Stefan Melmuk
1 month ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with
13 additions and
4 deletions
-
src/api/core/ciphers.rs
-
src/db/models/cipher.rs
|
|
@ -773,8 +773,8 @@ async fn post_collections_update( |
|
|
|
err!("Cipher doesn't exist") |
|
|
|
}; |
|
|
|
|
|
|
|
if !cipher.is_write_accessible_to_user(&headers.user.uuid, &mut conn).await { |
|
|
|
err!("Cipher is not write accessible") |
|
|
|
if !cipher.is_in_editable_collection_by_user(&headers.user.uuid, &mut conn).await { |
|
|
|
err!("Collection cannot be changed") |
|
|
|
} |
|
|
|
|
|
|
|
let posted_collections = HashSet::<CollectionId>::from_iter(data.collection_ids); |
|
|
@ -850,8 +850,8 @@ async fn post_collections_admin( |
|
|
|
err!("Cipher doesn't exist") |
|
|
|
}; |
|
|
|
|
|
|
|
if !cipher.is_write_accessible_to_user(&headers.user.uuid, &mut conn).await { |
|
|
|
err!("Cipher is not write accessible") |
|
|
|
if !cipher.is_in_editable_collection_by_user(&headers.user.uuid, &mut conn).await { |
|
|
|
err!("Collection cannot be changed") |
|
|
|
} |
|
|
|
|
|
|
|
let posted_collections = HashSet::<CollectionId>::from_iter(data.collection_ids); |
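Review bot: In both `post_collections_update` and `post_collections_admin` the previous `is_write_accessible_to_user` guard is replaced rather than kept alongside the new one, and the new predicate returns true whenever `manage` is set, even if `read_only` is also set. Whether that is at least as strict as the replaced check depends on `is_write_accessible_to_user` and `get_access_restrictions`, neither of which is visible in these hunks, so it should be confirmed before this becomes the only gate. The guard covers only the user's rights on the cipher itself; any validation of the posted `data.collection_ids` happens after the hunk ends and is not shown. Since both handlers carry the same check, a comment above each call such as `// users with hidden passwords must not change a cipher's collections (privilege escalation)` would keep the reason at the call site.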
|
|
|
|
|
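--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -717,6 +717,15 @@ impl Cipher {
 }
 }
 
+// used for checking if collection can be edited (only if user has access to a collection they
+// can write to and also passwords are not hidden to prevent privilege escalation)
+pub async fn is_in_editable_collection_by_user(&self, user_uuid: &UserId, conn: &mut DbConn) -> bool {
+match self.get_access_restrictions(user_uuid, None, conn).await {
+Some((read_only, hide_passwords, manage)) => (!read_only && !hide_passwords) || manage,
+None => false,
+}
+}
+
 pub async fn is_accessible_to_user(&self, user_uuid: &UserId, conn: &mut DbConn) -> bool {
 self.get_access_restrictions(user_uuid, None, conn).await.is_some()
 }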
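Review bot: `is_in_editable_collection_by_user` destructures the tuple from `get_access_restrictions` positionally as `(read_only, hide_passwords, manage)`, and that function is defined outside the hunk, so a reordering there would silently change this authorization decision. The explanatory `//` comment would be better as a doc comment that also states the manage override, e.g. `/// Returns true only if the user can write to the cipher with passwords visible, or has manage rights.` A regression test for a user with `hide_passwords` set and `read_only` unset would pin the privilege-escalation case the comment mentions.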