mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2024-12-23 11:29:04 +00:00
Merge pull request #36 from mprasil/cipher_access
Better check for cipher access
This commit is contained in:
commit
513f857672
@ -3,7 +3,7 @@ use serde_json::Value as JsonValue;
|
|||||||
|
|
||||||
use uuid::Uuid;
|
use uuid::Uuid;
|
||||||
|
|
||||||
use super::{User, Organization, UserOrganization, Attachment, FolderCipher, CollectionCipher, UserOrgType};
|
use super::{User, Organization, Attachment, FolderCipher, CollectionCipher, UserOrgType};
|
||||||
|
|
||||||
#[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
|
#[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
|
||||||
#[table_name = "ciphers"]
|
#[table_name = "ciphers"]
|
||||||
@ -194,29 +194,57 @@ impl Cipher {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub fn is_write_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool {
|
pub fn is_write_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool {
|
||||||
match self.user_uuid {
|
match ciphers::table
|
||||||
Some(ref self_user_uuid) => self_user_uuid == user_uuid, // cipher directly owned by user
|
.filter(ciphers::uuid.eq(&self.uuid))
|
||||||
None =>{
|
.left_join(users_organizations::table.on(
|
||||||
match self.organization_uuid {
|
ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable()).and(
|
||||||
Some(ref org_uuid) => {
|
users_organizations::user_uuid.eq(user_uuid)
|
||||||
match users_organizations::table
|
)
|
||||||
.filter(users_organizations::org_uuid.eq(org_uuid))
|
))
|
||||||
.filter(users_organizations::user_uuid.eq(user_uuid))
|
.left_join(ciphers_collections::table)
|
||||||
.filter(users_organizations::access_all.eq(true))
|
.left_join(users_collections::table.on(
|
||||||
.first::<UserOrganization>(&**conn).ok() {
|
ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
|
||||||
Some(_) => true,
|
))
|
||||||
None => false //TODO R/W access on collection
|
.filter(ciphers::user_uuid.eq(user_uuid).or( // Cipher owner
|
||||||
}
|
users_organizations::access_all.eq(true).or( // access_all in Organization
|
||||||
},
|
users_organizations::type_.le(UserOrgType::Admin as i32).or( // Org admin or owner
|
||||||
None => false // cipher not in organization and not owned by user
|
users_collections::user_uuid.eq(user_uuid).and(
|
||||||
}
|
users_collections::read_only.eq(false) //R/W access to collection
|
||||||
}
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
))
|
||||||
|
.select(ciphers::all_columns)
|
||||||
|
.first::<Self>(&**conn).ok() {
|
||||||
|
Some(_) => true,
|
||||||
|
None => false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn is_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool {
|
pub fn is_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool {
|
||||||
// TODO also check for read-only access
|
match ciphers::table
|
||||||
self.is_write_accessible_to_user(user_uuid, conn)
|
.filter(ciphers::uuid.eq(&self.uuid))
|
||||||
|
.left_join(users_organizations::table.on(
|
||||||
|
ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable()).and(
|
||||||
|
users_organizations::user_uuid.eq(user_uuid)
|
||||||
|
)
|
||||||
|
))
|
||||||
|
.left_join(ciphers_collections::table)
|
||||||
|
.left_join(users_collections::table.on(
|
||||||
|
ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
|
||||||
|
))
|
||||||
|
.filter(ciphers::user_uuid.eq(user_uuid).or( // Cipher owner
|
||||||
|
users_organizations::access_all.eq(true).or( // access_all in Organization
|
||||||
|
users_organizations::type_.le(UserOrgType::Admin as i32).or( // Org admin or owner
|
||||||
|
users_collections::user_uuid.eq(user_uuid) // Access to Collection
|
||||||
|
)
|
||||||
|
)
|
||||||
|
))
|
||||||
|
.select(ciphers::all_columns)
|
||||||
|
.first::<Self>(&**conn).ok() {
|
||||||
|
Some(_) => true,
|
||||||
|
None => false
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn get_folder_uuid(&self, user_uuid: &str, conn: &DbConn) -> Option<String> {
|
pub fn get_folder_uuid(&self, user_uuid: &str, conn: &DbConn) -> Option<String> {
|
||||||
|
Loading…
Reference in New Issue
Block a user