPermissions(User.class, userId, Calendar.class, calendarId).isEmpty();
+ ScheduledModel after = ((ScheduledModel) object);
+ if (after.getCalendarId() > 0) {
+ ScheduledModel before = null;
+ if (!addition) {
+ before = storage.getObject(after.getClass(), new Request(
+ new Columns.Include("calendarId"), new Condition.Equals("id", object.getId())));
+ }
+ if (before == null || before.getCalendarId() != after.getCalendarId()) {
+ checkPermission(Calendar.class, userId, after.getCalendarId());
+ }
}
}
- if (denied) {
- throw new SecurityException("Write access denied");
- }
}
}