diff --git a/application/src/main/java/org/thingsboard/server/controller/AssetController.java b/application/src/main/java/org/thingsboard/server/controller/AssetController.java
index 5809a7f..2e17fab 100644
--- a/application/src/main/java/org/thingsboard/server/controller/AssetController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/AssetController.java
@@ -28,8 +28,10 @@ import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.page.TextPageData;
import org.thingsboard.server.common.data.page.TextPageLink;
import org.thingsboard.server.common.data.asset.AssetSearchQuery;
+import org.thingsboard.server.common.data.security.Authority;
import org.thingsboard.server.dao.exception.IncorrectParameterException;
import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.exception.ThingsboardErrorCode;
import org.thingsboard.server.exception.ThingsboardException;
import org.thingsboard.server.service.security.model.SecurityUser;
@@ -54,12 +56,21 @@ public class AssetController extends BaseController {
}
}
- @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+ @PreAuthorize("hasAnyAuthority('TENANT_ADMIN', 'CUSTOMER_USER')")
@RequestMapping(value = "/asset", method = RequestMethod.POST)
@ResponseBody
public Asset saveAsset(@RequestBody Asset asset) throws ThingsboardException {
try {
asset.setTenantId(getCurrentUser().getTenantId());
+ if (getCurrentUser().getAuthority() == Authority.CUSTOMER_USER) {
+ if (asset.getId() == null || asset.getId().isNullUid() ||
+ asset.getCustomerId() == null || asset.getCustomerId().isNullUid()) {
+ throw new ThingsboardException("You don't have permission to perform this operation!",
+ ThingsboardErrorCode.PERMISSION_DENIED);
+ } else {
+ checkCustomerId(asset.getCustomerId());
+ }
+ }
return checkNotNull(assetService.saveAsset(asset));
} catch (Exception e) {
throw handleException(e);
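Review bot: The new CUSTOMER_USER branch authorizes the save against `asset.getCustomerId()` as supplied in the request body, not against the asset actually stored under `asset.getId()`; nothing in the hunk loads the existing record, so an existing asset of another customer in the same tenant could be overwritten and re-assigned simply by posting its id together with the caller's own customer id. Before `checkCustomerId`, the id should be resolved and ownership verified the way the read endpoints do, e.g. `checkAssetId(asset.getId());` (the BaseController helper, assuming it still applies the customer-ownership check for CUSTOMER_USER). The parallel DeviceController hunk has the same gap, where `checkDeviceId(device.getId())` would be the counterpart. The duplicated customer-user block in both controllers could also be lifted into one BaseController helper so the two stay in step. saveAsset's body continues outside the hunk.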
diff --git a/application/src/main/java/org/thingsboard/server/controller/DeviceController.java b/application/src/main/java/org/thingsboard/server/controller/DeviceController.java
index 637a760..fac841d 100644
--- a/application/src/main/java/org/thingsboard/server/controller/DeviceController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/DeviceController.java
@@ -27,10 +27,12 @@ import org.thingsboard.server.common.data.id.DeviceId;
import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.page.TextPageData;
import org.thingsboard.server.common.data.page.TextPageLink;
+import org.thingsboard.server.common.data.security.Authority;
import org.thingsboard.server.common.data.security.DeviceCredentials;
import org.thingsboard.server.common.data.device.DeviceSearchQuery;
import org.thingsboard.server.dao.exception.IncorrectParameterException;
import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.exception.ThingsboardErrorCode;
import org.thingsboard.server.exception.ThingsboardException;
import org.thingsboard.server.service.security.model.SecurityUser;
@@ -55,12 +57,21 @@ public class DeviceController extends BaseController {
}
}
- @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+ @PreAuthorize("hasAnyAuthority('TENANT_ADMIN', 'CUSTOMER_USER')")
@RequestMapping(value = "/device", method = RequestMethod.POST)
@ResponseBody
public Device saveDevice(@RequestBody Device device) throws ThingsboardException {
try {
device.setTenantId(getCurrentUser().getTenantId());
+ if (getCurrentUser().getAuthority() == Authority.CUSTOMER_USER) {
+ if (device.getId() == null || device.getId().isNullUid() ||
+ device.getCustomerId() == null || device.getCustomerId().isNullUid()) {
+ throw new ThingsboardException("You don't have permission to perform this operation!",
+ ThingsboardErrorCode.PERMISSION_DENIED);
+ } else {
+ checkCustomerId(device.getCustomerId());
+ }
+ }
Device savedDevice = checkNotNull(deviceService.saveDevice(device));
actorService
.onDeviceNameOrTypeUpdate(