From 5fe089626bd367241d3424a0b71dee87805673ca Mon Sep 17 00:00:00 2001
From: Anton Tananaev <anton@traccar.org>
Date: Sat, 9 Apr 2022 19:51:37 -0700
Subject: Fix nested permission check

---
 .../traccar/api/security/PermissionsService.java   | 26 +++++++++++++++-------
 1 file changed, 18 insertions(+), 8 deletions(-)

(limited to 'src/main')

diff --git a/src/main/java/org/traccar/api/security/PermissionsService.java b/src/main/java/org/traccar/api/security/PermissionsService.java
index e39b8808f..c640f8d74 100644
--- a/src/main/java/org/traccar/api/security/PermissionsService.java
+++ b/src/main/java/org/traccar/api/security/PermissionsService.java
@@ -15,6 +15,7 @@
  */
 package org.traccar.api.security;
 
+import org.traccar.model.BaseModel;
 import org.traccar.model.Calendar;
 import org.traccar.model.Command;
 import org.traccar.model.Device;
@@ -99,8 +100,7 @@ public class PermissionsService {
             if (object instanceof GroupedModel) {
                 long groupId = ((GroupedModel) object).getGroupId();
                 if (groupId > 0) {
-                    denied = storage.getPermissions(User.class, userId, Group.class, groupId).isEmpty();
-                    // TODO TEST NESTED GROUP PERMISSION
+                    checkPermission(Group.class, userId, groupId);
                 }
             }
             if (object instanceof ScheduledModel) {
@@ -124,12 +124,22 @@ public class PermissionsService {
         }
     }
 
-    public void checkPermission(
-            Class<?> clazz, long userId, long objectId) throws StorageException, SecurityException {
-        if (!getUser(userId).getAdministrator()
-                && storage.getPermissions(User.class, userId, clazz, objectId).isEmpty()) {
-            // TODO handle nested objects
-            throw new SecurityException(clazz.getSimpleName() + " access denied");
+    public <T extends BaseModel> void checkPermission(
+            Class<T> clazz, long userId, long objectId) throws StorageException, SecurityException {
+        if (!getUser(userId).getAdministrator()) {
+            var objects = storage.getObjects(clazz, new Request(
+                    new Columns.Include("id"),
+                    new Condition.Permission(User.class, userId, clazz)));
+            boolean found = false;
+            for (var object : objects) {
+                if (object.getId() == objectId) {
+                    found = true;
+                    break;
+                }
+            }
+            if (!found) {
+                throw new SecurityException(clazz.getSimpleName() + " access denied");
+            }
         }
     }
 
-- 
cgit v1.2.3