topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge branch 'BlackDex-issue-2932-take2'

pull/2969/head
Daniel García 2 years ago
parent
1b56f4266b 142f7bb50d
commit
7f7b5447fd
No known key found for this signature in database GPG Key ID: FC8A7D14C3CD543A
2 changed files with 36 additions and 11 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 12
      src/auth.rs
  2. 35
      src/db/models/collection.rs

12
src/auth.rs
View File

@ -266,7 +266,7 @@ use rocket::{
}; };
use crate::db::{ use crate::db::{
models::{CollectionUser, Device, User, UserOrgStatus, UserOrgType, UserOrganization, UserStampException}, models::{Collection, Device, User, UserOrgStatus, UserOrgType, UserOrganization, UserStampException},
DbConn, DbConn,
}; };
@ -558,17 +558,15 @@ impl<'r> FromRequest<'r> for ManagerHeaders {
_ => err_handler!("Error getting DB"), _ => err_handler!("Error getting DB"),
}; };
if !headers.org_user.has_full_access() { if !headers.org_user.has_full_access()
match CollectionUser::find_by_collection_and_user( && !Collection::has_access_by_collection_and_user_uuid(
&col_id, &col_id,
&headers.org_user.user_uuid, &headers.org_user.user_uuid,
&mut conn, &mut conn,
) )
.await .await
{ {
Some(_) => (), err_handler!("The current user isn't a manager for this collection")
None => err_handler!("The current user isn't a manager for this collection"),
}
} }
} }
_ => err_handler!("Error getting the collection id"), _ => err_handler!("Error getting the collection id"),

35
src/db/models/collection.rs
View File

@ -167,15 +167,15 @@ impl Collection {
users_collections::user_uuid.eq(user_uuid.clone()) users_collections::user_uuid.eq(user_uuid.clone())
) )
)) ))
.left_join(users_organizations::table.on( .inner_join(users_organizations::table.on(
collections::org_uuid.eq(users_organizations::org_uuid).and( collections::org_uuid.eq(users_organizations::org_uuid).and(
users_organizations::user_uuid.eq(user_uuid.clone()) users_organizations::user_uuid.eq(user_uuid.clone())
) )
)) ))
.left_join(groups_users::table.on( .inner_join(groups_users::table.on(
groups_users::users_organizations_uuid.eq(users_organizations::uuid) groups_users::users_organizations_uuid.eq(users_organizations::uuid)
)) ))
.left_join(groups::table.on( .inner_join(groups::table.on(
groups::uuid.eq(groups_users::groups_uuid) groups::uuid.eq(groups_users::groups_uuid)
)) ))
.left_join(collections_groups::table.on( .left_join(collections_groups::table.on(
@ -203,6 +203,17 @@ impl Collection {
}} }}
} }
// Check if a user has access to a specific collection
// FIXME: This needs to be reviewed. The query used by `find_by_user_uuid` could be adjusted to filter when needed.
// For now this is a good solution without making to much changes.
pub async fn has_access_by_collection_and_user_uuid(
collection_uuid: &str,
user_uuid: &str,
conn: &mut DbConn,
) -> bool {
Self::find_by_user_uuid(user_uuid.to_owned(), conn).await.into_iter().any(|c| c.uuid == collection_uuid)
}
pub async fn find_by_organization_and_user_uuid(org_uuid: &str, user_uuid: &str, conn: &mut DbConn) -> Vec<Self> { pub async fn find_by_organization_and_user_uuid(org_uuid: &str, user_uuid: &str, conn: &mut DbConn) -> Vec<Self> {
Self::find_by_user_uuid(user_uuid.to_owned(), conn) Self::find_by_user_uuid(user_uuid.to_owned(), conn)
.await .await
@ -241,16 +252,32 @@ impl Collection {
users_collections::user_uuid.eq(user_uuid.clone()) users_collections::user_uuid.eq(user_uuid.clone())
) )
)) ))
.left_join(users_organizations::table.on( .inner_join(users_organizations::table.on(
collections::org_uuid.eq(users_organizations::org_uuid).and( collections::org_uuid.eq(users_organizations::org_uuid).and(
users_organizations::user_uuid.eq(user_uuid) users_organizations::user_uuid.eq(user_uuid)
) )
)) ))
.inner_join(groups_users::table.on(
groups_users::users_organizations_uuid.eq(users_organizations::uuid)
))
.inner_join(groups::table.on(
groups::uuid.eq(groups_users::groups_uuid)
))
.left_join(collections_groups::table.on(
collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
collections_groups::collections_uuid.eq(collections::uuid)
)
))
.filter(collections::uuid.eq(uuid)) .filter(collections::uuid.eq(uuid))
.filter( .filter(
users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection
users_organizations::access_all.eq(true).or( // access_all in Organization users_organizations::access_all.eq(true).or( // access_all in Organization
users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner
)).or(
groups::access_all.eq(true) // access_all in groups
).or( // access via groups
groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
collections_groups::collections_uuid.is_not_null()
) )
) )
).select(collections::all_columns) ).select(collections::all_columns)

Write Preview
Loading…
Cancel
Save