From dfb12320817a58484d259011e49d9552b450f2bc Mon Sep 17 00:00:00 2001
From: Miroslav Prasil
Date: Fri, 11 May 2018 14:24:41 +0100
Subject: [PATCH] Filter collection lists based on user

---
 src/api/core/ciphers.rs | 2 +-
 src/db/models/cipher.rs | 22 +++++++++++++++++++---
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/api/core/ciphers.rs b/src/api/core/ciphers.rs
index d3d4717e..a8ba1c5e 100644
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -318,7 +318,7 @@ fn post_collections_admin(uuid: String, data: Json, header
     }
 
     let posted_collections: HashSet = data.collectionIds.iter().cloned().collect();
-    let current_collections: HashSet = cipher.get_collections(&conn).iter().cloned().collect();
+    let current_collections: HashSet = cipher.get_collections(&headers.user.uuid ,&conn).iter().cloned().collect();
 
     for collection in posted_collections.symmetric_difference(¤t_collections) {
         match Collection::find_by_uuid(&collection, &conn) {
diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
index 94077e54..e72c2ab0 100644
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -3,7 +3,7 @@ use serde_json::Value as JsonValue;
 use uuid::Uuid;
 
-use super::{User, Organization, UserOrganization, FolderCipher};
+use super::{User, Organization, UserOrganization, FolderCipher, UserOrgType};
 
 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "ciphers"]
@@ -98,7 +98,7 @@ impl Cipher {
             "OrganizationId": self.organization_uuid,
             "Attachments": attachments_json,
             "OrganizationUseTotp": false,
-            "CollectionIds": self.get_collections(&conn),
+            "CollectionIds": self.get_collections(user_uuid, &conn),
             "Name": self.name,
             "Notes": self.notes,
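Review bot: `current_collections` in post_collections_admin is now the caller's view of the cipher's collections rather than the full set, so the symmetric difference against `posted_collections` only reflects collections the caller is allowed to see; if this endpoint can ever be reached by a member whose filtered view omits a collection the cipher is actually in, a posted id for that collection would be treated as "not current" and go down the add path rather than being a no-op — worth confirming that `headers` here is guaranteed to be an org admin/owner, for whom the new filter returns everything. Separately, the added call has a misplaced comma: `cipher.get_collections(&headers.user.uuid, &conn)` is what rustfmt would produce. The body of post_collections_admin begins before and continues after this hunk, so the match arms that act on the difference are not visible here.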
@@ -242,9 +242,25 @@ impl Cipher {
             .load::(&**conn).expect("Error loading ciphers")
     }
 
-    pub fn get_collections(&self, conn: &DbConn) -> Vec {
+    pub fn get_collections(&self, user_id: &str, conn: &DbConn) -> Vec {
         ciphers_collections::table
+            .inner_join(collections::table.on(
+                collections::uuid.eq(ciphers_collections::collection_uuid)
+            ))
+            .inner_join(users_organizations::table.on(
+                users_organizations::org_uuid.eq(collections::org_uuid).and(
+                    users_organizations::user_uuid.eq(user_id)
+                )
+            ))
+            .left_join(users_collections::table.on(
+                users_collections::collection_uuid.eq(ciphers_collections::collection_uuid)
+            ))
             .filter(ciphers_collections::cipher_uuid.eq(&self.uuid))
+            .filter(users_collections::user_uuid.eq(user_id).or( // User has access to collection
+                users_organizations::access_all.eq(true).or( // User has access all
+                    users_organizations::type_.le(UserOrgType::Admin as i32) // User is admin or owner
+                )
+            ))
             .select(ciphers_collections::collection_uuid)
             .load::(&**conn).unwrap_or(vec![])
     }
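Review bot: The `left_join` on `users_collections` is keyed only on `collection_uuid`, so for a caller who passes the `access_all` or admin/owner branch of the OR filter the query yields one row per user that has been granted the collection, and `get_collections` returns duplicate ids; `to_json` emits them straight into `CollectionIds` (post_collections_admin happens to dedupe via `HashSet`). Restrict the join to the caller in the ON clause and test for a matched row, or at minimum add `.distinct()` before `.select(...)`. Two hedged caveats on the same filter: the `users_organizations` join does not check any membership-status column (if invited-but-unconfirmed members exist in that table they would pass), and `type_.le(UserOrgType::Admin as i32)` assumes lower discriminants are more privileged — fine if the enum is ordered Owner < Admin < User, but worth a comment. `unwrap_or(vec![])` also turns a DB error into "no collections", which post_collections_admin would then interpret as every posted id being new; logging the error or propagating it would be safer.

```rust
// … unchanged: inner_join on collections and users_organizations …
            .left_join(users_collections::table.on(
                users_collections::collection_uuid.eq(ciphers_collections::collection_uuid).and(
                    users_collections::user_uuid.eq(user_id)
                )
            ))
            .filter(ciphers_collections::cipher_uuid.eq(&self.uuid))
            // Row matched for this user (direct grant), or org-wide rights.
            .filter(users_collections::user_uuid.is_not_null().or(
                users_organizations::access_all.eq(true).or(
                    users_organizations::type_.le(UserOrgType::Admin as i32)
                )
            ))
            .select(ciphers_collections::collection_uuid)
            .distinct()
// … unchanged: load …
```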