From 136be53a084b84a0a764d0d326146fca241733f4 Mon Sep 17 00:00:00 2001
From: Anton Tananaev
Date: Sat, 27 Jun 2015 10:50:40 +1200
Subject: Fix user security issue
---
 src/org/traccar/http/UserServlet.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'src/org/traccar/http')
diff --git a/src/org/traccar/http/UserServlet.java b/src/org/traccar/http/UserServlet.java
index f388326b0..19a70ac93 100644
--- a/src/org/traccar/http/UserServlet.java
+++ b/src/org/traccar/http/UserServlet.java
@@ -53,7 +53,11 @@ public class UserServlet extends BaseServlet {
 private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
 User user = JsonConverter.objectFromJson(req.getReader(), new User());
- Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ if (user.getAdmin()) {
+ Context.getPermissionsManager().checkAdmin(getUserId(req));
+ } else {
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ }
 Context.getDataManager().updateUser(user);
 sendResponse(resp.getWriter(), true);
 }
--
cgit v1.2.3
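Review bot: The new branch in `update()` authorizes on `user.getAdmin()`, a value read from the request body, and `updateUser(user)` then persists the whole deserialized object, so the check protects the admin flag and nothing else. If `User` carries other privilege-bearing or sensitive fields (not visible in this hunk), a caller who passes `checkUser` can still overwrite them on their own record. Consider loading the stored record and copying across only the fields a non-admin is allowed to change, so the decision rests on server-side state rather than on the submitted object. The rule is also worth stating above the branch, e.g. `// Only an administrator may save a record with the admin flag set; other callers may edit only their own record.`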