Diffstat (limited to 'src')
-rw-r--r--src/main/java/org/traccar/api/resource/PermissionsResource.java17
1 files changed, 16 insertions, 1 deletions
diff --git a/src/main/java/org/traccar/api/resource/PermissionsResource.java b/src/main/java/org/traccar/api/resource/PermissionsResource.java
index 15c298094..db16bf941 100644
--- a/src/main/java/org/traccar/api/resource/PermissionsResource.java
+++ b/src/main/java/org/traccar/api/resource/PermissionsResource.java
@@ -26,6 +26,7 @@ import javax.ws.rs.DELETE;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
+import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@@ -66,6 +67,7 @@ public class PermissionsResource extends BaseResource {
@POST
public Response add(List<LinkedHashMap<String, Long>> entities) throws SQLException, ClassNotFoundException {
Context.getPermissionsManager().checkReadonly(getUserId());
+ checkPermissionTypes(entities);
for (LinkedHashMap<String, Long> entity: entities) {
Permission permission = new Permission(entity);
checkPermission(permission, true);
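Review bot: The new type check runs before any write, but `checkPermission(permission, true)` is still evaluated per entity inside the loop, so a batch that fails authorization at a later entity appears to leave the earlier ones already linked and never reaches the `refreshPermissions` call at the end. The link call itself sits in lines this hunk does not show, so this is inferred from the `LogAction.link` that follows it. Consider authorizing the whole batch in a first pass, `for (LinkedHashMap<String, Long> entity: entities) { checkPermission(new Permission(entity), true); }`, and only then linking, so that a rejected request changes nothing. The same ordering applies to the bulk `remove` in the last hunk, and the loop body here continues outside this hunk.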
@@ -74,13 +76,25 @@ public class PermissionsResource extends BaseResource {
LogAction.link(getUserId(), permission.getOwnerClass(), permission.getOwnerId(),
permission.getPropertyClass(), permission.getPropertyId());
}
- // we assume all permissions are of same type so we use the first one for refreshing
if (!entities.isEmpty()) {
Context.getPermissionsManager().refreshPermissions(new Permission(entities.get(0)));
}
return Response.noContent().build();
}
+ private void checkPermissionTypes(List<LinkedHashMap<String, Long>> entities) throws ClassNotFoundException {
+ if (!entities.isEmpty()) {
+ Permission first = new Permission(entities.get(0));
+ for (LinkedHashMap<String, Long> entity: entities) {
+ Permission permission = new Permission(entity);
+ if (!first.getOwnerClass().equals(permission.getOwnerClass())
+ || !first.getPropertyClass().equals(permission.getPropertyClass())) {
+ throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).build());
+ }
+ }
+ }
+ }
+
@DELETE
public Response remove(LinkedHashMap<String, Long> entity) throws SQLException, ClassNotFoundException {
return remove(Collections.singletonList(entity));
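Review bot: `checkPermissionTypes` has no comment saying why a mixed batch is rejected, and this hunk deletes the only line that explained the assumption. I would add above the method `// refreshPermissions() is called with the first entity only, so every entity in the batch must share its owner and property class`. The 400 is also built without a body, so an API client cannot tell this rejection from any other bad request; a short message via `.entity(...)` on the response builder would help. Each map is parsed into a `Permission` here and again in the caller's loop, which is harmless but could be avoided by handing the parsed list back to the caller.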
@@ -90,6 +104,7 @@ public class PermissionsResource extends BaseResource {
@Path("bulk")
public Response remove(List<LinkedHashMap<String, Long>> entities) throws SQLException, ClassNotFoundException {
Context.getPermissionsManager().checkReadonly(getUserId());
+ checkPermissionTypes(entities);
for (LinkedHashMap<String, Long> entity: entities) {
Permission permission = new Permission(entity);
checkPermission(permission, false);