From 2bb63a0b1c82c42c0d13614c5a67521130165368 Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Sun, 20 Dec 2015 21:12:37 +1300 Subject: Check readonly and registration flags --- src/org/traccar/api/resource/DeviceResource.java | 3 +++ src/org/traccar/api/resource/ServerResource.java | 1 + src/org/traccar/api/resource/UserResource.java | 2 +- src/org/traccar/database/PermissionsManager.java | 22 +++++++++++++++++++++- 4 files changed, 26 insertions(+), 2 deletions(-) (limited to 'src/org/traccar') diff --git a/src/org/traccar/api/resource/DeviceResource.java b/src/org/traccar/api/resource/DeviceResource.java index a25201678..a4bfc1030 100644 --- a/src/org/traccar/api/resource/DeviceResource.java +++ b/src/org/traccar/api/resource/DeviceResource.java @@ -55,6 +55,7 @@ public class DeviceResource extends BaseResource { @POST public Response add(Device entity) throws SQLException { + Context.getPermissionsManager().checkReadonly(getUserId()); Context.getDataManager().addDevice(entity); Context.getDataManager().linkDevice(getUserId(), entity.getId()); Context.getPermissionsManager().refresh(); @@ -64,6 +65,7 @@ public class DeviceResource extends BaseResource { @Path("{id}") @PUT public Response update(@PathParam("id") long id, Device entity) throws SQLException { + Context.getPermissionsManager().checkReadonly(getUserId()); Context.getPermissionsManager().checkDevice(getUserId(), id); Context.getDataManager().updateDevice(entity); return Response.ok(entity).build(); @@ -72,6 +74,7 @@ public class DeviceResource extends BaseResource { @Path("{id}") @DELETE public Response remove(@PathParam("id") long id) throws SQLException { + Context.getPermissionsManager().checkReadonly(getUserId()); Context.getPermissionsManager().checkDevice(getUserId(), id); Context.getDataManager().removeDevice(id); Context.getPermissionsManager().refresh(); diff --git a/src/org/traccar/api/resource/ServerResource.java b/src/org/traccar/api/resource/ServerResource.java index 54c04d21b..9e42687ab 100644 --- a/src/org/traccar/api/resource/ServerResource.java +++ b/src/org/traccar/api/resource/ServerResource.java @@ -44,6 +44,7 @@ public class ServerResource extends BaseResource { public Response update(Server entity) throws SQLException { Context.getPermissionsManager().checkAdmin(getUserId()); Context.getDataManager().updateServer(entity); + Context.getPermissionsManager().refresh(); return Response.ok(entity).build(); } diff --git a/src/org/traccar/api/resource/UserResource.java b/src/org/traccar/api/resource/UserResource.java index bf4cb85c3..4d57d5b0c 100644 --- a/src/org/traccar/api/resource/UserResource.java +++ b/src/org/traccar/api/resource/UserResource.java @@ -47,7 +47,7 @@ public class UserResource extends BaseResource { @PermitAll @POST public Response add(User entity) throws SQLException { - Context.getPermissionsManager().checkUser(getUserId(), entity.getId()); + Context.getPermissionsManager().checkRegistration(getUserId()); Context.getDataManager().addUser(entity); Context.getPermissionsManager().refresh(); return Response.ok(entity).build(); diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java index a38a29c32..b0f544a42 100644 --- a/src/org/traccar/database/PermissionsManager.java +++ b/src/org/traccar/database/PermissionsManager.java @@ -23,12 +23,15 @@ import java.util.Map; import java.util.Set; import org.traccar.helper.Log; import org.traccar.model.Permission; +import org.traccar.model.Server; import org.traccar.model.User; public class PermissionsManager { private final DataManager dataManager; + private Server server; + private final Map users = new HashMap<>(); private final Map> permissions = new HashMap<>(); @@ -49,6 +52,7 @@ public class PermissionsManager { users.clear(); permissions.clear(); try { + server = dataManager.getServer(); for (User user : dataManager.getUsers()) { users.put(user.getId(), user); } @@ -60,8 +64,12 @@ public class PermissionsManager { } } + private boolean isAdmin(long userId) { + return users.containsKey(userId) && users.get(userId).getAdmin(); + } + public void checkAdmin(long userId) throws SecurityException { - if (!users.containsKey(userId) || !users.get(userId).getAdmin()) { + if (!isAdmin(userId)) { throw new SecurityException("Admin access required"); } } @@ -82,4 +90,16 @@ public class PermissionsManager { } } + public void checkRegistration(long userId) { + if (!server.getRegistration() && !isAdmin(userId)) { + throw new SecurityException("Registration disabled"); + } + } + + public void checkReadonly(long userId) { + if (server.getReadonly() && !isAdmin(userId)) { + throw new SecurityException("Readonly user"); + } + } + } -- cgit v1.2.3