diff --git a/application/src/main/java/org/thingsboard/server/controller/AssetController.java b/application/src/main/java/org/thingsboard/server/controller/AssetController.java
index 5809a7fe7e..2e17fab218 100644
--- a/application/src/main/java/org/thingsboard/server/controller/AssetController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/AssetController.java
@@ -28,8 +28,10 @@ import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.page.TextPageData;
 import org.thingsboard.server.common.data.page.TextPageLink;
 import org.thingsboard.server.common.data.asset.AssetSearchQuery;
+import org.thingsboard.server.common.data.security.Authority;
 import org.thingsboard.server.dao.exception.IncorrectParameterException;
 import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.exception.ThingsboardErrorCode;
 import org.thingsboard.server.exception.ThingsboardException;
 import org.thingsboard.server.service.security.model.SecurityUser;
 
@@ -54,12 +56,21 @@ public class AssetController extends BaseController {
         }
     }
 
-    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @PreAuthorize("hasAnyAuthority('TENANT_ADMIN', 'CUSTOMER_USER')")
     @RequestMapping(value = "/asset", method = RequestMethod.POST)
     @ResponseBody
     public Asset saveAsset(@RequestBody Asset asset) throws ThingsboardException {
         try {
             asset.setTenantId(getCurrentUser().getTenantId());
+            if (getCurrentUser().getAuthority() == Authority.CUSTOMER_USER) {
+                if (asset.getId() == null || asset.getId().isNullUid() ||
+                    asset.getCustomerId() == null || asset.getCustomerId().isNullUid()) {
+                    throw new ThingsboardException("You don't have permission to perform this operation!",
+                        ThingsboardErrorCode.PERMISSION_DENIED);
+                } else {
+                    checkCustomerId(asset.getCustomerId());
+                }
+            }
             return checkNotNull(assetService.saveAsset(asset));
         } catch (Exception e) {
             throw handleException(e);
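Review bot: The new CUSTOMER_USER branch in saveAsset authorizes against the customerId supplied in the request body, never against the record that asset.getId() actually names, so a customer user can submit another customer's (or an unassigned) asset id with their own customerId, pass checkCustomerId, and overwrite or reassign that asset. Only the tenantId is forced from the session; customerId and id are trusted from the caller. The check should resolve the stored asset first and require that its customerId matches the one submitted, presumably via a checkAssetId-style lookup in BaseController alongside the checkCustomerId already used here — confirm that helper exists and that it enforces customer ownership for CUSTOMER_USER. checkCustomerId's exact semantics are not visible in this hunk, and the method's closing braces are outside it.
```java
            if (getCurrentUser().getAuthority() == Authority.CUSTOMER_USER) {
                // … unchanged: null-id / null-customerId rejection …
                // Authorize against the stored record, not the caller-supplied customerId:
                // a customer user may only overwrite an asset already owned by their customer.
                Asset existing = checkAssetId(asset.getId());
                if (existing.getCustomerId() == null
                        || !existing.getCustomerId().equals(asset.getCustomerId())) {
                    throw new ThingsboardException("You don't have permission to perform this operation!",
                        ThingsboardErrorCode.PERMISSION_DENIED);
                }
                checkCustomerId(asset.getCustomerId());
            }
```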
diff --git a/application/src/main/java/org/thingsboard/server/controller/DeviceController.java b/application/src/main/java/org/thingsboard/server/controller/DeviceController.java
index 637a760a00..fac841d938 100644
--- a/application/src/main/java/org/thingsboard/server/controller/DeviceController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/DeviceController.java
@@ -27,10 +27,12 @@ import org.thingsboard.server.common.data.id.DeviceId;
 import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.page.TextPageData;
 import org.thingsboard.server.common.data.page.TextPageLink;
+import org.thingsboard.server.common.data.security.Authority;
 import org.thingsboard.server.common.data.security.DeviceCredentials;
 import org.thingsboard.server.common.data.device.DeviceSearchQuery;
 import org.thingsboard.server.dao.exception.IncorrectParameterException;
 import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.exception.ThingsboardErrorCode;
 import org.thingsboard.server.exception.ThingsboardException;
 import org.thingsboard.server.service.security.model.SecurityUser;
 
@@ -55,12 +57,21 @@ public class DeviceController extends BaseController {
         }
     }
 
-    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @PreAuthorize("hasAnyAuthority('TENANT_ADMIN', 'CUSTOMER_USER')")
     @RequestMapping(value = "/device", method = RequestMethod.POST)
     @ResponseBody
     public Device saveDevice(@RequestBody Device device) throws ThingsboardException {
         try {
             device.setTenantId(getCurrentUser().getTenantId());
+            if (getCurrentUser().getAuthority() == Authority.CUSTOMER_USER) {
+                if (device.getId() == null || device.getId().isNullUid() ||
+                    device.getCustomerId() == null || device.getCustomerId().isNullUid()) {
+                    throw new ThingsboardException("You don't have permission to perform this operation!",
+                        ThingsboardErrorCode.PERMISSION_DENIED);
+                } else {
+                    checkCustomerId(device.getCustomerId());
+                }
+            }
             Device savedDevice = checkNotNull(deviceService.saveDevice(device));
             actorService
                 .onDeviceNameOrTypeUpdate(
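Review bot: The CUSTOMER_USER guard in saveDevice has the same gap as the asset one: it validates the customerId the caller put in the body but never checks that the device identified by device.getId() already belongs to that customer, so a customer user who learns another customer's device id can overwrite it (name, type, additional info) by pairing that id with their own customerId. Devices are the identity used by the actor layer, so reassigning one is also an impersonation path. Resolve the stored device before saving and require its customerId to equal the submitted one, presumably via a checkDeviceId-style lookup in BaseController next to the checkCustomerId already called here — confirm it exists and enforces customer ownership for CUSTOMER_USER. The rest of saveDevice (the actorService call and the method's end) lies outside this hunk.
```java
            if (getCurrentUser().getAuthority() == Authority.CUSTOMER_USER) {
                // … unchanged: null-id / null-customerId rejection …
                // Authorize against the persisted device, not the caller-supplied customerId.
                Device existing = checkDeviceId(device.getId());
                if (existing.getCustomerId() == null
                        || !existing.getCustomerId().equals(device.getCustomerId())) {
                    throw new ThingsboardException("You don't have permission to perform this operation!",
                        ThingsboardErrorCode.PERMISSION_DENIED);
                }
                checkCustomerId(device.getCustomerId());
            }
```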