4 files changed, 20 insertions, 6 deletions

diff --git a/src/main/java/org/traccar/api/ExtendedObjectResource.java b/src/main/java/org/traccar/api/ExtendedObjectResource.java
index 6037118dd..e49f67bb9 100644
--- a/src/main/java/org/traccar/api/ExtendedObjectResource.java
+++ b/src/main/java/org/traccar/api/ExtendedObjectResource.java
@@ -44,7 +44,9 @@ public class ExtendedObjectResource<T extends BaseModel> extends BaseObjectResou
         var conditions = new LinkedList<Condition>();
 
         if (all) {
-            permissionsService.checkAdmin(getUserId());
+            if (!permissionsService.isAdmin(getUserId())) {
+                conditions.add(new Condition.Permission(User.class, getUserId(), baseClass));
+            }
         } else {
             if (userId == 0) {
                 conditions.add(new Condition.Permission(User.class, getUserId(), baseClass));
diff --git a/src/main/java/org/traccar/api/SimpleObjectResource.java b/src/main/java/org/traccar/api/SimpleObjectResource.java
index c61101077..15a496c5f 100644
--- a/src/main/java/org/traccar/api/SimpleObjectResource.java
+++ b/src/main/java/org/traccar/api/SimpleObjectResource.java
@@ -41,7 +41,9 @@ public class SimpleObjectResource<T extends BaseModel> extends BaseObjectResourc
         var conditions = new LinkedList<Condition>();
 
         if (all) {
-            permissionsService.checkAdmin(getUserId());
+            if (!permissionsService.isAdmin(getUserId())) {
+                conditions.add(new Condition.Permission(User.class, getUserId(), baseClass));
+            }
         } else {
             if (userId == 0) {
                 userId = getUserId();
diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java
index 4d5cd88ab..ac687fc1c 100644
--- a/src/main/java/org/traccar/api/security/PermissionsService.java
+++ b/src/main/java/org/traccar/api/security/PermissionsService.java
@@ -21,6 +21,7 @@ import org.traccar.model.Command;
 import org.traccar.model.Device;
 import org.traccar.model.Group;
 import org.traccar.model.GroupedModel;
+import org.traccar.model.ManagedUser;
 import org.traccar.model.ScheduledModel;
 import org.traccar.model.Server;
 import org.traccar.model.User;
@@ -60,9 +61,13 @@ public class PermissionsService {
         return user;
     }
 
+    public boolean isAdmin(long userId) throws StorageException {
+        return getUser(userId).getAdministrator();
+    }
+
     public void checkAdmin(long userId) throws StorageException, SecurityException {
         if (!getUser(userId).getAdministrator()) {
-            throw new SecurityException("Account is readonly");
+            throw new SecurityException("Administrator access required");
         }
     }
 
@@ -118,7 +123,7 @@ public class PermissionsService {
     public void checkUser(long userId, long managedUserId) throws StorageException, SecurityException {
         if (userId != managedUserId && !getUser(userId).getAdministrator()) {
             if (!getUser(userId).getManager()
-                    || storage.getPermissions(User.class, userId, User.class, managedUserId).isEmpty()) {
+                    || storage.getPermissions(User.class, userId, ManagedUser.class, managedUserId).isEmpty()) {
                 throw new SecurityException("User access denied");
             }
         }
@@ -129,7 +134,8 @@ public class PermissionsService {
         if (!getUser(userId).getAdministrator() && !(clazz.equals(User.class) && userId == objectId)) {
             var objects = storage.getObjects(clazz, new Request(
                     new Columns.Include("id"),
-                    new Condition.Permission(User.class, userId, clazz)));
+                    new Condition.Permission(
+                            User.class, userId, clazz.equals(User.class) ? ManagedUser.class : clazz)));
             boolean found = false;
             for (var object : objects) {
                 if (object.getId() == objectId) {
diff --git a/src/main/java/org/traccar/storage/DatabaseStorage.java b/src/main/java/org/traccar/storage/DatabaseStorage.java
index e8966be8e..cd82448e1 100644
--- a/src/main/java/org/traccar/storage/DatabaseStorage.java
+++ b/src/main/java/org/traccar/storage/DatabaseStorage.java
@@ -128,9 +128,13 @@ public class DatabaseStorage extends Storage {
             conditions.add(new Condition.Equals(
                     Permission.getKey(propertyClass), Permission.getKey(propertyClass), propertyId));
         }
-        query.append(formatCondition(Condition.merge(conditions)));
+        Condition combinedCondition = Condition.merge(conditions);
+        query.append(formatCondition(combinedCondition));
         try {
             QueryBuilder builder = QueryBuilder.create(dataSource, query.toString());
+            for (Map.Entry<String, Object> variable : getConditionVariables(combinedCondition).entrySet()) {
+                builder.setValue(variable.getKey(), variable.getValue());
+            }
             return builder.executePermissionsQuery();
         } catch (SQLException e) {
             throw new StorageException(e);