diff --git a/application/src/main/java/org/thingsboard/server/controller/AlarmController.java b/application/src/main/java/org/thingsboard/server/controller/AlarmController.java
index 2132675f97..f6881c7164 100644
--- a/application/src/main/java/org/thingsboard/server/controller/AlarmController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/AlarmController.java
@@ -28,7 +28,6 @@ import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 import org.thingsboard.server.common.data.EntityType;
 import org.thingsboard.server.common.data.alarm.Alarm;
-import org.thingsboard.server.common.data.id.AlarmId;
 import org.thingsboard.server.common.data.alarm.AlarmInfo;
 import org.thingsboard.server.common.data.alarm.AlarmQuery;
 import org.thingsboard.server.common.data.alarm.AlarmSearchStatus;
@@ -37,6 +36,7 @@ import org.thingsboard.server.common.data.alarm.AlarmStatus;
 import org.thingsboard.server.common.data.audit.ActionType;
 import org.thingsboard.server.common.data.exception.ThingsboardErrorCode;
 import org.thingsboard.server.common.data.exception.ThingsboardException;
+import org.thingsboard.server.common.data.id.AlarmId;
 import org.thingsboard.server.common.data.id.EntityId;
 import org.thingsboard.server.common.data.id.EntityIdFactory;
 import org.thingsboard.server.common.data.page.TimePageData;
@@ -84,8 +84,14 @@ public class AlarmController extends BaseController {
     public Alarm saveAlarm(@RequestBody Alarm alarm) throws ThingsboardException {
         try {
             alarm.setTenantId(getCurrentUser().getTenantId());
-            Operation operation = alarm.getId() == null ? Operation.CREATE : Operation.WRITE;
-            accessControlService.checkPermission(getCurrentUser(), Resource.ALARM, operation, alarm.getId(), alarm);
+
+            if (alarm.getId() == null) {
+                accessControlService
+                        .checkPermission(getCurrentUser(), Resource.ALARM, Operation.CREATE, alarm.getId(), alarm);
+            } else {
+                checkAlarmId(alarm.getId(), Operation.WRITE);
+            }
+
             Alarm savedAlarm = checkNotNull(alarmService.createOrUpdateAlarm(alarm));
             logEntityAction(savedAlarm.getId(), savedAlarm, getCurrentUser().getCustomerId(),
diff --git a/application/src/main/java/org/thingsboard/server/controller/AssetController.java b/application/src/main/java/org/thingsboard/server/controller/AssetController.java
index 03c5462446..322991176b 100644
--- a/application/src/main/java/org/thingsboard/server/controller/AssetController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/AssetController.java
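Review bot: The update branch now authorizes through `checkAlarmId(alarm.getId(), Operation.WRITE)`, but nothing in the hunk records why the two branches must differ, and the reason is security-relevant: the removed code ran the WRITE check against the request-body object whose tenantId had just been overwritten by `alarm.setTenantId(getCurrentUser().getTenantId())`, so ownership was evaluated on caller-supplied data rather than on the stored entity. Presumably `checkAlarmId` (defined outside this diff, likely in BaseController) loads the persisted alarm and checks the caller's permission on that; a one-line comment on the else branch, `// WRITE is authorized against the persisted alarm (loaded by checkAlarmId), not the submitted body`, would stop a future refactor from folding the branches back into the old single check. The same split is applied to the save methods in AssetController, CustomerController, DashboardController, DeviceController, EntityViewController, RuleChainController, TenantController, UserController, WidgetTypeController and WidgetsBundleController and deserves the same comment there. In the create branch `alarm.getId()` is known to be null at that point, so passing `null` explicitly would read more honestly. saveAlarm's body continues past the hunk.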
@@ -76,18 +76,20 @@ public class AssetController extends BaseController {
         try {
             asset.setTenantId(getCurrentUser().getTenantId());
-            Operation operation = asset.getId() == null ? Operation.CREATE : Operation.WRITE;
+            if (asset.getId() == null) {
+                accessControlService
+                        .checkPermission(getCurrentUser(), Resource.ASSET, Operation.CREATE, asset.getId(), asset);
+            } else {
+                checkAssetId(asset.getId(), Operation.WRITE);
+            }
-            accessControlService.checkPermission(getCurrentUser(), Resource.ASSET, operation,
-                    asset.getId(), asset);
-
-            Asset savedAsset = checkNotNull(assetService.saveAsset(asset));
+            Asset savedAsset = checkNotNull(assetService.saveAsset(asset));
             logEntityAction(savedAsset.getId(), savedAsset,
                     savedAsset.getCustomerId(),
                     asset.getId() == null ? ActionType.ADDED : ActionType.UPDATED, null);
-            return savedAsset;
+            return savedAsset;
         } catch (Exception e) {
             logEntityAction(emptyId(EntityType.ASSET), asset, null,
                     asset.getId() == null ? ActionType.ADDED : ActionType.UPDATED, e);
@@ -138,7 +140,7 @@ public class AssetController extends BaseController {
                     savedAsset.getCustomerId(),
                     ActionType.ASSIGNED_TO_CUSTOMER, null, strAssetId, strCustomerId, customer.getName());
-            return savedAsset;
+            return savedAsset;
         } catch (Exception e) {
             logEntityAction(emptyId(EntityType.ASSET), null,
@@ -218,7 +220,7 @@ public class AssetController extends BaseController {
         try {
             TenantId tenantId = getCurrentUser().getTenantId();
             TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
-            if (type != null && type.trim().length()>0) {
+            if (type != null && type.trim().length() > 0) {
                 return checkNotNull(assetService.findAssetsByTenantIdAndType(tenantId, type, pageLink));
             } else {
                 return checkNotNull(assetService.findAssetsByTenantId(tenantId, pageLink));
@@ -257,7 +259,7 @@ public class AssetController extends BaseController {
             CustomerId customerId = new CustomerId(toUUID(strCustomerId));
             checkCustomerId(customerId, Operation.READ);
             TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
-            if (type != null && type.trim().length()>0) {
+            if (type != null && type.trim().length() > 0) {
                 return checkNotNull(assetService.findAssetsByTenantIdAndCustomerIdAndType(tenantId, customerId, type, pageLink));
             } else {
                 return checkNotNull(assetService.findAssetsByTenantIdAndCustomerId(tenantId, customerId, pageLink));
diff --git a/application/src/main/java/org/thingsboard/server/controller/CustomerController.java b/application/src/main/java/org/thingsboard/server/controller/CustomerController.java
index 18fcfc2ab5..31b41c9745 100644
--- a/application/src/main/java/org/thingsboard/server/controller/CustomerController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/CustomerController.java
@@ -100,8 +100,12 @@ public class CustomerController extends BaseController {
         try {
             customer.setTenantId(getCurrentUser().getTenantId());
-            Operation operation = customer.getId() == null ? Operation.CREATE : Operation.WRITE;
-            accessControlService.checkPermission(getCurrentUser(), Resource.CUSTOMER, operation, customer.getId(), customer);
+            if (customer.getId() == null) {
+                accessControlService
+                        .checkPermission(getCurrentUser(), Resource.CUSTOMER, Operation.CREATE, customer.getId(), customer);
+            } else {
+                checkCustomerId(customer.getId(), Operation.WRITE);
+            }
             Customer savedCustomer = checkNotNull(customerService.saveCustomer(customer));
diff --git a/application/src/main/java/org/thingsboard/server/controller/DashboardController.java b/application/src/main/java/org/thingsboard/server/controller/DashboardController.java
index 68f18c9081..ee6e6b03cd 100644
--- a/application/src/main/java/org/thingsboard/server/controller/DashboardController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/DashboardController.java
@@ -100,15 +100,17 @@ public class DashboardController extends BaseController {
     @PreAuthorize("hasAuthority('TENANT_ADMIN')")
     @RequestMapping(value = "/dashboard", method = RequestMethod.POST)
-    @ResponseBody
+    @ResponseBody
     public Dashboard saveDashboard(@RequestBody Dashboard dashboard) throws ThingsboardException {
         try {
             dashboard.setTenantId(getCurrentUser().getTenantId());
-            Operation operation = dashboard.getId() == null ? Operation.CREATE : Operation.WRITE;
-
-            accessControlService.checkPermission(getCurrentUser(), Resource.DASHBOARD, operation,
-                    dashboard.getId(), dashboard);
+            if (dashboard.getId() == null) {
+                accessControlService
+                        .checkPermission(getCurrentUser(), Resource.DASHBOARD, Operation.CREATE, dashboard.getId(), dashboard);
+            } else {
+                checkDashboardId(dashboard.getId(), Operation.WRITE);
+            }
             Dashboard savedDashboard = checkNotNull(dashboardService.saveDashboard(dashboard));
@@ -152,9 +154,9 @@ public class DashboardController extends BaseController {
     @PreAuthorize("hasAuthority('TENANT_ADMIN')")
     @RequestMapping(value = "/customer/{customerId}/dashboard/{dashboardId}", method = RequestMethod.POST)
-    @ResponseBody
+    @ResponseBody
     public Dashboard assignDashboardToCustomer(@PathVariable("customerId") String strCustomerId,
-                                               @PathVariable(DASHBOARD_ID) String strDashboardId) throws ThingsboardException {
+                                               @PathVariable(DASHBOARD_ID) String strDashboardId) throws ThingsboardException {
         checkParameter("customerId", strCustomerId);
         checkParameter(DASHBOARD_ID, strDashboardId);
         try {
@@ -163,7 +165,7 @@ public class DashboardController extends BaseController {
             DashboardId dashboardId = new DashboardId(toUUID(strDashboardId));
             checkDashboardId(dashboardId, Operation.ASSIGN_TO_CUSTOMER);
-
+
             Dashboard savedDashboard = checkNotNull(dashboardService.assignDashboardToCustomer(getCurrentUser().getTenantId(), dashboardId, customerId));
             logEntityAction(dashboardId, savedDashboard,
@@ -184,7 +186,7 @@ public class DashboardController extends BaseController {
     @PreAuthorize("hasAuthority('TENANT_ADMIN')")
     @RequestMapping(value = "/customer/{customerId}/dashboard/{dashboardId}", method = RequestMethod.DELETE)
-    @ResponseBody
+    @ResponseBody
     public Dashboard unassignDashboardFromCustomer(@PathVariable("customerId") String strCustomerId,
                                                    @PathVariable(DASHBOARD_ID) String strDashboardId) throws ThingsboardException {
         checkParameter("customerId", strCustomerId);
@@ -418,7 +420,7 @@ public class DashboardController extends BaseController {
     }
     @PreAuthorize("hasAuthority('SYS_ADMIN')")
-    @RequestMapping(value = "/tenant/{tenantId}/dashboards", params = { "limit" }, method = RequestMethod.GET)
+    @RequestMapping(value = "/tenant/{tenantId}/dashboards", params = {"limit"}, method = RequestMethod.GET)
     @ResponseBody
     public TextPageData getTenantDashboards(
             @PathVariable("tenantId") String strTenantId,
@@ -437,7 +439,7 @@ public class DashboardController extends BaseController {
     }
     @PreAuthorize("hasAuthority('TENANT_ADMIN')")
-    @RequestMapping(value = "/tenant/dashboards", params = { "limit" }, method = RequestMethod.GET)
+    @RequestMapping(value = "/tenant/dashboards", params = {"limit"}, method = RequestMethod.GET)
     @ResponseBody
     public TextPageData getTenantDashboards(
             @RequestParam int limit,
@@ -454,7 +456,7 @@ public class DashboardController extends BaseController {
     }
     @PreAuthorize("hasAnyAuthority('TENANT_ADMIN', 'CUSTOMER_USER')")
-    @RequestMapping(value = "/customer/{customerId}/dashboards", params = { "limit" }, method = RequestMethod.GET)
+    @RequestMapping(value = "/customer/{customerId}/dashboards", params = {"limit"}, method = RequestMethod.GET)
     @ResponseBody
     public TimePageData getCustomerDashboards(
             @PathVariable("customerId") String strCustomerId,
diff --git a/application/src/main/java/org/thingsboard/server/controller/DeviceController.java b/application/src/main/java/org/thingsboard/server/controller/DeviceController.java
index ca61ecc8e9..8984001a3b 100644
--- a/application/src/main/java/org/thingsboard/server/controller/DeviceController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/DeviceController.java
@@ -92,10 +92,12 @@ public class DeviceController extends BaseController {
         try {
             device.setTenantId(getCurrentUser().getTenantId());
-            Operation operation = device.getId() == null ? Operation.CREATE : Operation.WRITE;
-
-            accessControlService.checkPermission(getCurrentUser(), Resource.DEVICE, operation,
-                    device.getId(), device);
+            if (device.getId() == null) {
+                accessControlService
+                        .checkPermission(getCurrentUser(), Resource.DEVICE, Operation.CREATE, device.getId(), device);
+            } else {
+                checkDeviceId(device.getId(), Operation.WRITE);
+            }
             Device savedDevice = checkNotNull(deviceService.saveDeviceWithAccessToken(device, accessToken));
diff --git a/application/src/main/java/org/thingsboard/server/controller/EntityViewController.java b/application/src/main/java/org/thingsboard/server/controller/EntityViewController.java
index 05c57d35fa..7d5d01d94e 100644
--- a/application/src/main/java/org/thingsboard/server/controller/EntityViewController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/EntityViewController.java
@@ -92,10 +92,12 @@ public class EntityViewController extends BaseController {
         try {
             entityView.setTenantId(getCurrentUser().getTenantId());
-            Operation operation = entityView.getId() == null ? Operation.CREATE : Operation.WRITE;
-
-            accessControlService.checkPermission(getCurrentUser(), Resource.ENTITY_VIEW, operation,
-                    entityView.getId(), entityView);
+            if (entityView.getId() == null) {
+                accessControlService
+                        .checkPermission(getCurrentUser(), Resource.ENTITY_VIEW, Operation.CREATE, entityView.getId(), entityView);
+            } else {
+                checkEntityViewId(entityView.getId(), Operation.WRITE);
+            }
             EntityView savedEntityView = checkNotNull(entityViewService.saveEntityView(entityView));
             List>> futures = new ArrayList<>();
diff --git a/application/src/main/java/org/thingsboard/server/controller/RuleChainController.java b/application/src/main/java/org/thingsboard/server/controller/RuleChainController.java
index 0bc518e48c..c9c17e210e 100644
--- a/application/src/main/java/org/thingsboard/server/controller/RuleChainController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/RuleChainController.java
@@ -126,10 +126,12 @@ public class RuleChainController extends BaseController {
             boolean created = ruleChain.getId() == null;
             ruleChain.setTenantId(getCurrentUser().getTenantId());
-            Operation operation = created ? Operation.CREATE : Operation.WRITE;
-
-            accessControlService.checkPermission(getCurrentUser(), Resource.RULE_CHAIN, operation,
-                    ruleChain.getId(), ruleChain);
+            if (created) {
+                accessControlService
+                        .checkPermission(getCurrentUser(), Resource.RULE_CHAIN, Operation.CREATE, ruleChain.getId(), ruleChain);
+            } else {
+                checkRuleChain(ruleChain.getId(), Operation.WRITE);
+            }
             RuleChain savedRuleChain = checkNotNull(ruleChainService.saveRuleChain(ruleChain));
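Review bot: The update branch of the RuleChainController hunk calls `checkRuleChain(ruleChain.getId(), Operation.WRITE)` while every sibling controller touched by this commit uses a `check<Entity>Id(...)` helper (`checkAlarmId`, `checkDeviceId`, `checkEntityViewId`, ...), so a reader scanning the save methods may assume this one does something different. If the helper (presumably in BaseController, outside this diff) can be renamed without breaking other callers, `checkRuleChainId` keeps the naming uniform; otherwise a short comment on that line, `// same load-and-authorize helper as check<Entity>Id in the other controllers`, removes the doubt. The enclosing save method starts before the hunk.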
diff --git a/application/src/main/java/org/thingsboard/server/controller/TenantController.java b/application/src/main/java/org/thingsboard/server/controller/TenantController.java
index 9def943e88..8a62cd8892 100644
--- a/application/src/main/java/org/thingsboard/server/controller/TenantController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/TenantController.java
@@ -72,10 +72,13 @@ public class TenantController extends BaseController {
         try {
             boolean newTenant = tenant.getId() == null;
-            Operation operation = newTenant ? Operation.CREATE : Operation.WRITE;
+            if (newTenant) {
+                accessControlService
+                        .checkPermission(getCurrentUser(), Resource.TENANT, Operation.CREATE, tenant.getId(), tenant);
+            } else {
+                checkTenantId(tenant.getId(), Operation.WRITE);
+            }
-            accessControlService.checkPermission(getCurrentUser(), Resource.TENANT, operation,
-                    tenant.getId(), tenant);
             tenant = checkNotNull(tenantService.saveTenant(tenant));
             if (newTenant) {
                 installScripts.createDefaultRuleChains(tenant.getId());
diff --git a/application/src/main/java/org/thingsboard/server/controller/UserController.java b/application/src/main/java/org/thingsboard/server/controller/UserController.java
index bf64ad7d6f..2e27a3c481 100644
--- a/application/src/main/java/org/thingsboard/server/controller/UserController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/UserController.java
@@ -132,17 +132,18 @@ public class UserController extends BaseController {
     @ResponseBody
     public User saveUser(@RequestBody User user,
                          @RequestParam(required = false, defaultValue = "true") boolean sendActivationMail,
-                         HttpServletRequest request) throws ThingsboardException {
+                         HttpServletRequest request) throws ThingsboardException {
         try {
-
             if (getCurrentUser().getAuthority() == Authority.TENANT_ADMIN) {
                 user.setTenantId(getCurrentUser().getTenantId());
             }
-            Operation operation = user.getId() == null ? Operation.CREATE : Operation.WRITE;
-
-            accessControlService.checkPermission(getCurrentUser(), Resource.USER, operation,
-                    user.getId(), user);
+            if (user.getId() == null) {
+                accessControlService
+                        .checkPermission(getCurrentUser(), Resource.USER, Operation.CREATE, user.getId(), user);
+            } else {
+                checkUserId(user.getId(), Operation.WRITE);
+            }
             boolean sendEmail = user.getId() == null && sendActivationMail;
             User savedUser = checkNotNull(userService.saveUser(user));
@@ -250,7 +251,7 @@ public class UserController extends BaseController {
     }
     @PreAuthorize("hasAuthority('SYS_ADMIN')")
-    @RequestMapping(value = "/tenant/{tenantId}/users", params = { "limit" }, method = RequestMethod.GET)
+    @RequestMapping(value = "/tenant/{tenantId}/users", params = {"limit"}, method = RequestMethod.GET)
     @ResponseBody
     public TextPageData getTenantAdmins(
             @PathVariable("tenantId") String strTenantId,
@@ -269,7 +270,7 @@ public class UserController extends BaseController {
     }
     @PreAuthorize("hasAuthority('TENANT_ADMIN')")
-    @RequestMapping(value = "/customer/{customerId}/users", params = { "limit" }, method = RequestMethod.GET)
+    @RequestMapping(value = "/customer/{customerId}/users", params = {"limit"}, method = RequestMethod.GET)
     @ResponseBody
     public TextPageData getCustomerUsers(
             @PathVariable("customerId") String strCustomerId,
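Review bot: In saveUser the new `if (user.getId() == null)` repeats the test that the surviving `boolean sendEmail = user.getId() == null && sendActivationMail;` line makes two lines later, whereas RuleChainController and TenantController in this same commit hoist it into a `created` / `newTenant` local. Doing the same here — `boolean created = user.getId() == null;` at the top of the try, then `if (created) {` and `boolean sendEmail = created && sendActivationMail;` — makes it explicit that both the authorization branch and the activation-mail decision are taken on the id as submitted, before `userService.saveUser(user)` runs. saveUser's body continues past the hunk.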
diff --git a/application/src/main/java/org/thingsboard/server/controller/WidgetTypeController.java b/application/src/main/java/org/thingsboard/server/controller/WidgetTypeController.java
index debe49b018..650bb9f90f 100644
--- a/application/src/main/java/org/thingsboard/server/controller/WidgetTypeController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/WidgetTypeController.java
@@ -66,10 +66,12 @@ public class WidgetTypeController extends BaseController {
                 widgetType.setTenantId(getCurrentUser().getTenantId());
             }
-            Operation operation = widgetType.getId() == null ? Operation.CREATE : Operation.WRITE;
-
-            accessControlService.checkPermission(getCurrentUser(), Resource.WIDGET_TYPE, operation,
-                    widgetType.getId(), widgetType);
+            if (widgetType.getId() == null) {
+                accessControlService
+                        .checkPermission(getCurrentUser(), Resource.WIDGET_TYPE, Operation.CREATE, widgetType.getId(), widgetType);
+            } else {
+                checkWidgetTypeId(widgetType.getId(), Operation.WRITE);
+            }
             return checkNotNull(widgetTypeService.saveWidgetType(widgetType));
         } catch (Exception e) {
@@ -92,7 +94,7 @@ public class WidgetTypeController extends BaseController {
     }
     @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
-    @RequestMapping(value = "/widgetTypes", params = { "isSystem", "bundleAlias"}, method = RequestMethod.GET)
+    @RequestMapping(value = "/widgetTypes", params = {"isSystem", "bundleAlias"}, method = RequestMethod.GET)
     @ResponseBody
     public List getBundleWidgetTypes(
             @RequestParam boolean isSystem,
@@ -111,7 +113,7 @@ public class WidgetTypeController extends BaseController {
     }
     @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
-    @RequestMapping(value = "/widgetType", params = { "isSystem", "bundleAlias", "alias" }, method = RequestMethod.GET)
+    @RequestMapping(value = "/widgetType", params = {"isSystem", "bundleAlias", "alias"}, method = RequestMethod.GET)
     @ResponseBody
     public WidgetType getWidgetType(
             @RequestParam boolean isSystem,
diff --git a/application/src/main/java/org/thingsboard/server/controller/WidgetsBundleController.java b/application/src/main/java/org/thingsboard/server/controller/WidgetsBundleController.java
index 3d5cd22400..de668de039 100644
--- a/application/src/main/java/org/thingsboard/server/controller/WidgetsBundleController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/WidgetsBundleController.java
@@ -67,10 +67,12 @@ public class WidgetsBundleController extends BaseController {
                 widgetsBundle.setTenantId(getCurrentUser().getTenantId());
             }
-            Operation operation = widgetsBundle.getId() == null ? Operation.CREATE : Operation.WRITE;
-
-            accessControlService.checkPermission(getCurrentUser(), Resource.WIDGETS_BUNDLE, operation,
-                    widgetsBundle.getId(), widgetsBundle);
+            if (widgetsBundle.getId() == null) {
+                accessControlService
+                        .checkPermission(getCurrentUser(), Resource.WIDGETS_BUNDLE, Operation.CREATE, widgetsBundle.getId(), widgetsBundle);
+            } else {
+                checkWidgetsBundleId(widgetsBundle.getId(), Operation.WRITE);
+            }
             return checkNotNull(widgetsBundleService.saveWidgetsBundle(widgetsBundle));
         } catch (Exception e) {
@@ -93,7 +95,7 @@ public class WidgetsBundleController extends BaseController {
     }
     @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
-    @RequestMapping(value = "/widgetsBundles", params = { "limit" }, method = RequestMethod.GET)
+    @RequestMapping(value = "/widgetsBundles", params = {"limit"}, method = RequestMethod.GET)
     @ResponseBody
     public TextPageData getWidgetsBundles(
             @RequestParam int limit,