From b2f021bc447884d85c9fbcce93bb708d3702d1d8 Mon Sep 17 00:00:00 2001
From: Anton Tananaev <anton@traccar.org>
Date: Sun, 4 Dec 2022 10:38:38 -0800
Subject: Improve permissions check

---
 .../traccar/api/security/PermissionsService.java   | 32 ++++++++++++++--------
 1 file changed, 21 insertions(+), 11 deletions(-)

(limited to 'src/main/java/org/traccar/api')

diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java
index 37bb6fd72..4421572d7 100644
--- a/src/main/java/org/traccar/api/security/PermissionsService.java
+++ b/src/main/java/org/traccar/api/security/PermissionsService.java
@@ -120,25 +120,35 @@ public class PermissionsService {
         }
     }
 
-    public void checkEdit(long userId, Object object, boolean addition) throws StorageException, SecurityException {
+    public void checkEdit(long userId, BaseModel object, boolean addition) throws StorageException, SecurityException {
         if (!getUser(userId).getAdministrator()) {
             checkEdit(userId, object.getClass(), addition);
-            boolean denied = false;
             if (object instanceof GroupedModel) {
-                long groupId = ((GroupedModel) object).getGroupId();
-                if (groupId > 0) {
-                    checkPermission(Group.class, userId, groupId);
+                GroupedModel after = ((GroupedModel) object);
+                if (after.getGroupId() > 0) {
+                    GroupedModel before = null;
+                    if (!addition) {
+                        before = storage.getObject(after.getClass(), new Request(
+                                new Columns.Include("groupId"), new Condition.Equals("id", object.getId())));
+                    }
+                    if (before == null || before.getGroupId() != after.getGroupId()) {
+                        checkPermission(Group.class, userId, after.getGroupId());
+                    }
                 }
             }
             if (object instanceof ScheduledModel) {
-                long calendarId = ((ScheduledModel) object).getCalendarId();
-                if (calendarId > 0) {
-                    denied = storage.getPermissions(User.class, userId, Calendar.class, calendarId).isEmpty();
+                ScheduledModel after = ((ScheduledModel) object);
+                if (after.getCalendarId() > 0) {
+                    ScheduledModel before = null;
+                    if (!addition) {
+                        before = storage.getObject(after.getClass(), new Request(
+                                new Columns.Include("calendarId"), new Condition.Equals("id", object.getId())));
+                    }
+                    if (before == null || before.getCalendarId() != after.getCalendarId()) {
+                        checkPermission(Calendar.class, userId, after.getCalendarId());
+                    }
                 }
             }
-            if (denied) {
-                throw new SecurityException("Write access denied");
-            }
         }
     }
 
-- 
cgit v1.2.3