Browse Source
Fix org-details issue (#6811 )
Fix an issue where it was possible for users who were not eligible to access all org ciphers to be able to download and extract the encrypted contents.
Only Managers with full access and Admins and Owners should be able to access this endpoint.
This change will block and prevent access for other users.
Signed-off-by: BlackDex <black.dex@gmail.com>
Mathijs van Veluw
2 weeks ago
GitHub
GPG Key ID:
1 changed files with
5 additions and
1 deletions
src/api/core/organizations.rs
@ -929,11 +929,15 @@ struct OrgIdData {
} }
#[ get( " /ciphers/organization-details?<data..> " ) ] #[ get( " /ciphers/organization-details?<data..> " ) ]
async fn get_org_details ( data : OrgIdData , headers : OrgMemberHeaders , conn : DbConn ) -> JsonResult { async fn get_org_details ( data : OrgIdData , headers : ManagerHeadersLoose , conn : DbConn ) -> JsonResult {
if data . organization_id ! = headers . membership . org_uuid { if data . organization_id ! = headers . membership . org_uuid {
err_code ! ( "Resource not found." , "Organization id's do not match" , rocket ::http ::Status ::NotFound . code ) ; err_code ! ( "Resource not found." , "Organization id's do not match" , rocket ::http ::Status ::NotFound . code ) ;
} }
if ! headers . membership . has_full_access ( ) {
err_code ! ( "Resource not found." , "User does not have full access" , rocket ::http ::Status ::NotFound . code ) ;
}
Ok ( Json ( json ! ( { Ok ( Json ( json ! ( {
"data" : _get_org_details ( & data . organization_id , & headers . host , & headers . user . uuid , & conn ) . await ? , "data" : _get_org_details ( & data . organization_id , & headers . host , & headers . user . uuid , & conn ) . await ? ,
"object" : "list" , "object" : "list" ,
Mathijs van Veluw
2 weeks ago
GitHub