From fc75fe4ab4f8ea9de58c41772fdd92c10c73f2bc Mon Sep 17 00:00:00 2001
From: Anton Tananaev
Date: Sat, 13 Jun 2015 17:36:31 +1200
Subject: Fix API access permissions
---
 src/org/traccar/database/DataManager.java | 7 +++++-
 src/org/traccar/database/PermissionsManager.java | 27 ++++++++++++++++++------
 2 files changed, 26 insertions(+), 8 deletions(-)
(limited to 'src/org/traccar/database')
diff --git a/src/org/traccar/database/DataManager.java b/src/org/traccar/database/DataManager.java
index dd611d975..bab785a96 100644
--- a/src/org/traccar/database/DataManager.java
+++ b/src/org/traccar/database/DataManager.java
@@ -50,7 +50,7 @@ public class DataManager {
 private final Properties properties;
 private DataSource dataSource;
-
+
 private final Map devices = new HashMap();
 private long devicesLastUpdate;
 private long devicesRefreshDelay;
@@ -231,6 +231,7 @@ public class DataManager {
 user.setId(QueryBuilder.create(dataSource, properties.getProperty("database.insertUser"))
 .setObject(user)
 .executeUpdate());
+ Context.getPermissionsManager().refresh();
 }
 public void updateUser(User user) throws SQLException {
@@ -243,12 +244,15 @@ public class DataManager {
 .setObject(user)
 .executeUpdate();
 }
+
+ Context.getPermissionsManager().refresh();
 }
 public void removeUser(User user) throws SQLException {
 QueryBuilder.create(dataSource, properties.getProperty("database.deleteUser"))
 .setObject(user)
 .executeUpdate();
+ Context.getPermissionsManager().refresh();
 }
 public Collection getPermissions() throws SQLException {
@@ -290,6 +294,7 @@ public class DataManager {
 .setLong("userId", userId)
 .setLong("deviceId", deviceId)
 .executeUpdate();
+ Context.getPermissionsManager().refresh();
 }
 public Collection getPositions(long userId, long deviceId, Date from, Date to) throws SQLException {
diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java
index e889afb06..f34fecb08 100644
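Review bot: The four new `Context.getPermissionsManager().refresh();` calls (addUser, updateUser, removeUser and the permission write at @@ -290) each trigger a reload of every user and every permission row, since PermissionsManager.refresh in this same patch iterates `getUsers()` and `getPermissions()`, so every write now costs two full table reads; the identical line repeated four times would also read better as one `private void refreshPermissions()` helper. The reload is not atomic with the SQL statement: a request handled between `executeUpdate()` and the refresh still consults the old cache, and any write path not touched by these hunks (for example a permission removal, if one exists elsewhere in the file) would keep serving stale entries to checkAdmin/checkDevice. All four enclosing methods start or end outside their hunks.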
--- a/src/org/traccar/database/PermissionsManager.java
+++ b/src/org/traccar/database/PermissionsManager.java
@@ -24,9 +24,12 @@ import java.util.Set;
 import org.traccar.Context;
 import org.traccar.helper.Log;
 import org.traccar.model.Permission;
+import org.traccar.model.User;
 public class PermissionsManager {
+ private final Map users = new HashMap();
+
 private final Map> permissions = new HashMap>();
 private Set getNotNull(long userId) {
@@ -41,8 +44,12 @@ public class PermissionsManager {
 }
 public final void refresh() {
+ users.clear();
 permissions.clear();
 try {
+ for (User user : Context.getDataManager().getUsers()) {
+ users.put(user.getId(), user);
+ }
 for (Permission permission : Context.getDataManager().getPermissions()) {
 getNotNull(permission.getUserId()).add(permission.getDeviceId());
 }
@@ -51,19 +58,25 @@ public class PermissionsManager {
 }
 }
+ public void checkAdmin(long userId) throws SecurityException {
+ if (!users.containsKey(userId) || !users.get(userId).getAdmin()) {
+ throw new SecurityException("Admin access required");
+ }
+ }
+
+ public void checkUser(long userId, long otherUserId) throws SecurityException {
+ if (userId != otherUserId) {
+ checkAdmin(userId);
+ }
+ }
+
 public Collection allowedDevices(long userId) {
 return getNotNull(userId);
 }
 public void checkDevice(long userId, long deviceId) throws SecurityException {
 if (getNotNull(userId).contains(deviceId)) {
- throw new SecurityException();
- }
- }
-
- public void checkDevices(long userId, Collection devices) throws SecurityException {
- if (getNotNull(userId).containsAll(devices)) {
- throw new SecurityException();
+ throw new SecurityException("Device access denied");
 }
 }
--
cgit v1.2.3
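Review bot: `refresh()` at @@ -41 clears and repopulates the new `users` map (and the existing `permissions` map) in place, both plain `HashMap`s, with no `synchronized` or other publication visible on the method, while the new checkAdmin/checkDevice read those same maps; if refresh is reached from the DataManager write paths on a request thread while other requests are being authorized, readers can observe an empty or half-filled map, and concurrent structural modification of a HashMap is undefined (lost entries or a CME rather than a clean deny). A safer shape is to fill two local maps inside the try block and publish them to `volatile` fields in one assignment each after the loops complete, with `getNotNull` reading the published map rather than inserting into it — its body is outside this hunk, so confirm how it behaves on a miss. The clearing before `try` does at least fail closed: if the reload throws, every check denies until the next successful refresh, which is worth a one-line comment on `users.clear();`.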
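Review bot: `checkDevice` at @@ -51 still has its condition inverted: `if (getNotNull(userId).contains(deviceId))` throws "Device access denied" exactly when the user is permitted the device and returns silently when they are not, so any caller that relies on the exception to block access lets unauthorized device ids through; the commit only changes the message. The guard should be `if (!getNotNull(userId).contains(deviceId)) {`, and the removed `checkDevices` had the same inversion, which is presumably why it was dropped. In `checkAdmin`, `!users.get(userId).getAdmin()` will throw NullPointerException instead of SecurityException if `getAdmin()` returns a boxed `Boolean` that can be null from the database — the User model is outside this diff, so verify; `Boolean.TRUE.equals(users.get(userId).getAdmin())` would be robust either way. A test that calls `checkDevice` with a device id not in the user's set and expects SecurityException would have caught the inversion.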