Merge branch 'main' into fix/dummyIdentifier
pull/6263/head
Mathijs van Veluw
5 days ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with
28 additions and
18 deletions
-
docker/DockerSettings.yaml
-
docker/Dockerfile.alpine
-
docker/Dockerfile.debian
-
src/api/core/ciphers.rs
-
src/db/models/cipher.rs
-
src/db/models/org_policy.rs
|
|
@ -1,6 +1,6 @@ |
|
|
|
--- |
|
|
|
vault_version: "v2025.8.0" |
|
|
|
vault_image_digest: "sha256:41c2b51c87882248f405d5a0ab37210d2672a312ec5d4f3b9afcdbbe8eb9d57d" |
|
|
|
vault_version: "v2025.9.1" |
|
|
|
vault_image_digest: "sha256:15a126ca967cd2efc4c9625fec49f0b972a3f7d7d81d7770bb0a2502d5e4b8a4" |
|
|
|
# Cross Compile Docker Helper Scripts v1.6.1 |
|
|
|
# We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts |
|
|
|
# https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags |
|
|
|
|
|
@ -19,15 +19,15 @@ |
|
|
|
# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |
|
|
|
# click the tag name to view the digest of the image it currently points to. |
|
|
|
# - From the command line: |
|
|
|
# $ docker pull docker.io/vaultwarden/web-vault:v2025.8.0 |
|
|
|
# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.8.0 |
|
|
|
# [docker.io/vaultwarden/web-vault@sha256:41c2b51c87882248f405d5a0ab37210d2672a312ec5d4f3b9afcdbbe8eb9d57d] |
|
|
|
# $ docker pull docker.io/vaultwarden/web-vault:v2025.9.1 |
|
|
|
# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.9.1 |
|
|
|
# [docker.io/vaultwarden/web-vault@sha256:15a126ca967cd2efc4c9625fec49f0b972a3f7d7d81d7770bb0a2502d5e4b8a4] |
|
|
|
# |
|
|
|
# - Conversely, to get the tag name from the digest: |
|
|
|
# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:41c2b51c87882248f405d5a0ab37210d2672a312ec5d4f3b9afcdbbe8eb9d57d |
|
|
|
# [docker.io/vaultwarden/web-vault:v2025.8.0] |
|
|
|
# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:15a126ca967cd2efc4c9625fec49f0b972a3f7d7d81d7770bb0a2502d5e4b8a4 |
|
|
|
# [docker.io/vaultwarden/web-vault:v2025.9.1] |
|
|
|
# |
|
|
|
FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:41c2b51c87882248f405d5a0ab37210d2672a312ec5d4f3b9afcdbbe8eb9d57d AS vault |
|
|
|
FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:15a126ca967cd2efc4c9625fec49f0b972a3f7d7d81d7770bb0a2502d5e4b8a4 AS vault |
|
|
|
|
|
|
|
########################## ALPINE BUILD IMAGES ########################## |
|
|
|
## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 |
|
|
|
|
|
@ -19,15 +19,15 @@ |
|
|
|
# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |
|
|
|
# click the tag name to view the digest of the image it currently points to. |
|
|
|
# - From the command line: |
|
|
|
# $ docker pull docker.io/vaultwarden/web-vault:v2025.8.0 |
|
|
|
# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.8.0 |
|
|
|
# [docker.io/vaultwarden/web-vault@sha256:41c2b51c87882248f405d5a0ab37210d2672a312ec5d4f3b9afcdbbe8eb9d57d] |
|
|
|
# $ docker pull docker.io/vaultwarden/web-vault:v2025.9.1 |
|
|
|
# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.9.1 |
|
|
|
# [docker.io/vaultwarden/web-vault@sha256:15a126ca967cd2efc4c9625fec49f0b972a3f7d7d81d7770bb0a2502d5e4b8a4] |
|
|
|
# |
|
|
|
# - Conversely, to get the tag name from the digest: |
|
|
|
# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:41c2b51c87882248f405d5a0ab37210d2672a312ec5d4f3b9afcdbbe8eb9d57d |
|
|
|
# [docker.io/vaultwarden/web-vault:v2025.8.0] |
|
|
|
# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:15a126ca967cd2efc4c9625fec49f0b972a3f7d7d81d7770bb0a2502d5e4b8a4 |
|
|
|
# [docker.io/vaultwarden/web-vault:v2025.9.1] |
|
|
|
# |
|
|
|
FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:41c2b51c87882248f405d5a0ab37210d2672a312ec5d4f3b9afcdbbe8eb9d57d AS vault |
|
|
|
FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:15a126ca967cd2efc4c9625fec49f0b972a3f7d7d81d7770bb0a2502d5e4b8a4 AS vault |
|
|
|
|
|
|
|
########################## Cross Compile Docker Helper Scripts ########################## |
|
|
|
## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts |
|
|
|
|
|
@ -773,8 +773,8 @@ async fn post_collections_update( |
|
|
|
err!("Cipher doesn't exist") |
|
|
|
}; |
|
|
|
|
|
|
|
if !cipher.is_write_accessible_to_user(&headers.user.uuid, &mut conn).await { |
|
|
|
err!("Cipher is not write accessible") |
|
|
|
if !cipher.is_in_editable_collection_by_user(&headers.user.uuid, &mut conn).await { |
|
|
|
err!("Collection cannot be changed") |
|
|
|
} |
|
|
|
|
|
|
|
let posted_collections = HashSet::<CollectionId>::from_iter(data.collection_ids); |
|
|
@ -850,8 +850,8 @@ async fn post_collections_admin( |
|
|
|
err!("Cipher doesn't exist") |
|
|
|
}; |
|
|
|
|
|
|
|
if !cipher.is_write_accessible_to_user(&headers.user.uuid, &mut conn).await { |
|
|
|
err!("Cipher is not write accessible") |
|
|
|
if !cipher.is_in_editable_collection_by_user(&headers.user.uuid, &mut conn).await { |
|
|
|
err!("Collection cannot be changed") |
|
|
|
} |
|
|
|
|
|
|
|
let posted_collections = HashSet::<CollectionId>::from_iter(data.collection_ids); |
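Review bot: The same guard now appears verbatim in both post_collections_update and post_collections_admin, so the authorization rule for changing a cipher's collections lives in two places that must be kept in step by hand. Consider one private helper that both handlers call, or at least a comment at each call site such as `// users with hide_passwords must not change collections; see Cipher::is_in_editable_collection_by_user`. The guard covers the user's current access to the cipher only; whether each id in `data.collection_ids` is also checked for write access happens after `posted_collections` is built, outside both hunks, and is worth confirming. Both function bodies start and end outside the hunks.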
|
|
|
|
|
@ -717,6 +717,15 @@ impl Cipher { |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
// used for checking if collection can be edited (only if user has access to a collection they
|
|
|
|
// can write to and also passwords are not hidden to prevent privilege escalation)
|
|
|
|
pub async fn is_in_editable_collection_by_user(&self, user_uuid: &UserId, conn: &mut DbConn) -> bool { |
|
|
|
match self.get_access_restrictions(user_uuid, None, conn).await { |
|
|
|
Some((read_only, hide_passwords, manage)) => (!read_only && !hide_passwords) || manage, |
|
|
|
None => false, |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
pub async fn is_accessible_to_user(&self, user_uuid: &UserId, conn: &mut DbConn) -> bool { |
|
|
|
self.get_access_restrictions(user_uuid, None, conn).await.is_some() |
|
|
|
} |
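Review bot: The comment above is_in_editable_collection_by_user describes only the `!read_only && !hide_passwords` half of the predicate; the `|| manage` arm, which allows the change even when read_only or hide_passwords is set, is not mentioned. Since this is an authorization gate, state the full rule in a doc comment, for example `/// True if the user may change this cipher's collections: manage is set, or access is neither read-only nor hide-passwords.` It would also help to say that a `None` from get_access_restrictions denies the change. The tuple is matched positionally as (read_only, hide_passwords, manage); get_access_restrictions is defined outside the hunk, so that order cannot be checked from here.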
|
|
|
|
|
@ -39,6 +39,7 @@ pub enum OrgPolicyType { |
|
|
|
// AutomaticAppLogIn = 12,
|
|
|
|
// FreeFamiliesSponsorshipPolicy = 13,
|
|
|
|
RemoveUnlockWithPin = 14, |
|
|
|
RestrictedItemTypes = 15, |
|
|
|
} |
|
|
|
|
|
|
|
// https://github.com/bitwarden/server/blob/9ebe16587175b1c0e9208f84397bb75d0d595510/src/Core/AdminConsole/Models/Data/Organizations/Policies/SendOptionsPolicyData.cs#L5
|
|
|
|