mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-01-11 10:38:15 +00:00
Merge branch 'BlackDex-issue-2932-take2'
This commit is contained in:
commit
7f7b5447fd
12
src/auth.rs
12
src/auth.rs
@ -266,7 +266,7 @@ use rocket::{
|
|||||||
};
|
};
|
||||||
|
|
||||||
use crate::db::{
|
use crate::db::{
|
||||||
models::{CollectionUser, Device, User, UserOrgStatus, UserOrgType, UserOrganization, UserStampException},
|
models::{Collection, Device, User, UserOrgStatus, UserOrgType, UserOrganization, UserStampException},
|
||||||
DbConn,
|
DbConn,
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -558,17 +558,15 @@ impl<'r> FromRequest<'r> for ManagerHeaders {
|
|||||||
_ => err_handler!("Error getting DB"),
|
_ => err_handler!("Error getting DB"),
|
||||||
};
|
};
|
||||||
|
|
||||||
if !headers.org_user.has_full_access() {
|
if !headers.org_user.has_full_access()
|
||||||
match CollectionUser::find_by_collection_and_user(
|
&& !Collection::has_access_by_collection_and_user_uuid(
|
||||||
&col_id,
|
&col_id,
|
||||||
&headers.org_user.user_uuid,
|
&headers.org_user.user_uuid,
|
||||||
&mut conn,
|
&mut conn,
|
||||||
)
|
)
|
||||||
.await
|
.await
|
||||||
{
|
{
|
||||||
Some(_) => (),
|
err_handler!("The current user isn't a manager for this collection")
|
||||||
None => err_handler!("The current user isn't a manager for this collection"),
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
_ => err_handler!("Error getting the collection id"),
|
_ => err_handler!("Error getting the collection id"),
|
||||||
|
@ -167,15 +167,15 @@ impl Collection {
|
|||||||
users_collections::user_uuid.eq(user_uuid.clone())
|
users_collections::user_uuid.eq(user_uuid.clone())
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
.left_join(users_organizations::table.on(
|
.inner_join(users_organizations::table.on(
|
||||||
collections::org_uuid.eq(users_organizations::org_uuid).and(
|
collections::org_uuid.eq(users_organizations::org_uuid).and(
|
||||||
users_organizations::user_uuid.eq(user_uuid.clone())
|
users_organizations::user_uuid.eq(user_uuid.clone())
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
.left_join(groups_users::table.on(
|
.inner_join(groups_users::table.on(
|
||||||
groups_users::users_organizations_uuid.eq(users_organizations::uuid)
|
groups_users::users_organizations_uuid.eq(users_organizations::uuid)
|
||||||
))
|
))
|
||||||
.left_join(groups::table.on(
|
.inner_join(groups::table.on(
|
||||||
groups::uuid.eq(groups_users::groups_uuid)
|
groups::uuid.eq(groups_users::groups_uuid)
|
||||||
))
|
))
|
||||||
.left_join(collections_groups::table.on(
|
.left_join(collections_groups::table.on(
|
||||||
@ -203,6 +203,17 @@ impl Collection {
|
|||||||
}}
|
}}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if a user has access to a specific collection
|
||||||
|
// FIXME: This needs to be reviewed. The query used by `find_by_user_uuid` could be adjusted to filter when needed.
|
||||||
|
// For now this is a good solution without making to much changes.
|
||||||
|
pub async fn has_access_by_collection_and_user_uuid(
|
||||||
|
collection_uuid: &str,
|
||||||
|
user_uuid: &str,
|
||||||
|
conn: &mut DbConn,
|
||||||
|
) -> bool {
|
||||||
|
Self::find_by_user_uuid(user_uuid.to_owned(), conn).await.into_iter().any(|c| c.uuid == collection_uuid)
|
||||||
|
}
|
||||||
|
|
||||||
pub async fn find_by_organization_and_user_uuid(org_uuid: &str, user_uuid: &str, conn: &mut DbConn) -> Vec<Self> {
|
pub async fn find_by_organization_and_user_uuid(org_uuid: &str, user_uuid: &str, conn: &mut DbConn) -> Vec<Self> {
|
||||||
Self::find_by_user_uuid(user_uuid.to_owned(), conn)
|
Self::find_by_user_uuid(user_uuid.to_owned(), conn)
|
||||||
.await
|
.await
|
||||||
@ -241,16 +252,32 @@ impl Collection {
|
|||||||
users_collections::user_uuid.eq(user_uuid.clone())
|
users_collections::user_uuid.eq(user_uuid.clone())
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
.left_join(users_organizations::table.on(
|
.inner_join(users_organizations::table.on(
|
||||||
collections::org_uuid.eq(users_organizations::org_uuid).and(
|
collections::org_uuid.eq(users_organizations::org_uuid).and(
|
||||||
users_organizations::user_uuid.eq(user_uuid)
|
users_organizations::user_uuid.eq(user_uuid)
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
|
.inner_join(groups_users::table.on(
|
||||||
|
groups_users::users_organizations_uuid.eq(users_organizations::uuid)
|
||||||
|
))
|
||||||
|
.inner_join(groups::table.on(
|
||||||
|
groups::uuid.eq(groups_users::groups_uuid)
|
||||||
|
))
|
||||||
|
.left_join(collections_groups::table.on(
|
||||||
|
collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
|
||||||
|
collections_groups::collections_uuid.eq(collections::uuid)
|
||||||
|
)
|
||||||
|
))
|
||||||
.filter(collections::uuid.eq(uuid))
|
.filter(collections::uuid.eq(uuid))
|
||||||
.filter(
|
.filter(
|
||||||
users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection
|
users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection
|
||||||
users_organizations::access_all.eq(true).or( // access_all in Organization
|
users_organizations::access_all.eq(true).or( // access_all in Organization
|
||||||
users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner
|
users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner
|
||||||
|
)).or(
|
||||||
|
groups::access_all.eq(true) // access_all in groups
|
||||||
|
).or( // access via groups
|
||||||
|
groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
|
||||||
|
collections_groups::collections_uuid.is_not_null()
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
).select(collections::all_columns)
|
).select(collections::all_columns)
|
||||||
|
Loading…
Reference in New Issue
Block a user