From 5fe089626bd367241d3424a0b71dee87805673ca Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Sat, 9 Apr 2022 19:51:37 -0700 Subject: Fix nested permission check --- .../traccar/api/security/PermissionsService.java | 26 +++++++++++++++------- 1 file changed, 18 insertions(+), 8 deletions(-) (limited to 'src/main/java') diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java index e39b8808f..c640f8d74 100644 --- a/src/main/java/org/traccar/api/security/PermissionsService.java +++ b/src/main/java/org/traccar/api/security/PermissionsService.java @@ -15,6 +15,7 @@ */ package org.traccar.api.security; +import org.traccar.model.BaseModel; import org.traccar.model.Calendar; import org.traccar.model.Command; import org.traccar.model.Device; @@ -99,8 +100,7 @@ public class PermissionsService { if (object instanceof GroupedModel) { long groupId = ((GroupedModel) object).getGroupId(); if (groupId > 0) { - denied = storage.getPermissions(User.class, userId, Group.class, groupId).isEmpty(); - // TODO TEST NESTED GROUP PERMISSION + checkPermission(Group.class, userId, groupId); } } if (object instanceof ScheduledModel) { @@ -124,12 +124,22 @@ public class PermissionsService { } } - public void checkPermission( - Class clazz, long userId, long objectId) throws StorageException, SecurityException { - if (!getUser(userId).getAdministrator() - && storage.getPermissions(User.class, userId, clazz, objectId).isEmpty()) { - // TODO handle nested objects - throw new SecurityException(clazz.getSimpleName() + " access denied"); + public void checkPermission( + Class clazz, long userId, long objectId) throws StorageException, SecurityException { + if (!getUser(userId).getAdministrator()) { + var objects = storage.getObjects(clazz, new Request( + new Columns.Include("id"), + new Condition.Permission(User.class, userId, clazz))); + boolean found = false; + for (var object : objects) { + if (object.getId() == objectId) { + found = true; + break; + } + } + if (!found) { + throw new SecurityException(clazz.getSimpleName() + " access denied"); + } } } -- cgit v1.2.3