From fc75fe4ab4f8ea9de58c41772fdd92c10c73f2bc Mon Sep 17 00:00:00 2001
From: Anton Tananaev
Date: Sat, 13 Jun 2015 17:36:31 +1200
Subject: Fix API access permissions

---
 src/org/traccar/http/BaseServlet.java | 13 +++++++++----
 src/org/traccar/http/DeviceServlet.java | 14 ++++++++------
 src/org/traccar/http/PositionServlet.java | 8 ++++----
 src/org/traccar/http/ServerServlet.java | 5 +++--
 src/org/traccar/http/UserServlet.java | 12 ++++++++----
 5 files changed, 32 insertions(+), 20 deletions(-)

(limited to 'src/org/traccar/http')

diff --git a/src/org/traccar/http/BaseServlet.java b/src/org/traccar/http/BaseServlet.java
index be4b41631..9dba2e647 100644
--- a/src/org/traccar/http/BaseServlet.java
+++ b/src/org/traccar/http/BaseServlet.java
@@ -25,7 +25,6 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
 import org.traccar.model.User;
 
 public abstract class BaseServlet extends HttpServlet {
@@ -46,14 +45,20 @@ public abstract class BaseServlet extends HttpServlet {
 protected abstract boolean handle(String command, HttpServletRequest req, HttpServletResponse resp) throws Exception;
 
- public long getUserId(HttpSession session) {
- User user = (User) session.getAttribute(USER_KEY);
+ public long getUserId(HttpServletRequest req) {
+ User user = (User) req.getSession().getAttribute(USER_KEY);
 if (user == null) {
- throw new AccessControlException("User is not logged in");
+ throw new AccessControlException("User not logged in");
 }
 return user.getId();
 }
 
+ public void securityCheck(boolean check) throws SecurityException {
+ if (!check) {
+ throw new SecurityException("Access denied");
+ }
+ }
+
 public void sendResponse(Writer writer, boolean success) throws IOException {
 JsonObjectBuilder result = Json.createObjectBuilder();
 result.add("success", success);
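Review bot: `getUserId` calls `req.getSession()` with no argument, which creates a fresh session for a request that has none, so every unauthenticated API call that ends in `AccessControlException` still allocates server-side session state. The no-create form keeps the check side-effect free: `HttpSession session = req.getSession(false);` followed by `User user = (session != null) ? (User) session.getAttribute(USER_KEY) : null;` (this keeps the `javax.servlet.http.HttpSession` import that the first hunk removes). The new `securityCheck(boolean)` helper is not called by any servlet in this commit and its `throws SecurityException` clause is redundant for an unchecked exception; a one-line Javadoc saying it is the intended fail-closed gate for callers would make its purpose clear.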
diff --git a/src/org/traccar/http/DeviceServlet.java b/src/org/traccar/http/DeviceServlet.java
index 1387c2a13..1e8e1f047 100644
--- a/src/org/traccar/http/DeviceServlet.java
+++ b/src/org/traccar/http/DeviceServlet.java
@@ -40,25 +40,27 @@ public class DeviceServlet extends BaseServlet {
 private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
 sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
- Context.getDataManager().getDevices(getUserId(req.getSession()))));
+ Context.getDataManager().getDevices(getUserId(req))));
 }
 
 private void add(HttpServletRequest req, HttpServletResponse resp) throws Exception {
 Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
 Context.getDataManager().addDevice(device);
- Context.getDataManager().linkDevice(getUserId(req.getSession()), device.getId());
+ Context.getDataManager().linkDevice(getUserId(req), device.getId());
 sendResponse(resp.getWriter(), JsonConverter.objectToJson(device));
 }
 
 private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().updateDevice(JsonConverter.objectFromJson(
- req.getReader(), new Device()));
+ Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
+ Context.getPermissionsManager().checkDevice(getUserId(req), device.getId());
+ Context.getDataManager().updateDevice(device);
 sendResponse(resp.getWriter(), true);
 }
 
 private void remove(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().removeDevice(JsonConverter.objectFromJson(
- req.getReader(), new Device()));
+ Device device = JsonConverter.objectFromJson(req.getReader(), new Device());
+ Context.getPermissionsManager().checkDevice(getUserId(req), device.getId());
+ Context.getDataManager().removeDevice(device);
 sendResponse(resp.getWriter(), true);
 }
 
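Review bot: In `update` and `remove` the authorization decision keys on `device.getId()` deserialized from the request body, so it relies on `checkDevice` failing closed for any id the caller is not linked to, including whatever value a missing `id` field leaves in the `new Device()` prototype (presumably 0). That is sound as long as `checkDevice` is strict, but the reliance is worth stating at the call site, e.g. `// id is client-supplied; checkDevice must reject any device not linked to this user`. The same pattern appears in UserServlet's `update` and `remove` with `checkUser`.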
diff --git a/src/org/traccar/http/PositionServlet.java b/src/org/traccar/http/PositionServlet.java
index e6348ec54..57b411a79 100644
--- a/src/org/traccar/http/PositionServlet.java
+++ b/src/org/traccar/http/PositionServlet.java
@@ -15,10 +15,9 @@
 */
 package org.traccar.http;
 
-import org.traccar.Context;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.traccar.Context;
 
 public class PositionServlet extends BaseServlet {
 
@@ -31,10 +30,11 @@ public class PositionServlet extends BaseServlet {
 }
 
 private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ long deviceId = Long.valueOf(req.getParameter("deviceId"));
+ Context.getPermissionsManager().checkDevice(getUserId(req), deviceId);
 sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
 Context.getDataManager().getPositions(
- getUserId(req.getSession()),
- Long.valueOf(req.getParameter("deviceId")),
+ getUserId(req), deviceId,
 JsonConverter.parseDate(req.getParameter("from")),
 JsonConverter.parseDate(req.getParameter("to")))));
 }
diff --git a/src/org/traccar/http/ServerServlet.java b/src/org/traccar/http/ServerServlet.java
index baac99084..d814769a8 100644
--- a/src/org/traccar/http/ServerServlet.java
+++ b/src/org/traccar/http/ServerServlet.java
@@ -40,8 +40,9 @@ public class ServerServlet extends BaseServlet {
 }
 
 private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().updateServer(JsonConverter.objectFromJson(
- req.getReader(), new Server()));
+ Server server = JsonConverter.objectFromJson(req.getReader(), new Server());
+ Context.getPermissionsManager().checkAdmin(getUserId(req));
+ Context.getDataManager().updateServer(server);
 sendResponse(resp.getWriter(), true);
 }
 
diff --git a/src/org/traccar/http/UserServlet.java b/src/org/traccar/http/UserServlet.java
index 597b54a5c..f388326b0 100644
--- a/src/org/traccar/http/UserServlet.java
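Review bot: `Long.valueOf(req.getParameter("deviceId"))` now runs first in `get`, so a missing or non-numeric `deviceId` fails with a `NumberFormatException` (`Long.valueOf` throws that for a null string) before any permission check runs; what the client then sees presumably depends on how the base servlet maps exceptions to responses, which is not visible here. An explicit guard makes that failure mode intentional, e.g. `String deviceParam = req.getParameter("deviceId"); if (deviceParam == null) { throw new IllegalArgumentException("deviceId is required"); }` before the parse, and `Long.parseLong(deviceParam)` avoids boxing since only a primitive is needed. The first hunk of this file only reorders imports.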
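Review bot: `checkAdmin` does not depend on the request body, yet in `update` it runs only after `objectFromJson` has already parsed it; moving `Context.getPermissionsManager().checkAdmin(getUserId(req));` above the `Server server = ...` line rejects non-admin callers before any untrusted JSON is deserialized. The body of `update` is fully inside the hunk.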
+++ b/src/org/traccar/http/UserServlet.java
@@ -39,25 +39,29 @@ public class UserServlet extends BaseServlet {
 }
 
 private void get(HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ Context.getPermissionsManager().checkAdmin(getUserId(req));
 sendResponse(resp.getWriter(), JsonConverter.arrayToJson(
 Context.getDataManager().getUsers()));
 }
 
 private void add(HttpServletRequest req, HttpServletResponse resp) throws Exception {
 User user = JsonConverter.objectFromJson(req.getReader(), new User());
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
 Context.getDataManager().addUser(user);
 sendResponse(resp.getWriter(), JsonConverter.objectToJson(user));
 }
 
 private void update(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().updateUser(JsonConverter.objectFromJson(
- req.getReader(), new User()));
+ User user = JsonConverter.objectFromJson(req.getReader(), new User());
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ Context.getDataManager().updateUser(user);
 sendResponse(resp.getWriter(), true);
 }
 
 private void remove(HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Context.getDataManager().removeUser(JsonConverter.objectFromJson(
- req.getReader(), new User()));
+ User user = JsonConverter.objectFromJson(req.getReader(), new User());
+ Context.getPermissionsManager().checkUser(getUserId(req), user.getId());
+ Context.getDataManager().removeUser(user);
 sendResponse(resp.getWriter(), true);
 }
 
-- cgit v1.2.3
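Review bot: In `add`, `checkUser(getUserId(req), user.getId())` evaluates an id that came from the request body before `addUser` has assigned one, so the caller chooses which id the check is made against; if `checkUser` lets a user act on their own id (which `update`/`remove` on one's own account would need), a non-admin can satisfy the check by supplying their own id and still create a new user. `get` already requires admin for listing users, so unless open registration is intended `add` should use the same gate, `Context.getPermissionsManager().checkAdmin(getUserId(req));`, placed before the `objectFromJson` call so the body is not parsed for unauthorized callers. How `checkUser` treats an absent id or a self-id is not visible in this hunk, so this is worth confirming against PermissionsManager.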