1 files changed, 32 insertions, 1 deletions

diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java
index c70414b2a..f39ded2b7 100644
--- a/src/main/java/org/traccar/api/security/PermissionsService.java
+++ b/src/main/java/org/traccar/api/security/PermissionsService.java
@@ -57,7 +57,7 @@ public class PermissionsService {
     }
 
     public User getUser(long userId) throws StorageException {
-        if (user == null) {
+        if (user == null && userId > 0) {
             user = storage.getObject(
                     User.class, new Request(new Columns.All(), new Condition.Equals("id", "id", userId)));
         }
@@ -74,6 +74,12 @@ public class PermissionsService {
         }
     }
 
+    public void checkManager(long userId) throws StorageException, SecurityException {
+        if (!getUser(userId).getAdministrator() && getUser(userId).getUserLimit() == 0) {
+            throw new SecurityException("Manager access required");
+        }
+    }
+
     public interface CheckRestrictionCallback {
         boolean denied(UserRestrictions userRestrictions);
     }
@@ -137,6 +143,31 @@ public class PermissionsService {
         }
     }
 
+    public void checkUserUpdate(long userId, User before, User after) throws StorageException, SecurityException {
+        if (before.getAdministrator() != after.getAdministrator()
+                || before.getDeviceLimit() != after.getDeviceLimit()
+                || before.getUserLimit() != after.getUserLimit()) {
+            checkAdmin(userId);
+        }
+        User user = getUser(userId);
+        if (user != null && user.getExpirationTime() != null
+                && (after.getExpirationTime() == null
+                || user.getExpirationTime().compareTo(after.getExpirationTime()) < 0)) {
+            checkAdmin(userId);
+        }
+        if (before.getReadonly() != after.getReadonly()
+                || before.getDeviceReadonly() != after.getDeviceReadonly()
+                || before.getDisabled() != after.getDisabled()
+                || before.getLimitCommands() != after.getLimitCommands()
+                || before.getDisableReports() != after.getDisableReports()) {
+            if (userId == after.getId()) {
+                checkAdmin(userId);
+            } else {
+                checkUser(userId, after.getId());
+            }
+        }
+    }
+
     public <T extends BaseModel> void checkPermission(
             Class<T> clazz, long userId, long objectId) throws StorageException, SecurityException {
         if (!getUser(userId).getAdministrator() && !(clazz.equals(User.class) && userId == objectId)) {