Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-01-22 21:51:22 +01:00
Code Issues Projects Releases Wiki Activity

Only owner can change the type of another owner.

Browse Source 
resolves #467
This commit is contained in:
Kyle Spearrin 2019-03-28 12:36:57 -04:00
parent 3f598c35fc
commit 54c46f716b
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/Core/Services/Implementations/OrganizationService.cs
View File

@ -1012,12 +1012,20 @@ namespace Bit.Core.Services
throw new BadRequestException("Invite the user first.");
}
if(savingUserId.HasValue && user.Type == OrganizationUserType.Owner)
if(savingUserId.HasValue)
{
var savingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(savingUserId.Value);
if(!savingUserOrgs.Any(u => u.OrganizationId == user.OrganizationId && u.Type == OrganizationUserType.Owner))
var savingUserIsOrgOwner = savingUserOrgs
.Any(u => u.OrganizationId == user.OrganizationId && u.Type == OrganizationUserType.Owner);
if(!savingUserIsOrgOwner)
{
throw new BadRequestException("Only owners can update other owners.");
var originalUser = await _organizationUserRepository.GetByIdAsync(user.Id);
var isOwner = originalUser.Type == OrganizationUserType.Owner;
var nowOwner = user.Type == OrganizationUserType.Owner;
if((isOwner && !nowOwner) || (!isOwner && nowOwner))
{
throw new BadRequestException("Only an owner can change the user type of another owner.");
}
}
}