From fc75fe4ab4f8ea9de58c41772fdd92c10c73f2bc Mon Sep 17 00:00:00 2001
From: Anton Tananaev
Date: Sat, 13 Jun 2015 17:36:31 +1200
Subject: Fix API access permissions
---
 src/org/traccar/database/PermissionsManager.java | 27 ++++++++++++++++++------
 1 file changed, 20 insertions(+), 7 deletions(-)
(limited to 'src/org/traccar/database/PermissionsManager.java')
diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java
index e889afb06..f34fecb08 100644
--- a/src/org/traccar/database/PermissionsManager.java
+++ b/src/org/traccar/database/PermissionsManager.java
@@ -24,9 +24,12 @@ import java.util.Set;
import org.traccar.Context;
import org.traccar.helper.Log;
import org.traccar.model.Permission;
+import org.traccar.model.User;
public class PermissionsManager {
+ private final Map users = new HashMap();
+
private final Map> permissions = new HashMap>();
private Set getNotNull(long userId) {
@@ -41,8 +44,12 @@ public class PermissionsManager {
}
public final void refresh() {
+ users.clear();
permissions.clear();
try {
+ for (User user : Context.getDataManager().getUsers()) {
+ users.put(user.getId(), user);
+ }
for (Permission permission : Context.getDataManager().getPermissions()) {
getNotNull(permission.getUserId()).add(permission.getDeviceId());
}
@@ -51,19 +58,25 @@ public class PermissionsManager {
}
}
+ public void checkAdmin(long userId) throws SecurityException {
+ if (!users.containsKey(userId) || !users.get(userId).getAdmin()) {
+ throw new SecurityException("Admin access required");
+ }
+ }
+
+ public void checkUser(long userId, long otherUserId) throws SecurityException {
+ if (userId != otherUserId) {
+ checkAdmin(userId);
+ }
+ }
+
public Collection allowedDevices(long userId) {
return getNotNull(userId);
}
public void checkDevice(long userId, long deviceId) throws SecurityException {
if (getNotNull(userId).contains(deviceId)) {
- throw new SecurityException();
- }
- }
-
- public void checkDevices(long userId, Collection devices) throws SecurityException {
- if (getNotNull(userId).containsAll(devices)) {
- throw new SecurityException();
+ throw new SecurityException("Device access denied");
}
}
-- cgit v1.2.3
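Review bot: `checkDevice` throws exactly when the device is permitted — `getNotNull(userId)` is the set that `refresh()` fills from `Permission.getDeviceId()` and that `allowedDevices` returns, so `contains(deviceId)` is true for an authorized device, and the new "Device access denied" exception is raised for allowed devices while unknown device ids pass silently. The condition needs negating: `if (!getNotNull(userId).contains(deviceId)) {`. The removed `checkDevices` had the same inversion, and this commit only changes the exception message, so the access check remains ineffective. Separately, `!users.get(userId).getAdmin()` in `checkAdmin` would throw NullPointerException rather than SecurityException if `getAdmin()` returns a boxed `Boolean` that is null; the `User` model is not visible here, so this is worth confirming.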