Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2024-11-23 12:25:16 +01:00
Code Issues Projects Releases Wiki Activity

only owners can manage owners

Browse Source
This commit is contained in:
Kyle Spearrin 2017-09-27 22:37:13 -04:00
parent c135a2a166
commit 2444346ea9
2 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/Api/Controllers/OrganizationUsersController.cs
View File

@ -174,6 +174,11 @@ namespace Bit.Api.Controllers
throw new NotFoundException(); throw new NotFoundException();
} }
if(organizationUser.Type == Core.Enums.OrganizationUserType.Owner && !_currentContext.OrganizationOwner(orgGuidId))
{
throw new BadRequestException("Only owners can update other owners.");
}
await _organizationUserRepository.UpdateGroupsAsync(organizationUser.Id, model.GroupIds.Select(g => new Guid(g))); await _organizationUserRepository.UpdateGroupsAsync(organizationUser.Id, model.GroupIds.Select(g => new Guid(g)));
} }

28
src/Core/Services/Implementations/OrganizationService.cs
View File

@ -809,6 +809,15 @@ namespace Bit.Core.Services
throw new NotFoundException(); throw new NotFoundException();
} }
if(type == OrganizationUserType.Owner)
{
var invitingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(invitingUserId);
if(!invitingUserOrgs.Any(u => u.OrganizationId == organizationId && u.Type == OrganizationUserType.Owner))
{
throw new BadRequestException("Only owners can invite new owners.");
}
}
if(organization.Seats.HasValue) if(organization.Seats.HasValue)
{ {
var userCount = await _organizationUserRepository.GetCountByOrganizationIdAsync(organizationId); var userCount = await _organizationUserRepository.GetCountByOrganizationIdAsync(organizationId);
@ -995,13 +1004,21 @@ namespace Bit.Core.Services
throw new BadRequestException("Invite the user first."); throw new BadRequestException("Invite the user first.");
} }
if(user.Type == OrganizationUserType.Owner)
{
var savingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(savingUserId);
if(!savingUserOrgs.Any(u => u.OrganizationId == user.OrganizationId && u.Type == OrganizationUserType.Owner))
{
throw new BadRequestException("Only owners can update other owners.");
}
}
var confirmedOwners = (await GetConfirmedOwnersAsync(user.OrganizationId)).ToList(); var confirmedOwners = (await GetConfirmedOwnersAsync(user.OrganizationId)).ToList();
if(user.Type != OrganizationUserType.Owner && confirmedOwners.Count == 1 && confirmedOwners[0].Id == user.Id) if(user.Type != OrganizationUserType.Owner && confirmedOwners.Count == 1 && confirmedOwners[0].Id == user.Id)
{ {
throw new BadRequestException("Organization must have at least one confirmed owner."); throw new BadRequestException("Organization must have at least one confirmed owner.");
} }
if(user.AccessAll) if(user.AccessAll)
{ {
// We don't need any collections if we're flagged to have all access. // We don't need any collections if we're flagged to have all access.
@ -1023,6 +1040,15 @@ namespace Bit.Core.Services
throw new BadRequestException("You cannot remove yourself."); throw new BadRequestException("You cannot remove yourself.");
} }
if(orgUser.Type == OrganizationUserType.Owner)
{
var deletingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(deletingUserId);
if(!deletingUserOrgs.Any(u => u.OrganizationId == organizationId && u.Type == OrganizationUserType.Owner))
{
throw new BadRequestException("Only owners can delete other owners.");
}
}
var confirmedOwners = (await GetConfirmedOwnersAsync(organizationId)).ToList(); var confirmedOwners = (await GetConfirmedOwnersAsync(organizationId)).ToList();
if(confirmedOwners.Count == 1 && confirmedOwners[0].Id == organizationUserId) if(confirmedOwners.Count == 1 && confirmedOwners[0].Id == organizationUserId)
{ {