From 18305737a6dac8fb45037f193736b0261f92ab9d Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Wed, 23 Nov 2016 02:28:11 +1300 Subject: New user security check (fix #2589) --- src/org/traccar/api/SecurityRequestFilter.java | 2 +- src/org/traccar/api/resource/SessionResource.java | 2 +- src/org/traccar/api/resource/UserResource.java | 17 ++++------------- 3 files changed, 6 insertions(+), 15 deletions(-) (limited to 'src/org/traccar/api') diff --git a/src/org/traccar/api/SecurityRequestFilter.java b/src/org/traccar/api/SecurityRequestFilter.java index 3f2390754..ca3ebf04d 100644 --- a/src/org/traccar/api/SecurityRequestFilter.java +++ b/src/org/traccar/api/SecurityRequestFilter.java @@ -83,7 +83,7 @@ public class SecurityRequestFilter implements ContainerRequestFilter { Long userId = (Long) request.getSession().getAttribute(SessionResource.USER_ID_KEY); if (userId != null) { - Context.getPermissionsManager().checkUser(userId); + Context.getPermissionsManager().checkUserEnabled(userId); Context.getStatisticsManager().registerRequest(userId); securityContext = new UserSecurityContext(new UserPrincipal(userId)); } diff --git a/src/org/traccar/api/resource/SessionResource.java b/src/org/traccar/api/resource/SessionResource.java index 996865c4b..5f1c597d1 100644 --- a/src/org/traccar/api/resource/SessionResource.java +++ b/src/org/traccar/api/resource/SessionResource.java @@ -80,7 +80,7 @@ public class SessionResource extends BaseResource { } if (userId != null) { - Context.getPermissionsManager().checkUser(userId); + Context.getPermissionsManager().checkUserEnabled(userId); return Context.getPermissionsManager().getUser(userId); } else { throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build()); diff --git a/src/org/traccar/api/resource/UserResource.java b/src/org/traccar/api/resource/UserResource.java index a9edced25..ddbca6b0f 100644 --- a/src/org/traccar/api/resource/UserResource.java +++ b/src/org/traccar/api/resource/UserResource.java @@ -49,6 +49,7 @@ public class UserResource extends BaseResource { public Response add(User entity) throws SQLException { if (!Context.getPermissionsManager().isAdmin(getUserId())) { Context.getPermissionsManager().checkRegistration(getUserId()); + Context.getPermissionsManager().checkUserUpdate(getUserId(), new User(), entity); } Context.getPermissionsManager().addUser(entity); if (Context.getNotificationManager() != null) { @@ -60,19 +61,9 @@ public class UserResource extends BaseResource { @Path("{id}") @PUT public Response update(User entity) throws SQLException { - User old = Context.getPermissionsManager().getUser(entity.getId()); - if (old.getExpirationTime() == null && entity.getExpirationTime() != null - || old.getExpirationTime() != null && !old.getExpirationTime().equals(entity.getExpirationTime()) - || old.getAdmin() != entity.getAdmin() - || old.getReadonly() != entity.getReadonly() - || old.getDisabled() != entity.getDisabled() - || old.getDeviceLimit() != entity.getDeviceLimit() - || old.getToken() == null && entity.getToken() != null - || old.getToken() != null && !old.getToken().equals(entity.getToken())) { - Context.getPermissionsManager().checkAdmin(getUserId()); - } else { - Context.getPermissionsManager().checkUser(getUserId(), entity.getId()); - } + User before = Context.getPermissionsManager().getUser(entity.getId()); + Context.getPermissionsManager().checkUser(getUserId(), entity.getId()); + Context.getPermissionsManager().checkUserUpdate(getUserId(), before, entity); Context.getPermissionsManager().updateUser(entity); if (Context.getNotificationManager() != null) { Context.getNotificationManager().refresh(); -- cgit v1.2.3