topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

fix Collection::is_writable_by_user() 

prevent side effects if groups are disabled
pull/4592/head
Stefan Melmuk 11 months ago
parent
49d07ed5aa
commit
37b2143813
No known key found for this signature in database GPG Key ID: 817020C608FE9C09
1 changed files with 57 additions and 41 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 62
      src/db/models/collection.rs

62
src/db/models/collection.rs
View File

@ -371,17 +371,17 @@ impl Collection {
pub async fn is_writable_by_user(&self, user_uuid: &str, conn: &mut DbConn) -> bool { pub async fn is_writable_by_user(&self, user_uuid: &str, conn: &mut DbConn) -> bool {
let user_uuid = user_uuid.to_string(); let user_uuid = user_uuid.to_string();
if CONFIG.org_groups_enabled() {
db_run! { conn: { db_run! { conn: {
collections::table collections::table
.left_join(users_collections::table.on( .filter(collections::uuid.eq(&self.uuid))
users_collections::collection_uuid.eq(collections::uuid).and( .inner_join(users_organizations::table.on(
users_collections::user_uuid.eq(user_uuid.clone()) collections::org_uuid.eq(users_organizations::org_uuid)
) .and(users_organizations::user_uuid.eq(user_uuid.clone()))
)) ))
.left_join(users_organizations::table.on( .left_join(users_collections::table.on(
collections::org_uuid.eq(users_organizations::org_uuid).and( users_collections::collection_uuid.eq(collections::uuid)
users_organizations::user_uuid.eq(user_uuid) .and(users_collections::user_uuid.eq(user_uuid))
)
)) ))
.left_join(groups_users::table.on( .left_join(groups_users::table.on(
groups_users::users_organizations_uuid.eq(users_organizations::uuid) groups_users::users_organizations_uuid.eq(users_organizations::uuid)
@ -390,23 +390,38 @@ impl Collection {
groups::uuid.eq(groups_users::groups_uuid) groups::uuid.eq(groups_users::groups_uuid)
)) ))
.left_join(collections_groups::table.on( .left_join(collections_groups::table.on(
collections_groups::groups_uuid.eq(groups_users::groups_uuid).and( collections_groups::groups_uuid.eq(groups_users::groups_uuid)
collections_groups::collections_uuid.eq(collections::uuid) .and(collections_groups::collections_uuid.eq(collections::uuid))
)
)) ))
.filter(collections::uuid.eq(&self.uuid)) .filter(users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner
.filter( .or(users_organizations::access_all.eq(true)) // access_all via membership
users_collections::collection_uuid.eq(&self.uuid).and(users_collections::read_only.eq(false)).or(// Directly accessed collection .or(users_collections::collection_uuid.eq(&self.uuid) // write access given to collection
users_organizations::access_all.eq(true).or( // access_all in Organization .and(users_collections::read_only.eq(false)))
users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner .or(groups::access_all.eq(true)) // access_all via group
)).or( .or(collections_groups::collections_uuid.is_not_null() // write access given via group
groups::access_all.eq(true) // access_all in groups .and(collections_groups::read_only.eq(false)))
).or( // access via groups
groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
collections_groups::collections_uuid.is_not_null().and(
collections_groups::read_only.eq(false))
)
) )
.count()
.first::<i64>(conn)
.ok()
.unwrap_or(0) != 0
}}
} else {
db_run! { conn: {
collections::table
.filter(collections::uuid.eq(&self.uuid))
.inner_join(users_organizations::table.on(
collections::org_uuid.eq(users_organizations::org_uuid)
.and(users_organizations::user_uuid.eq(user_uuid.clone()))
))
.left_join(users_collections::table.on(
users_collections::collection_uuid.eq(collections::uuid)
.and(users_collections::user_uuid.eq(user_uuid))
))
.filter(users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner
.or(users_organizations::access_all.eq(true)) // access_all via membership
.or(users_collections::collection_uuid.eq(&self.uuid) // write access given to collection
.and(users_collections::read_only.eq(false)))
) )
.count() .count()
.first::<i64>(conn) .first::<i64>(conn)
@ -414,6 +429,7 @@ impl Collection {
.unwrap_or(0) != 0 .unwrap_or(0) != 0
}} }}
} }
}
pub async fn hide_passwords_for_user(&self, user_uuid: &str, conn: &mut DbConn) -> bool { pub async fn hide_passwords_for_user(&self, user_uuid: &str, conn: &mut DbConn) -> bool {
let user_uuid = user_uuid.to_string(); let user_uuid = user_uuid.to_string();

Write Preview
Loading…
Cancel
Save