From 9562e31ffebaa9621b28bce453d4383e9eed78b2 Mon Sep 17 00:00:00 2001 From: jcardus Date: Sat, 10 Jul 2021 21:45:11 +0100 Subject: check permission types --- .../org/traccar/api/resource/PermissionsResource.java | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'src/main/java/org/traccar/api') diff --git a/src/main/java/org/traccar/api/resource/PermissionsResource.java b/src/main/java/org/traccar/api/resource/PermissionsResource.java index 15c298094..db16bf941 100644 --- a/src/main/java/org/traccar/api/resource/PermissionsResource.java +++ b/src/main/java/org/traccar/api/resource/PermissionsResource.java @@ -26,6 +26,7 @@ import javax.ws.rs.DELETE; import javax.ws.rs.POST; import javax.ws.rs.Path; import javax.ws.rs.Produces; +import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -66,6 +67,7 @@ public class PermissionsResource extends BaseResource { @POST public Response add(List> entities) throws SQLException, ClassNotFoundException { Context.getPermissionsManager().checkReadonly(getUserId()); + checkPermissionTypes(entities); for (LinkedHashMap entity: entities) { Permission permission = new Permission(entity); checkPermission(permission, true); @@ -74,13 +76,25 @@ public class PermissionsResource extends BaseResource { LogAction.link(getUserId(), permission.getOwnerClass(), permission.getOwnerId(), permission.getPropertyClass(), permission.getPropertyId()); } - // we assume all permissions are of same type so we use the first one for refreshing if (!entities.isEmpty()) { Context.getPermissionsManager().refreshPermissions(new Permission(entities.get(0))); } return Response.noContent().build(); } + private void checkPermissionTypes(List> entities) throws ClassNotFoundException { + if (!entities.isEmpty()) { + Permission first = new Permission(entities.get(0)); + for (LinkedHashMap entity: entities) { + Permission permission = new Permission(entity); + if (!first.getOwnerClass().equals(permission.getOwnerClass()) + || !first.getPropertyClass().equals(permission.getPropertyClass())) { + throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).build()); + } + } + } + } + @DELETE public Response remove(LinkedHashMap entity) throws SQLException, ClassNotFoundException { return remove(Collections.singletonList(entity)); @@ -90,6 +104,7 @@ public class PermissionsResource extends BaseResource { @Path("bulk") public Response remove(List> entities) throws SQLException, ClassNotFoundException { Context.getPermissionsManager().checkReadonly(getUserId()); + checkPermissionTypes(entities); for (LinkedHashMap entity: entities) { Permission permission = new Permission(entity); checkPermission(permission, false); -- cgit v1.2.3