From 9562e31ffebaa9621b28bce453d4383e9eed78b2 Mon Sep 17 00:00:00 2001
From: jcardus <asklocation.net@gmail.com>
Date: Sat, 10 Jul 2021 21:45:11 +0100
Subject: check permission types

---
 .../org/traccar/api/resource/PermissionsResource.java   | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

(limited to 'src/main/java/org/traccar/api/resource/PermissionsResource.java')

diff --git a/src/main/java/org/traccar/api/resource/PermissionsResource.java b/src/main/java/org/traccar/api/resource/PermissionsResource.java
index 15c298094..db16bf941 100644
--- a/src/main/java/org/traccar/api/resource/PermissionsResource.java
+++ b/src/main/java/org/traccar/api/resource/PermissionsResource.java
@@ -26,6 +26,7 @@ import javax.ws.rs.DELETE;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 
@@ -66,6 +67,7 @@ public class PermissionsResource  extends BaseResource {
     @POST
     public Response add(List<LinkedHashMap<String, Long>> entities) throws SQLException, ClassNotFoundException {
         Context.getPermissionsManager().checkReadonly(getUserId());
+        checkPermissionTypes(entities);
         for (LinkedHashMap<String, Long> entity: entities) {
             Permission permission = new Permission(entity);
             checkPermission(permission, true);
@@ -74,13 +76,25 @@ public class PermissionsResource  extends BaseResource {
             LogAction.link(getUserId(), permission.getOwnerClass(), permission.getOwnerId(),
                     permission.getPropertyClass(), permission.getPropertyId());
         }
-        // we assume all permissions are of same type so we use the first one for refreshing
         if (!entities.isEmpty()) {
             Context.getPermissionsManager().refreshPermissions(new Permission(entities.get(0)));
         }
         return Response.noContent().build();
     }
 
+    private void checkPermissionTypes(List<LinkedHashMap<String, Long>> entities) throws ClassNotFoundException {
+        if (!entities.isEmpty()) {
+            Permission first = new Permission(entities.get(0));
+            for (LinkedHashMap<String, Long> entity: entities) {
+                Permission permission = new Permission(entity);
+                if (!first.getOwnerClass().equals(permission.getOwnerClass())
+                    || !first.getPropertyClass().equals(permission.getPropertyClass())) {
+                    throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).build());
+                }
+            }
+        }
+    }
+
     @DELETE
     public Response remove(LinkedHashMap<String, Long> entity) throws SQLException, ClassNotFoundException {
         return remove(Collections.singletonList(entity));
@@ -90,6 +104,7 @@ public class PermissionsResource  extends BaseResource {
     @Path("bulk")
     public Response remove(List<LinkedHashMap<String, Long>> entities) throws SQLException, ClassNotFoundException {
         Context.getPermissionsManager().checkReadonly(getUserId());
+        checkPermissionTypes(entities);
         for (LinkedHashMap<String, Long> entity: entities) {
             Permission permission = new Permission(entity);
             checkPermission(permission, false);
-- 
cgit v1.2.3