[PM-5450] Add check for admin/org access for events (#4705)

* check to see if the org allows access to collections/ciphers to owners for events * linter * add check for organization value before attempting to use it * refactor logic to check for org abilities * remove checks for organization abilities - The previous logic would block events from being collected when a cipher was unassigned * check for organization when recording an event from owner/admin
2024-11-21 12:05:42 +01:00 · 2024-09-30 08:59:18 -05:00 · 2024-09-30 08:59:18 -05:00 · 7b1edb3d3f
commit 7b1edb3d3f
parent fa87c827fd
1 changed files with 19 additions and 2 deletions
--- a/src/Events/Controllers/CollectController.cs
+++ b/src/Events/Controllers/CollectController.cs
@ -19,19 +19,22 @@ public class CollectController : Controller
    private readonly ICipherRepository _cipherRepository;
    private readonly IOrganizationRepository _organizationRepository;
    private readonly IFeatureService _featureService;
+    private readonly IApplicationCacheService _applicationCacheService;

    public CollectController(
        ICurrentContext currentContext,
        IEventService eventService,
        ICipherRepository cipherRepository,
        IOrganizationRepository organizationRepository,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IApplicationCacheService applicationCacheService)
    {
        _currentContext = currentContext;
        _eventService = eventService;
        _cipherRepository = cipherRepository;
        _organizationRepository = organizationRepository;
        _featureService = featureService;
+        _applicationCacheService = applicationCacheService;
    }

    [HttpPost]
@ -77,7 +80,21 @@ public class CollectController : Controller
                    }
                    if (cipher == null)
                    {
-                        continue;
+                        // When the user cannot access the cipher directly, check if the organization allows for
+                        // admin/owners access to all collections and the user can access the cipher from that perspective.
+                        if (!eventModel.OrganizationId.HasValue)
+                        {
+                            continue;
+                        }
+
+                        cipher = await _cipherRepository.GetByIdAsync(eventModel.CipherId.Value);
+                        var cipherBelongsToOrg = cipher.OrganizationId == eventModel.OrganizationId;
+                        var org = _currentContext.GetOrganization(eventModel.OrganizationId.Value);
+
+                        if (!cipherBelongsToOrg || org == null || cipher == null)
+                        {
+                            continue;
+                        }
                    }
                    if (!ciphersCache.ContainsKey(eventModel.CipherId.Value))
                    {