permission checks for cipher crud operations

2025-02-23 03:01:23 +01:00 · 2017-03-24 09:27:15 -04:00 · 2017-03-24 09:27:15 -04:00 · 10c72fafda
commit 10c72fafda
parent 0dae19bd4f
10 changed files with 78 additions and 11 deletions
--- a/src/Api/Controllers/CiphersController.cs
+++ b/src/Api/Controllers/CiphersController.cs
@ -127,7 +127,7 @@ namespace Bit.Api.Controllers
                throw new NotFoundException();
            }
-            await _cipherService.DeleteAsync(cipher);
+            await _cipherService.DeleteAsync(cipher, userId);
        }
    }
 }
--- a/src/Api/Controllers/LoginsController.cs
+++ b/src/Api/Controllers/LoginsController.cs
@ -59,7 +59,7 @@ namespace Bit.Api.Controllers
        {
            var userId = _userService.GetProperUserId(User).Value;
            var login = model.ToCipherDetails(userId);
-            await _cipherService.SaveAsync(login);
+            await _cipherService.SaveAsync(login, userId);
            var response = new LoginResponseModel(login);
            return response;
@ -76,7 +76,7 @@ namespace Bit.Api.Controllers
                throw new NotFoundException();
            }
-            await _cipherService.SaveAsync(model.ToCipherDetails(login));
+            await _cipherService.SaveAsync(model.ToCipherDetails(login), userId);
            var response = new LoginResponseModel(login);
            return response;
@ -86,13 +86,14 @@ namespace Bit.Api.Controllers
        [HttpPost("{id}/delete")]
        public async Task Delete(string id)
        {
-            var login = await _cipherRepository.GetByIdAsync(new Guid(id), _userService.GetProperUserId(User).Value);
+            var userId = _userService.GetProperUserId(User).Value;
            var login = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
            if(login == null || login.Type != Core.Enums.CipherType.Login)
            {
                throw new NotFoundException();
            }
-            await _cipherService.DeleteAsync(login);
+            await _cipherService.DeleteAsync(login, userId);
        }
    }
 }
--- a/src/Core/Repositories/ISubvaultUserRepository.cs
+++ b/src/Core/Repositories/ISubvaultUserRepository.cs
@ -12,5 +12,6 @@ namespace Bit.Core.Repositories
        Task<ICollection<SubvaultUserDetails>> GetManyDetailsByUserIdAsync(Guid userId);
        Task<ICollection<SubvaultUserPermissions>> GetPermissionsByUserIdAsync(Guid userId, IEnumerable<Guid> subvaultIds,
            Guid organizationId);
        Task<bool> GetIsAdminByUserIdCipherIdAsync(Guid userId, Guid cipherId);
    }
 }
--- a/src/Core/Repositories/SqlServer/SubvaultUserRepository.cs
+++ b/src/Core/Repositories/SqlServer/SubvaultUserRepository.cs
@ -60,5 +60,18 @@ namespace Bit.Core.Repositories.SqlServer
                return results.ToList();
            }
        }
        public async Task<bool> GetIsAdminByUserIdCipherIdAsync(Guid userId, Guid cipherId)
        {
            using(var connection = new SqlConnection(ConnectionString))
            {
                var result = await connection.QueryFirstOrDefaultAsync<bool>(
                    $"[{Schema}].[SubvaultUser_ReadIsAdminByCipherIdUserId]",
                    new { UserId = userId, CipherId = cipherId },
                    commandType: CommandType.StoredProcedure);
                return result;
            }
        }
    }
 }
--- a/src/Core/Services/ICipherService.cs
+++ b/src/Core/Services/ICipherService.cs
@ -8,8 +8,8 @@ namespace Bit.Core.Services
 {
    public interface ICipherService
    {
-        Task SaveAsync(CipherDetails cipher);
+        Task SaveAsync(CipherDetails cipher, Guid savingUserId);
-        Task DeleteAsync(Cipher cipher);
+        Task DeleteAsync(CipherDetails cipher, Guid deletingUserId);
        Task SaveFolderAsync(Folder folder);
        Task DeleteFolderAsync(Folder folder);
        Task MoveSubvaultAsync(Cipher cipher, IEnumerable<Guid> subvaultIds, Guid userId);
--- a/src/Core/Services/Implementations/CipherService.cs
+++ b/src/Core/Services/Implementations/CipherService.cs
@ -37,8 +37,14 @@ namespace Bit.Core.Services
            _pushService = pushService;
        }
-        public async Task SaveAsync(CipherDetails cipher)
+        public async Task SaveAsync(CipherDetails cipher, Guid savingUserId)
        {
            if(!(await UserHasAdminRights(cipher, savingUserId)))
            {
                throw new BadRequestException("Not an admin.");
            }
            cipher.UserId = savingUserId;
            if(cipher.Id == default(Guid))
            {
                await _cipherRepository.CreateAsync(cipher);
@ -56,8 +62,13 @@ namespace Bit.Core.Services
            }
        }
-        public async Task DeleteAsync(Cipher cipher)
+        public async Task DeleteAsync(CipherDetails cipher, Guid deletingUserId)
        {
            if(!(await UserHasAdminRights(cipher, deletingUserId)))
            {
                throw new BadRequestException("Not an admin.");
            }
            await _cipherRepository.DeleteAsync(cipher);
            // push
@ -151,5 +162,15 @@ namespace Bit.Core.Services
                await _pushService.PushSyncCiphersAsync(userId.Value);
            }
        }
        private async Task<bool> UserHasAdminRights(CipherDetails cipher, Guid userId)
        {
            if(!cipher.OrganizationId.HasValue && cipher.UserId.HasValue && cipher.UserId.Value == userId)
            {
                return true;
            }
            return await _subvaultUserRepository.GetIsAdminByUserIdCipherIdAsync(userId, cipher.Id);
        }
    }
 }
--- a/src/Sql/Sql.sqlproj
+++ b/src/Sql/Sql.sqlproj
@ -173,5 +173,6 @@
    <Build Include="dbo\Stored Procedures\OrganizationUserUserDetails_ReadByOrganizationId.sql" />
    <Build Include="dbo\Stored Procedures\Subvault_ReadByOrganizationIdAdminUserId.sql" />
    <Build Include="dbo\User Defined Types\GuidIdArray.sql" />
    <Build Include="dbo\Stored Procedures\SubvaultUser_ReadIsAdminByCipherIdUserId.sql" />
  </ItemGroup>
 </Project>
--- a/Procedures/CipherDetails_Create.sql
+++ b/Procedures/CipherDetails_Create.sql
@ -25,7 +25,7 @@ BEGIN
    VALUES
    (
        @Id,
-        @UserId,
+        CASE WHEN @OrganizationId IS NULL THEN @UserId ELSE NULL END,
        @OrganizationId,
        @Type,
        @Data,
--- a/Procedures/CipherDetails_Update.sql
+++ b/Procedures/CipherDetails_Update.sql
@ -15,7 +15,7 @@ BEGIN
    UPDATE
        [dbo].[Cipher]
    SET
-        [UserId] = @UserId,
+        [UserId] = CASE WHEN @OrganizationId IS NULL THEN @UserId ELSE NULL END,
        [OrganizationId] = @OrganizationId,
        [Type] = @Type,
        [Data] = @Data,
--- a/Procedures/SubvaultUser_ReadIsAdminByCipherIdUserId.sql
+++ b/Procedures/SubvaultUser_ReadIsAdminByCipherIdUserId.sql
@ -0,0 +1,30 @@
 CREATE PROCEDURE [dbo].[SubvaultUser_ReadIsAdminByCipherIdUserId]
    @UserId UNIQUEIDENTIFIER,
    @CipherId AS UNIQUEIDENTIFIER
 AS
 BEGIN
    SET NOCOUNT ON
    ;WITH [CTE] AS(
        SELECT
            CASE WHEN OU.[Type] = 2 THEN SU.[Admin] ELSE 1 END AS [Admin] -- 2 = Regular User
        FROM
            [dbo].[SubvaultUser] SU
        INNER JOIN
            [dbo].[SubvaultCipher] SC ON SC.SubvaultId = SU.SubvaultId
        INNER JOIN
            [dbo].[Cipher] C ON SC.[CipherId] = C.[Id]
        INNER JOIN
            [dbo].[OrganizationUser] OU ON OU.Id = SU.OrganizationUserId AND OU.OrganizationId = C.OrganizationId
        WHERE
            C.[Id] = @CipherId
            AND OU.[UserId] = @UserId
            AND OU.[Status] = 2 -- 2 = Confirmed
    )
    SELECT
        CASE WHEN COUNT(1) > 0 THEN 1 ELSE 0 END
    FROM
        [CTE]
    WHERE
        [Admin] = 1
 END