0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-01-21 01:12:28 -05:00

Merge branch 'BlackDex-issue-2932-take2'

This commit is contained in:
Daniel García 2022-12-08 20:43:15 +01:00
commit 7f7b5447fd
No known key found for this signature in database
GPG key ID: FC8A7D14C3CD543A
2 changed files with 36 additions and 11 deletions

View file

@ -266,7 +266,7 @@ use rocket::{
}; };
use crate::db::{ use crate::db::{
models::{CollectionUser, Device, User, UserOrgStatus, UserOrgType, UserOrganization, UserStampException}, models::{Collection, Device, User, UserOrgStatus, UserOrgType, UserOrganization, UserStampException},
DbConn, DbConn,
}; };
@ -558,17 +558,15 @@ impl<'r> FromRequest<'r> for ManagerHeaders {
_ => err_handler!("Error getting DB"), _ => err_handler!("Error getting DB"),
}; };
if !headers.org_user.has_full_access() { if !headers.org_user.has_full_access()
match CollectionUser::find_by_collection_and_user( && !Collection::has_access_by_collection_and_user_uuid(
&col_id, &col_id,
&headers.org_user.user_uuid, &headers.org_user.user_uuid,
&mut conn, &mut conn,
) )
.await .await
{ {
Some(_) => (), err_handler!("The current user isn't a manager for this collection")
None => err_handler!("The current user isn't a manager for this collection"),
}
} }
} }
_ => err_handler!("Error getting the collection id"), _ => err_handler!("Error getting the collection id"),

View file

@ -167,15 +167,15 @@ impl Collection {
users_collections::user_uuid.eq(user_uuid.clone()) users_collections::user_uuid.eq(user_uuid.clone())
) )
)) ))
.left_join(users_organizations::table.on( .inner_join(users_organizations::table.on(
collections::org_uuid.eq(users_organizations::org_uuid).and( collections::org_uuid.eq(users_organizations::org_uuid).and(
users_organizations::user_uuid.eq(user_uuid.clone()) users_organizations::user_uuid.eq(user_uuid.clone())
) )
)) ))
.left_join(groups_users::table.on( .inner_join(groups_users::table.on(
groups_users::users_organizations_uuid.eq(users_organizations::uuid) groups_users::users_organizations_uuid.eq(users_organizations::uuid)
)) ))
.left_join(groups::table.on( .inner_join(groups::table.on(
groups::uuid.eq(groups_users::groups_uuid) groups::uuid.eq(groups_users::groups_uuid)
)) ))
.left_join(collections_groups::table.on( .left_join(collections_groups::table.on(
@ -203,6 +203,17 @@ impl Collection {
}} }}
} }
// Check if a user has access to a specific collection
// FIXME: This needs to be reviewed. The query used by `find_by_user_uuid` could be adjusted to filter when needed.
// For now this is a good solution without making to much changes.
pub async fn has_access_by_collection_and_user_uuid(
collection_uuid: &str,
user_uuid: &str,
conn: &mut DbConn,
) -> bool {
Self::find_by_user_uuid(user_uuid.to_owned(), conn).await.into_iter().any(|c| c.uuid == collection_uuid)
}
pub async fn find_by_organization_and_user_uuid(org_uuid: &str, user_uuid: &str, conn: &mut DbConn) -> Vec<Self> { pub async fn find_by_organization_and_user_uuid(org_uuid: &str, user_uuid: &str, conn: &mut DbConn) -> Vec<Self> {
Self::find_by_user_uuid(user_uuid.to_owned(), conn) Self::find_by_user_uuid(user_uuid.to_owned(), conn)
.await .await
@ -241,16 +252,32 @@ impl Collection {
users_collections::user_uuid.eq(user_uuid.clone()) users_collections::user_uuid.eq(user_uuid.clone())
) )
)) ))
.left_join(users_organizations::table.on( .inner_join(users_organizations::table.on(
collections::org_uuid.eq(users_organizations::org_uuid).and( collections::org_uuid.eq(users_organizations::org_uuid).and(
users_organizations::user_uuid.eq(user_uuid) users_organizations::user_uuid.eq(user_uuid)
) )
)) ))
.inner_join(groups_users::table.on(
groups_users::users_organizations_uuid.eq(users_organizations::uuid)
))
.inner_join(groups::table.on(
groups::uuid.eq(groups_users::groups_uuid)
))
.left_join(collections_groups::table.on(
collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
collections_groups::collections_uuid.eq(collections::uuid)
)
))
.filter(collections::uuid.eq(uuid)) .filter(collections::uuid.eq(uuid))
.filter( .filter(
users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection
users_organizations::access_all.eq(true).or( // access_all in Organization users_organizations::access_all.eq(true).or( // access_all in Organization
users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner
)).or(
groups::access_all.eq(true) // access_all in groups
).or( // access via groups
groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
collections_groups::collections_uuid.is_not_null()
) )
) )
).select(collections::all_columns) ).select(collections::all_columns)