From 2bb63a0b1c82c42c0d13614c5a67521130165368 Mon Sep 17 00:00:00 2001
From: Anton Tananaev <anton.tananaev@gmail.com>
Date: Sun, 20 Dec 2015 21:12:37 +1300
Subject: Check readonly and registration flags

---
 src/org/traccar/api/resource/DeviceResource.java |  3 +++
 src/org/traccar/api/resource/ServerResource.java |  1 +
 src/org/traccar/api/resource/UserResource.java   |  2 +-
 src/org/traccar/database/PermissionsManager.java | 22 +++++++++++++++++++++-
 4 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/src/org/traccar/api/resource/DeviceResource.java b/src/org/traccar/api/resource/DeviceResource.java
index a25201678..a4bfc1030 100644
--- a/src/org/traccar/api/resource/DeviceResource.java
+++ b/src/org/traccar/api/resource/DeviceResource.java
@@ -55,6 +55,7 @@ public class DeviceResource extends BaseResource {
 
     @POST
     public Response add(Device entity) throws SQLException {
+        Context.getPermissionsManager().checkReadonly(getUserId());
         Context.getDataManager().addDevice(entity);
         Context.getDataManager().linkDevice(getUserId(), entity.getId());
         Context.getPermissionsManager().refresh();
@@ -64,6 +65,7 @@ public class DeviceResource extends BaseResource {
     @Path("{id}")
     @PUT
     public Response update(@PathParam("id") long id, Device entity) throws SQLException {
+        Context.getPermissionsManager().checkReadonly(getUserId());
         Context.getPermissionsManager().checkDevice(getUserId(), id);
         Context.getDataManager().updateDevice(entity);
         return Response.ok(entity).build();
@@ -72,6 +74,7 @@ public class DeviceResource extends BaseResource {
     @Path("{id}")
     @DELETE
     public Response remove(@PathParam("id") long id) throws SQLException {
+        Context.getPermissionsManager().checkReadonly(getUserId());
         Context.getPermissionsManager().checkDevice(getUserId(), id);
         Context.getDataManager().removeDevice(id);
         Context.getPermissionsManager().refresh();
diff --git a/src/org/traccar/api/resource/ServerResource.java b/src/org/traccar/api/resource/ServerResource.java
index 54c04d21b..9e42687ab 100644
--- a/src/org/traccar/api/resource/ServerResource.java
+++ b/src/org/traccar/api/resource/ServerResource.java
@@ -44,6 +44,7 @@ public class ServerResource extends BaseResource {
     public Response update(Server entity) throws SQLException {
         Context.getPermissionsManager().checkAdmin(getUserId());
         Context.getDataManager().updateServer(entity);
+        Context.getPermissionsManager().refresh();
         return Response.ok(entity).build();
     }
 
diff --git a/src/org/traccar/api/resource/UserResource.java b/src/org/traccar/api/resource/UserResource.java
index bf4cb85c3..4d57d5b0c 100644
--- a/src/org/traccar/api/resource/UserResource.java
+++ b/src/org/traccar/api/resource/UserResource.java
@@ -47,7 +47,7 @@ public class UserResource extends BaseResource {
     @PermitAll
     @POST
     public Response add(User entity) throws SQLException {
-        Context.getPermissionsManager().checkUser(getUserId(), entity.getId());
+        Context.getPermissionsManager().checkRegistration(getUserId());
         Context.getDataManager().addUser(entity);
         Context.getPermissionsManager().refresh();
         return Response.ok(entity).build();
diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java
index a38a29c32..b0f544a42 100644
--- a/src/org/traccar/database/PermissionsManager.java
+++ b/src/org/traccar/database/PermissionsManager.java
@@ -23,12 +23,15 @@ import java.util.Map;
 import java.util.Set;
 import org.traccar.helper.Log;
 import org.traccar.model.Permission;
+import org.traccar.model.Server;
 import org.traccar.model.User;
 
 public class PermissionsManager {
 
     private final DataManager dataManager;
 
+    private Server server;
+
     private final Map<Long, User> users = new HashMap<>();
 
     private final Map<Long, Set<Long>> permissions = new HashMap<>();
@@ -49,6 +52,7 @@ public class PermissionsManager {
         users.clear();
         permissions.clear();
         try {
+            server = dataManager.getServer();
             for (User user : dataManager.getUsers()) {
                 users.put(user.getId(), user);
             }
@@ -60,8 +64,12 @@ public class PermissionsManager {
         }
     }
 
+    private boolean isAdmin(long userId) {
+        return users.containsKey(userId) && users.get(userId).getAdmin();
+    }
+
     public void checkAdmin(long userId) throws SecurityException {
-        if (!users.containsKey(userId) || !users.get(userId).getAdmin()) {
+        if (!isAdmin(userId)) {
             throw new SecurityException("Admin access required");
         }
     }
@@ -82,4 +90,16 @@ public class PermissionsManager {
         }
     }
 
+    public void checkRegistration(long userId) {
+        if (!server.getRegistration() && !isAdmin(userId)) {
+            throw new SecurityException("Registration disabled");
+        }
+    }
+
+    public void checkReadonly(long userId) {
+        if (server.getReadonly() && !isAdmin(userId)) {
+            throw new SecurityException("Readonly user");
+        }
+    }
+
 }
-- 
cgit v1.2.3