topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

improve check if the user has access via groups 

instead of returning the two lists of member ids and later checking if
they contain the uuid of the current user, we really only care if
the current user has full access via a group or if they have
access to a given collection via a group
pull/3754/head
Stefan Melmuk 2 years ago
committed by Matlink
parent
a41125d34f
commit
e858b96ff1
2 changed files with 21 additions and 27 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 20
      src/api/core/organizations.rs
  2. 28
      src/db/models/group.rs

20
src/api/core/organizations.rs
View File

@ -321,14 +321,10 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose,
}; };
let coll_users = CollectionUser::find_by_organization(org_id, &mut conn).await; let coll_users = CollectionUser::find_by_organization(org_id, &mut conn).await;
// uuids of users in groups having access to all collections
let has_full_access_via_group = if CONFIG.org_groups_enabled() {
GroupUser::get_members_of_full_access_groups(org_id, &mut conn).await
} else {
vec![]
};
let has_full_access = user_org.access_all || has_full_access_via_group.contains(&user_org.uuid); let has_full_access_via_group =
CONFIG.org_groups_enabled() && GroupUser::has_full_access_by_member(org_id, &user_org.uuid, &mut conn).await;
let has_full_access = user_org.access_all || has_full_access_via_group;
for col in Collection::find_by_organization(org_id, &mut conn).await { for col in Collection::find_by_organization(org_id, &mut conn).await {
let groups: Vec<Value> = if CONFIG.org_groups_enabled() { let groups: Vec<Value> = if CONFIG.org_groups_enabled() {
@ -359,12 +355,10 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose,
}) })
.collect(); .collect();
// if the current user is not assigned and groups are enabled, // check if the current user has access to the given collection via a group
// check if they have access to the given collection via a group if !assigned && CONFIG.org_groups_enabled() {
if !assigned && CONFIG.org_groups_enabled() assigned = GroupUser::has_access_to_collection_by_member(&col.uuid, &user_org.uuid, &mut conn).await;
{ }
assigned = GroupUser::get_group_members_for_collection(&col.uuid, &mut conn).await.contains(&user_org.uuid);
}
let mut json_object = col.to_json(); let mut json_object = col.to_json();
json_object["Assigned"] = json!(assigned); json_object["Assigned"] = json!(assigned);

28
src/db/models/group.rs
View File

@ -486,23 +486,25 @@ impl GroupUser {
}} }}
} }
pub async fn get_group_members_for_collection(collection_uuid: &str, conn: &mut DbConn) -> Vec<String> { pub async fn has_access_to_collection_by_member(
collection_uuid: &str,
member_uuid: &str,
conn: &mut DbConn,
) -> bool {
db_run! { conn: { db_run! { conn: {
groups_users::table groups_users::table
.inner_join(collections_groups::table.on( .inner_join(collections_groups::table.on(
collections_groups::groups_uuid.eq(groups_users::groups_uuid) collections_groups::groups_uuid.eq(groups_users::groups_uuid)
)) ))
.filter(collections_groups::collections_uuid.eq(collection_uuid)) .filter(collections_groups::collections_uuid.eq(collection_uuid))
.select(groups_users::users_organizations_uuid) .filter(groups_users::users_organizations_uuid.eq(member_uuid))
.distinct() .count()
.load::<String>(conn) .first::<i64>(conn)
.expect("Error loading group users for collection") .unwrap_or(0) != 0
}} }}
.into_iter()
.collect()
} }
pub async fn get_members_of_full_access_groups(org_uuid: &str, conn: &mut DbConn) -> Vec<String> { pub async fn has_full_access_by_member(org_uuid: &str, member_uuid: &str, conn: &mut DbConn) -> bool {
db_run! { conn: { db_run! { conn: {
groups_users::table groups_users::table
.inner_join(groups::table.on( .inner_join(groups::table.on(
@ -510,13 +512,11 @@ impl GroupUser {
)) ))
.filter(groups::organizations_uuid.eq(org_uuid)) .filter(groups::organizations_uuid.eq(org_uuid))
.filter(groups::access_all.eq(true)) .filter(groups::access_all.eq(true))
.select(groups_users::users_organizations_uuid) .filter(groups_users::users_organizations_uuid.eq(member_uuid))
.distinct() .count()
.load::<String>(conn) .first::<i64>(conn)
.expect("Error loading all access group users for organization") .unwrap_or(0) != 0
}} }}
.into_iter()
.collect()
} }
pub async fn update_user_revision(&self, conn: &mut DbConn) { pub async fn update_user_revision(&self, conn: &mut DbConn) {

Write Preview
Loading…
Cancel
Save