From 3eff91673944f202e0aebe20faa925011568b685 Mon Sep 17 00:00:00 2001
From: Anton Tananaev
Date: Sun, 20 Dec 2015 14:40:15 +1300
Subject: Check permissions for REST API calls

---
 src/org/traccar/api/BaseResource.java | 14 ++++++
 src/org/traccar/api/ResourceErrorHandler.java | 16 +++---
 src/org/traccar/api/resource/CommandResource.java | 2 +
 src/org/traccar/api/resource/DeviceResource.java | 52 +++++++++++-----------
 .../traccar/api/resource/PermissionResource.java | 25 +++++------
 src/org/traccar/api/resource/PositionResource.java | 13 +++---
 src/org/traccar/api/resource/ServerResource.java | 20 +++------
 src/org/traccar/api/resource/SessionResource.java | 35 ++++++---------
 src/org/traccar/api/resource/UserResource.java | 49 +++++++++-----------
 9 files changed, 105 insertions(+), 121 deletions(-)

diff --git a/src/org/traccar/api/BaseResource.java b/src/org/traccar/api/BaseResource.java
index 5a05c6732..368df7166 100644
--- a/src/org/traccar/api/BaseResource.java
+++ b/src/org/traccar/api/BaseResource.java
@@ -15,5 +15,19 @@
  */
 package org.traccar.api;
 
+import javax.ws.rs.core.SecurityContext;
+
 public class BaseResource {
+
+    @javax.ws.rs.core.Context
+    private SecurityContext securityContext;
+
+    protected SecurityContext getSecurityContext() {
+        return securityContext;
+    }
+
+    protected long getUserId() {
+        return ((UserPrincipal) securityContext.getUserPrincipal()).getUserId();
+    }
+
 }
diff --git a/src/org/traccar/api/ResourceErrorHandler.java b/src/org/traccar/api/ResourceErrorHandler.java
index e2f4dce10..be63aad09 100644
--- a/src/org/traccar/api/ResourceErrorHandler.java
+++ b/src/org/traccar/api/ResourceErrorHandler.java
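Review bot: `getUserId()` casts `securityContext.getUserPrincipal()` without checking for an absent or foreign principal, so a request that reaches a `@PermitAll` method without an authenticated identity (`UserResource.add` in a later hunk calls `getUserId()`) fails with a NullPointerException or ClassCastException instead of a clean 401. With the revised `ResourceErrorHandler` in the next hunk that runtime exception is then reported to the client as 400 with a stack trace. I would resolve the principal once, reject anything that is not a `UserPrincipal` with `Response.Status.UNAUTHORIZED`, and keep the cast behind that check; whether `getUserPrincipal()` can actually be null here depends on the security filter, which is not part of this commit.
```java
    protected long getUserId() {
        java.security.Principal principal = securityContext.getUserPrincipal();
        if (!(principal instanceof UserPrincipal)) {
            throw new javax.ws.rs.WebApplicationException(javax.ws.rs.core.Response.Status.UNAUTHORIZED);
        }
        return ((UserPrincipal) principal).getUserId();
    }
```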
@@ -23,21 +23,21 @@ import javax.ws.rs.ext.ExceptionMapper;
 import java.util.HashMap;
 import java.util.Map;
 
-public class ResourceErrorHandler implements ExceptionMapper {
+public class ResourceErrorHandler implements ExceptionMapper {
 
     private static final String KEY_MESSAGE = "message";
     private static final String KEY_DETAILS = "details";
 
     @Override
-    public Response toResponse(WebApplicationException e) {
+    public Response toResponse(Exception e) {
         Map error = new HashMap<>();
-        Throwable cause = e.getCause();
-        if (cause != null) {
-            error.put(KEY_MESSAGE, cause.getMessage());
-            error.put(KEY_DETAILS, Log.exceptionStack(cause));
-            return Response.status(Response.Status.BAD_REQUEST).entity(error).build();
+        if (e instanceof WebApplicationException) {
+            WebApplicationException webApplicationException = (WebApplicationException) e;
+            return Response.status(webApplicationException.getResponse().getStatus()).entity(error).build();
         } else {
-            return Response.status(e.getResponse().getStatus()).entity(error).build();
+            error.put(KEY_MESSAGE, e.getMessage());
+            error.put(KEY_DETAILS, Log.exceptionStack(e));
+            return Response.status(Response.Status.BAD_REQUEST).entity(error).build();
         }
     }
 
diff --git a/src/org/traccar/api/resource/CommandResource.java b/src/org/traccar/api/resource/CommandResource.java
index fa0755143..3cd39d182 100644
--- a/src/org/traccar/api/resource/CommandResource.java
+++ b/src/org/traccar/api/resource/CommandResource.java
@@ -25,6 +25,7 @@ import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.SecurityContext;
 
 @Path("commands")
 @Produces(MediaType.APPLICATION_JSON)
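Review bot: Widening the mapper to `Exception` means every non-JAX-RS failure, now including the `SQLException`s the resources throw instead of wrapping, is answered with 400 and a body carrying `e.getMessage()` and `Log.exceptionStack(e)`, so the server stack trace and driver message are sent to the client. From the caller's side a database or internal error is a 500, and the stack belongs in the server log rather than the response: log it server-side and return `error.put(KEY_MESSAGE, "Internal server error");` with `Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(error).build();`. If the `PermissionsManager.check*` methods used in the later hunks signal failure with a plain runtime exception rather than a `WebApplicationException` (not visible here), they also land in this branch as 400 with a trace instead of 403. The `WebApplicationException` branch additionally replaces the original response entity with an empty map, which loses any body the thrower built.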
@@ -33,6 +34,7 @@ public class CommandResource extends BaseResource {
 
     @POST
     public Response add(Command entity) {
+        Context.getPermissionsManager().checkDevice(getUserId(), entity.getDeviceId());
         Context.getConnectionManager().getActiveDevice(entity.getDeviceId()).sendCommand(entity);
         return Response.ok(entity).build();
     }
diff --git a/src/org/traccar/api/resource/DeviceResource.java b/src/org/traccar/api/resource/DeviceResource.java
index 00b77e16c..a25201678 100644
--- a/src/org/traccar/api/resource/DeviceResource.java
+++ b/src/org/traccar/api/resource/DeviceResource.java
@@ -28,7 +28,7 @@ import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
-import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import org.traccar.model.Device;
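Review bot: The `javax.ws.rs.core.SecurityContext` import added to `CommandResource` in the previous hunk is not used by this one (`getUserId()` is inherited from `BaseResource`), so it should be dropped to keep the file lint-clean. The `checkDevice` call is correctly placed before the command is dispatched. The existing `getActiveDevice(entity.getDeviceId())` result is still dereferenced without a null check; if it can be null for a device that is not connected (not visible here), the NullPointerException now surfaces through the new error handler as a 400 with a stack trace rather than a 404 or 409 the caller can act on.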
@@ -39,45 +39,43 @@ import org.traccar.model.Device;
 public class DeviceResource extends BaseResource {
 
     @GET
-    public Collection get() {
-        try {
+    public Collection get(
+            @QueryParam("all") boolean all, @QueryParam("userId") long userId) throws SQLException {
+        if (all) {
+            Context.getPermissionsManager().checkAdmin(getUserId());
             return Context.getDataManager().getAllDevices();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
+        } else {
+            if (userId == 0) {
+                userId = getUserId();
+            }
+            Context.getPermissionsManager().checkUser(getUserId(), userId);
+            return Context.getDataManager().getDevices(userId);
         }
     }
 
     @POST
-    public Response add(Device entity) {
-        try {
-            Context.getDataManager().addDevice(entity);
-            return Response.ok(entity).build();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
-        }
+    public Response add(Device entity) throws SQLException {
+        Context.getDataManager().addDevice(entity);
+        Context.getDataManager().linkDevice(getUserId(), entity.getId());
+        Context.getPermissionsManager().refresh();
+        return Response.ok(entity).build();
     }
 
     @Path("{id}")
     @PUT
-    public Response update(@PathParam("id") long id, Device entity) {
-        try {
-            entity.setId(id);
-            Context.getDataManager().updateDevice(entity);
-            return Response.ok(entity).build();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
-        }
+    public Response update(@PathParam("id") long id, Device entity) throws SQLException {
+        Context.getPermissionsManager().checkDevice(getUserId(), id);
+        Context.getDataManager().updateDevice(entity);
+        return Response.ok(entity).build();
     }
 
     @Path("{id}")
     @DELETE
-    public Response remove(@PathParam("id") long id) {
-        try {
-            Context.getDataManager().removeDevice(id);
-            return Response.noContent().build();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
-        }
+    public Response remove(@PathParam("id") long id) throws SQLException {
+        Context.getPermissionsManager().checkDevice(getUserId(), id);
+        Context.getDataManager().removeDevice(id);
+        Context.getPermissionsManager().refresh();
+        return Response.noContent().build();
     }
 
 }
diff --git a/src/org/traccar/api/resource/PermissionResource.java b/src/org/traccar/api/resource/PermissionResource.java
index 84be6be0e..50deb77c2 100644
--- a/src/org/traccar/api/resource/PermissionResource.java
+++ b/src/org/traccar/api/resource/PermissionResource.java
@@ -24,7 +24,6 @@ import javax.ws.rs.DELETE;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
-import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import java.sql.SQLException;
@@ -35,23 +34,19 @@ import java.sql.SQLException;
 public class PermissionResource extends BaseResource {
 
     @POST
-    public Response add(Permission entity) {
-        try {
-            Context.getDataManager().linkDevice(entity.getUserId(), entity.getDeviceId());
-            return Response.ok(entity).build();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
-        }
+    public Response add(Permission entity) throws SQLException {
+        Context.getPermissionsManager().checkAdmin(getUserId());
+        Context.getDataManager().linkDevice(entity.getUserId(), entity.getDeviceId());
+        Context.getPermissionsManager().refresh();
+        return Response.ok(entity).build();
     }
 
     @DELETE
-    public Response remove(Permission entity) {
-        try {
-            Context.getDataManager().unlinkDevice(entity.getUserId(), entity.getDeviceId());
-            return Response.noContent().build();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
-        }
+    public Response remove(Permission entity) throws SQLException {
+        Context.getPermissionsManager().checkAdmin(getUserId());
+        Context.getDataManager().unlinkDevice(entity.getUserId(), entity.getDeviceId());
+        Context.getPermissionsManager().refresh();
+        return Response.noContent().build();
     }
 
 }
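Review bot: `DeviceResource.update()` now authorizes against the path parameter `id` but writes whatever id the request body carries, because the `entity.setId(id);` line was dropped together with the try/catch; a caller permitted for device `id` can submit a body naming another device, and the `checkDevice` guard no longer covers the row that `updateDevice` touches. Restore the assignment between the check and the write so both key on the same identifier: `Context.getPermissionsManager().checkDevice(getUserId(), id);` then `entity.setId(id);` then `Context.getDataManager().updateDevice(entity);`. `UserResource.update` in the last hunk removes the same line; its check and write at least both use `entity.getId()`, but the `{id}` path segment there is ignored entirely, which deserves the same fix. That `updateDevice` keys the row on `entity.getId()` is in `DataManager`, outside this commit, but the removed line shows the original code relied on it.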
diff --git a/src/org/traccar/api/resource/PositionResource.java b/src/org/traccar/api/resource/PositionResource.java
index e2c405d96..ec6925b3a 100644
--- a/src/org/traccar/api/resource/PositionResource.java
+++ b/src/org/traccar/api/resource/PositionResource.java
@@ -25,7 +25,6 @@ import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
-import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
 import java.sql.SQLException;
 import java.util.Collection;
@@ -37,13 +36,11 @@ public class PositionResource extends BaseResource {
 
     @GET
     public Collection get(
-            @QueryParam("deviceId") long deviceId, @QueryParam("from") String from, @QueryParam("to") String to) {
-        try {
-            return Context.getDataManager().getPositions(
-                    deviceId, JsonConverter.parseDate(from), JsonConverter.parseDate(to));
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
-        }
+            @QueryParam("deviceId") long deviceId, @QueryParam("from") String from, @QueryParam("to") String to)
+            throws SQLException {
+        Context.getPermissionsManager().checkDevice(getUserId(), deviceId);
+        return Context.getDataManager().getPositions(
+                deviceId, JsonConverter.parseDate(from), JsonConverter.parseDate(to));
     }
 
 }
diff --git a/src/org/traccar/api/resource/ServerResource.java b/src/org/traccar/api/resource/ServerResource.java
index 36f7f14c3..54c04d21b 100644
--- a/src/org/traccar/api/resource/ServerResource.java
+++ b/src/org/traccar/api/resource/ServerResource.java
@@ -25,7 +25,6 @@ import javax.ws.rs.GET;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
-import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import java.sql.SQLException;
@@ -37,22 +36,15 @@ public class ServerResource extends BaseResource {
 
     @PermitAll
     @GET
-    public Server get() {
-        try {
-            return Context.getDataManager().getServer();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
-        }
+    public Server get() throws SQLException {
+        return Context.getDataManager().getServer();
     }
 
     @PUT
-    public Response update(Server entity) {
-        try {
-            Context.getDataManager().updateServer(entity);
-            return Response.ok(entity).build();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
-        }
+    public Response update(Server entity) throws SQLException {
+        Context.getPermissionsManager().checkAdmin(getUserId());
+        Context.getDataManager().updateServer(entity);
+        return Response.ok(entity).build();
     }
 
 }
diff --git a/src/org/traccar/api/resource/SessionResource.java b/src/org/traccar/api/resource/SessionResource.java
index 554b6760e..745088a4d 100644
--- a/src/org/traccar/api/resource/SessionResource.java
+++ b/src/org/traccar/api/resource/SessionResource.java
@@ -45,32 +45,25 @@ public class SessionResource extends BaseResource {
 
     @PermitAll
     @GET
-    public User get() {
-        try {
-            Long userId = (Long) request.getSession().getAttribute(USER_ID_KEY);
-            if (userId != null) {
-                return Context.getDataManager().getUser(userId);
-            } else {
-                throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build());
-            }
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
+    public User get() throws SQLException {
+        Long userId = (Long) request.getSession().getAttribute(USER_ID_KEY);
+        if (userId != null) {
+            return Context.getDataManager().getUser(userId);
+        } else {
+            throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build());
         }
     }
 
     @PermitAll
     @POST
-    public User add(@FormParam("email") String email, @FormParam("password") String password) {
-        try {
-            User user = Context.getDataManager().login(email, password);
-            if (user != null) {
-                request.getSession().setAttribute(USER_ID_KEY, user.getId());
-                return user;
-            } else {
-                throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).build());
-            }
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
+    public User add(
+            @FormParam("email") String email, @FormParam("password") String password) throws SQLException {
+        User user = Context.getDataManager().login(email, password);
+        if (user != null) {
+            request.getSession().setAttribute(USER_ID_KEY, user.getId());
+            return user;
+        } else {
+            throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).build());
         }
     }
 
diff --git a/src/org/traccar/api/resource/UserResource.java b/src/org/traccar/api/resource/UserResource.java
index ac81ba865..bf4cb85c3 100644
--- a/src/org/traccar/api/resource/UserResource.java
+++ b/src/org/traccar/api/resource/UserResource.java
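Review bot: `add()` stores the user id into the session the client already held before authenticating, without rotating the session identifier, so a session id that was fixed or observed before login stays valid as an authenticated session afterwards. Since this is the `@PermitAll` login endpoint, I would call `request.changeSessionId();` (Servlet 3.1) or invalidate and recreate the session immediately before `request.getSession().setAttribute(USER_ID_KEY, user.getId());`; whether the container here supports Servlet 3.1 is not visible in this commit. `get()` likewise calls `request.getSession()`, which creates a session for every anonymous probe; `request.getSession(false)` with a null check keeps the NOT_FOUND path allocation-free. The restructure itself preserves both status codes and simply lets `SQLException` propagate to the mapper.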
@@ -26,7 +26,6 @@ import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
-import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 
@@ -40,46 +39,40 @@ import org.traccar.model.User;
 public class UserResource extends BaseResource {
 
     @GET
-    public Collection get() {
-        try {
-            return Context.getDataManager().getUsers();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
-        }
+    public Collection get() throws SQLException {
+        Context.getPermissionsManager().checkAdmin(getUserId());
+        return Context.getDataManager().getUsers();
     }
 
     @PermitAll
     @POST
-    public Response add(User entity) {
-        try {
-            Context.getDataManager().addUser(entity);
-            return Response.ok(entity).build();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
-        }
+    public Response add(User entity) throws SQLException {
+        Context.getPermissionsManager().checkUser(getUserId(), entity.getId());
+        Context.getDataManager().addUser(entity);
+        Context.getPermissionsManager().refresh();
+        return Response.ok(entity).build();
     }
 
     @Path("{id}")
     @PUT
-    public Response update(@PathParam("id") long id, User entity) {
-        try {
-            entity.setId(id);
-            Context.getDataManager().updateUser(entity);
-            return Response.ok(entity).build();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
+    public Response update(@PathParam("id") long id, User entity) throws SQLException {
+        if (entity.getAdmin()) {
+            Context.getPermissionsManager().checkAdmin(getUserId());
+        } else {
+            Context.getPermissionsManager().checkUser(getUserId(), entity.getId());
         }
+        Context.getDataManager().updateUser(entity);
+        Context.getPermissionsManager().refresh();
+        return Response.ok(entity).build();
     }
 
     @Path("{id}")
     @DELETE
-    public Response remove(@PathParam("id") long id) {
-        try {
-            Context.getDataManager().removeUser(id);
-            return Response.noContent().build();
-        } catch (SQLException e) {
-            throw new WebApplicationException(e);
-        }
+    public Response remove(@PathParam("id") long id) throws SQLException {
+        Context.getPermissionsManager().checkUser(getUserId(), id);
+        Context.getDataManager().removeUser(id);
+        Context.getPermissionsManager().refresh();
+        return Response.noContent().build();
     }
 
 }
-- 
cgit v1.2.3
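Review bot: `add()` accepts `entity.getAdmin()` from the request body unchecked, while `update()` in the same hunk only lets an admin set that flag; with `add()` annotated `@PermitAll`, the creation path therefore allows a caller to create an administrator without being one. Mirror the `update()` guard before `addUser`: `if (entity.getAdmin()) { Context.getPermissionsManager().checkAdmin(getUserId()); }`. The `checkUser(getUserId(), entity.getId())` call in `add()` also means a `@PermitAll` endpoint invokes `getUserId()` for every caller, so an unauthenticated registration request reaches the unchecked principal cast in `BaseResource`; the intended policy (open self-registration versus admin-only creation) should be stated in a comment on the method and enforced explicitly rather than left to that cast. What `checkUser` does for a not-yet-persisted `entity.getId()` is inside `PermissionsManager` and not visible here.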