mirror of
https://github.com/bitwarden/server.git
synced 2024-11-21 12:05:42 +01:00
[PM-5450] Add check for admin/org access for events (#4705)
* check to see if the org allows access to collections/ciphers to owners for events * linter * add check for organization value before attempting to use it * refactor logic to check for org abilities * remove checks for organization abilities - The previous logic would block events from being collected when a cipher was unassigned * check for organization when recording an event from owner/admin
This commit is contained in:
parent
fa87c827fd
commit
7b1edb3d3f
@ -19,19 +19,22 @@ public class CollectController : Controller
|
||||
private readonly ICipherRepository _cipherRepository;
|
||||
private readonly IOrganizationRepository _organizationRepository;
|
||||
private readonly IFeatureService _featureService;
|
||||
private readonly IApplicationCacheService _applicationCacheService;
|
||||
|
||||
public CollectController(
|
||||
ICurrentContext currentContext,
|
||||
IEventService eventService,
|
||||
ICipherRepository cipherRepository,
|
||||
IOrganizationRepository organizationRepository,
|
||||
IFeatureService featureService)
|
||||
IFeatureService featureService,
|
||||
IApplicationCacheService applicationCacheService)
|
||||
{
|
||||
_currentContext = currentContext;
|
||||
_eventService = eventService;
|
||||
_cipherRepository = cipherRepository;
|
||||
_organizationRepository = organizationRepository;
|
||||
_featureService = featureService;
|
||||
_applicationCacheService = applicationCacheService;
|
||||
}
|
||||
|
||||
[HttpPost]
|
||||
@ -76,9 +79,23 @@ public class CollectController : Controller
|
||||
_currentContext.UserId.Value);
|
||||
}
|
||||
if (cipher == null)
|
||||
{
|
||||
// When the user cannot access the cipher directly, check if the organization allows for
|
||||
// admin/owners access to all collections and the user can access the cipher from that perspective.
|
||||
if (!eventModel.OrganizationId.HasValue)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
cipher = await _cipherRepository.GetByIdAsync(eventModel.CipherId.Value);
|
||||
var cipherBelongsToOrg = cipher.OrganizationId == eventModel.OrganizationId;
|
||||
var org = _currentContext.GetOrganization(eventModel.OrganizationId.Value);
|
||||
|
||||
if (!cipherBelongsToOrg || org == null || cipher == null)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
}
|
||||
if (!ciphersCache.ContainsKey(eventModel.CipherId.Value))
|
||||
{
|
||||
ciphersCache.Add(eventModel.CipherId.Value, cipher);
|
||||
|
Loading…
Reference in New Issue
Block a user