mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2024-12-23 11:29:04 +00:00
Merge pull request #1333 from jjlin/fix-manager-access
Fix collection access issues for owner/admin users
This commit is contained in:
commit
b884fd20a1
14
src/auth.rs
14
src/auth.rs
@ -330,9 +330,9 @@ pub struct OrgHeaders {
|
|||||||
pub org_id: String,
|
pub org_id: String,
|
||||||
}
|
}
|
||||||
|
|
||||||
// org_id is usually the second param ("/organizations/<org_id>")
|
// org_id is usually the second path param ("/organizations/<org_id>"),
|
||||||
// But there are cases where it is located in a query value.
|
// but there are cases where it is a query value.
|
||||||
// First check the param, if this is not a valid uuid, we will try the query value.
|
// First check the path, if this is not a valid uuid, try the query values.
|
||||||
fn get_org_id(request: &Request) -> Option<String> {
|
fn get_org_id(request: &Request) -> Option<String> {
|
||||||
if let Some(Ok(org_id)) = request.get_param::<String>(1) {
|
if let Some(Ok(org_id)) = request.get_param::<String>(1) {
|
||||||
if uuid::Uuid::parse_str(&org_id).is_ok() {
|
if uuid::Uuid::parse_str(&org_id).is_ok() {
|
||||||
@ -439,9 +439,9 @@ impl Into<Headers> for AdminHeaders {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// col_id is usually the forth param ("/organizations/<org_id>/collections/<col_id>")
|
// col_id is usually the fourth path param ("/organizations/<org_id>/collections/<col_id>"),
|
||||||
// But there cloud be cases where it is located in a query value.
|
// but there could be cases where it is a query value.
|
||||||
// First check the param, if this is not a valid uuid, we will try the query value.
|
// First check the path, if this is not a valid uuid, try the query values.
|
||||||
fn get_col_id(request: &Request) -> Option<String> {
|
fn get_col_id(request: &Request) -> Option<String> {
|
||||||
if let Some(Ok(col_id)) = request.get_param::<String>(3) {
|
if let Some(Ok(col_id)) = request.get_param::<String>(3) {
|
||||||
if uuid::Uuid::parse_str(&col_id).is_ok() {
|
if uuid::Uuid::parse_str(&col_id).is_ok() {
|
||||||
@ -484,7 +484,7 @@ impl<'a, 'r> FromRequest<'a, 'r> for ManagerHeaders {
|
|||||||
_ => err_handler!("Error getting DB"),
|
_ => err_handler!("Error getting DB"),
|
||||||
};
|
};
|
||||||
|
|
||||||
if !headers.org_user.access_all {
|
if !headers.org_user.has_full_access() {
|
||||||
match CollectionUser::find_by_collection_and_user(&col_id, &headers.org_user.user_uuid, &conn) {
|
match CollectionUser::find_by_collection_and_user(&col_id, &headers.org_user.user_uuid, &conn) {
|
||||||
Some(_) => (),
|
Some(_) => (),
|
||||||
None => err_handler!("The current user isn't a manager for this collection"),
|
None => err_handler!("The current user isn't a manager for this collection"),
|
||||||
|
Loading…
Reference in New Issue
Block a user