diff options
Diffstat (limited to 'src/main/java/org/traccar/api/security')
-rw-r--r-- | src/main/java/org/traccar/api/security/PermissionsService.java | 33 |
1 files changed, 32 insertions, 1 deletions
diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java index c70414b2a..f39ded2b7 100644 --- a/src/main/java/org/traccar/api/security/PermissionsService.java +++ b/src/main/java/org/traccar/api/security/PermissionsService.java @@ -57,7 +57,7 @@ public class PermissionsService { } public User getUser(long userId) throws StorageException { - if (user == null) { + if (user == null && userId > 0) { user = storage.getObject( User.class, new Request(new Columns.All(), new Condition.Equals("id", "id", userId))); } @@ -74,6 +74,12 @@ public class PermissionsService { } } + public void checkManager(long userId) throws StorageException, SecurityException { + if (!getUser(userId).getAdministrator() && getUser(userId).getUserLimit() == 0) { + throw new SecurityException("Manager access required"); + } + } + public interface CheckRestrictionCallback { boolean denied(UserRestrictions userRestrictions); } @@ -137,6 +143,31 @@ public class PermissionsService { } } + public void checkUserUpdate(long userId, User before, User after) throws StorageException, SecurityException { + if (before.getAdministrator() != after.getAdministrator() + || before.getDeviceLimit() != after.getDeviceLimit() + || before.getUserLimit() != after.getUserLimit()) { + checkAdmin(userId); + } + User user = getUser(userId); + if (user != null && user.getExpirationTime() != null + && (after.getExpirationTime() == null + || user.getExpirationTime().compareTo(after.getExpirationTime()) < 0)) { + checkAdmin(userId); + } + if (before.getReadonly() != after.getReadonly() + || before.getDeviceReadonly() != after.getDeviceReadonly() + || before.getDisabled() != after.getDisabled() + || before.getLimitCommands() != after.getLimitCommands() + || before.getDisableReports() != after.getDisableReports()) { + if (userId == after.getId()) { + checkAdmin(userId); + } else { + checkUser(userId, after.getId()); + } + } + } + public <T extends BaseModel> void checkPermission( Class<T> clazz, long userId, long objectId) throws StorageException, SecurityException { if (!getUser(userId).getAdministrator() && !(clazz.equals(User.class) && userId == objectId)) { |