org context checks in org apis. remove depr. code

2024-11-25 12:45:18 +01:00 · 2017-04-05 16:13:40 -04:00 · 2017-04-05 16:13:40 -04:00 · 9a1e512020
commit 9a1e512020
parent a474449354
8 changed files with 69 additions and 82 deletions
--- a/src/Api/Controllers/OrganizationsController.cs
+++ b/src/Api/Controllers/OrganizationsController.cs
@ -7,6 +7,7 @@ using Microsoft.AspNetCore.Authorization;
 using Bit.Core.Models.Api;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
+using Bit.Core;

 namespace Bit.Api.Controllers
 {
@ -18,25 +19,27 @@ namespace Bit.Api.Controllers
        private readonly IOrganizationUserRepository _organizationUserRepository;
        private readonly IOrganizationService _organizationService;
        private readonly IUserService _userService;
+        private readonly CurrentContext _currentContext;

        public OrganizationsController(
            IOrganizationRepository organizationRepository,
            IOrganizationUserRepository organizationUserRepository,
            IOrganizationService organizationService,
-            IUserService userService)
+            IUserService userService,
+            CurrentContext currentContext)
        {
            _organizationRepository = organizationRepository;
            _organizationUserRepository = organizationUserRepository;
            _organizationService = organizationService;
            _userService = userService;
+            _currentContext = currentContext;
        }

        [HttpGet("{id}")]
        public async Task<OrganizationResponseModel> Get(string id)
        {
-            var userId = _userService.GetProperUserId(User).Value;
-            var organization = await _organizationRepository.GetByIdAsync(new Guid(id), userId);
-            if(organization == null)
+            var organization = await _organizationRepository.GetByIdAsync(new Guid(id));
+            if(organization == null || !_currentContext.OrganizationAdmin(organization.Id))
            {
                throw new NotFoundException();
            }
@ -44,25 +47,6 @@ namespace Bit.Api.Controllers
            return new OrganizationResponseModel(organization);
        }

-        [HttpGet("{id}/extended")]
-        public async Task<OrganizationExtendedResponseModel> GetExtended(string id)
-        {
-            var userId = _userService.GetProperUserId(User).Value;
-            var organization = await _organizationRepository.GetByIdAsync(new Guid(id), userId);
-            if(organization == null)
-            {
-                throw new NotFoundException();
-            }
-
-            var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(new Guid(id), userId);
-            if(organizationUser == null)
-            {
-                throw new NotFoundException();
-            }
-
-            return new OrganizationExtendedResponseModel(organization, organizationUser);
-        }
-
        [HttpGet("")]
        public async Task<ListResponseModel<OrganizationResponseModel>> Get()
        {
@ -73,22 +57,20 @@ namespace Bit.Api.Controllers
        }

        [HttpPost("")]
-        public async Task<OrganizationExtendedResponseModel> Post([FromBody]OrganizationCreateRequestModel model)
+        public async Task<OrganizationResponseModel> Post([FromBody]OrganizationCreateRequestModel model)
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            var organizationSignup = model.ToOrganizationSignup(user);
            var result = await _organizationService.SignUpAsync(organizationSignup);
-            return new OrganizationExtendedResponseModel(result.Item1, result.Item2);
+            return new OrganizationResponseModel(result.Item1);
        }

        [HttpPut("{id}")]
        [HttpPost("{id}")]
        public async Task<OrganizationResponseModel> Put(string id, [FromBody]OrganizationUpdateRequestModel model)
        {
-            var userId = _userService.GetProperUserId(User).Value;
-            var organization = await _organizationRepository.GetByIdAsync(new Guid(id), userId);
-            // TODO: Permission checks
-            if(organization == null)
+            var organization = await _organizationRepository.GetByIdAsync(new Guid(id));
+            if(organization == null || !_currentContext.OrganizationAdmin(organization.Id))
            {
                throw new NotFoundException();
            }
@ -101,9 +83,8 @@ namespace Bit.Api.Controllers
        [HttpPost("{id}/delete")]
        public async Task Delete(string id)
        {
-            var organization = await _organizationRepository.GetByIdAsync(new Guid(id),
-                _userService.GetProperUserId(User).Value);
-            if(organization == null)
+            var organization = await _organizationRepository.GetByIdAsync(new Guid(id));
+            if(organization == null || !_currentContext.OrganizationAdmin(organization.Id))
            {
                throw new NotFoundException();
            }
--- a/src/Api/Middleware/CurrentContextMiddleware.cs
+++ b/src/Api/Middleware/CurrentContextMiddleware.cs
@ -20,6 +20,39 @@ namespace Bit.Api.Middleware
            {
                var securityStampClaim = httpContext.User.Claims.FirstOrDefault(c => c.Type == "device");
                currentContext.DeviceIdentifier = securityStampClaim?.Value;
+
+                var orgOwnerClaims = httpContext.User.Claims.Where(c => c.Type == "orgowner");
+                if(orgOwnerClaims.Any())
+                {
+                    currentContext.Organizations.AddRange(orgOwnerClaims.Select(c =>
+                        new CurrentContext.CurrentContentOrganization
+                        {
+                            Id = new System.Guid(c.Value),
+                            Type = Core.Enums.OrganizationUserType.Owner
+                        }));
+                }
+
+                var orgAdminClaims = httpContext.User.Claims.Where(c => c.Type == "orgadmin");
+                if(orgAdminClaims.Any())
+                {
+                    currentContext.Organizations.AddRange(orgAdminClaims.Select(c =>
+                        new CurrentContext.CurrentContentOrganization
+                        {
+                            Id = new System.Guid(c.Value),
+                            Type = Core.Enums.OrganizationUserType.Admin
+                        }));
+                }
+
+                var orgUserClaims = httpContext.User.Claims.Where(c => c.Type == "orguser");
+                if(orgUserClaims.Any())
+                {
+                    currentContext.Organizations.AddRange(orgUserClaims.Select(c =>
+                        new CurrentContext.CurrentContentOrganization
+                        {
+                            Id = new System.Guid(c.Value),
+                            Type = Core.Enums.OrganizationUserType.User
+                        }));
+                }
            }

            if(currentContext.DeviceIdentifier == null && httpContext.Request.Headers.ContainsKey("Device-Identifier"))
--- a/src/Core/CurrentContext.cs
+++ b/src/Core/CurrentContext.cs
@ -1,8 +1,8 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using System.Threading.Tasks;
 using Bit.Core.Models.Table;
+using Bit.Core.Enums;

 namespace Bit.Core
 {
@ -10,5 +10,26 @@ namespace Bit.Core
    {
        public virtual User User { get; set; }
        public virtual string DeviceIdentifier { get; set; }
+        public virtual List<CurrentContentOrganization> Organizations { get; set; } = new List<CurrentContentOrganization>();
+
+        public bool OrganizationUser(Guid orgId)
+        {
+            return Organizations.Any(o => o.Id == orgId);
+        }
+        public bool OrganizationAdmin(Guid orgId)
+        {
+            return Organizations.Any(o => o.Id == orgId &&
+                (o.Type == OrganizationUserType.Owner || o.Type == OrganizationUserType.Admin));
+        }
+        public bool OrganizationOwner(Guid orgId)
+        {
+            return Organizations.Any(o => o.Id == orgId && o.Type == OrganizationUserType.Owner);
+        }
+
+        public class CurrentContentOrganization
+        {
+            public Guid Id { get; set; }
+            public OrganizationUserType Type { get; set; }
+        }
    }
 }
--- a/src/Core/Models/Api/Response/OrganizationResponseModel.cs
+++ b/src/Core/Models/Api/Response/OrganizationResponseModel.cs
@ -24,24 +24,8 @@ namespace Bit.Core.Models.Api
        public string Id { get; set; }
        public string Name { get; set; }
        public string Plan { get; set; }
-        public Core.Enums.PlanType PlanType { get; set; }
+        public Enums.PlanType PlanType { get; set; }
        public bool PlanTrial { get; set; }
        public short MaxUsers { get; set; }
    }
-
-    public class OrganizationExtendedResponseModel : OrganizationResponseModel
-    {
-        public OrganizationExtendedResponseModel(Organization organization, OrganizationUser organizationUser)
-            : base(organization, "organizationExtended")
-        {
-            if(organizationUser == null)
-            {
-                throw new ArgumentNullException(nameof(organizationUser));
-            }
-
-            Key = organizationUser.Key;
-        }
-
-        public string Key { get; set; }
-    }
 }
--- a/src/Core/Repositories/IOrganizationRepository.cs
+++ b/src/Core/Repositories/IOrganizationRepository.cs
@ -7,7 +7,6 @@ namespace Bit.Core.Repositories
 {
    public interface IOrganizationRepository : IRepository<Organization, Guid>
    {
-        Task<Organization> GetByIdAsync(Guid id, Guid userId);
        Task<ICollection<Organization>> GetManyByUserIdAsync(Guid userId);
    }
 }
--- a/src/Core/Repositories/SqlServer/OrganizationRepository.cs
+++ b/src/Core/Repositories/SqlServer/OrganizationRepository.cs
@ -19,19 +19,6 @@ namespace Bit.Core.Repositories.SqlServer
            : base(connectionString)
        { }

-        public async Task<Organization> GetByIdAsync(Guid id, Guid userId)
-        {
-            using(var connection = new SqlConnection(ConnectionString))
-            {
-                var results = await connection.QueryAsync<Organization>(
-                    "[dbo].[Organization_ReadByIdUserId]",
-                    new { Id = id, UserId = userId },
-                    commandType: CommandType.StoredProcedure);
-
-                return results.SingleOrDefault();
-            }
-        }
-
        public async Task<ICollection<Organization>> GetManyByUserIdAsync(Guid userId)
        {
            using(var connection = new SqlConnection(ConnectionString))
--- a/src/Sql/Sql.sqlproj
+++ b/src/Sql/Sql.sqlproj
@ -163,7 +163,6 @@
    <Build Include="dbo\Stored Procedures\Cipher_UpdatePartial.sql" />
    <Build Include="dbo\Stored Procedures\OrganizationUserOrganizationDetails_ReadByUserIdStatus.sql" />
    <Build Include="dbo\Stored Procedures\OrganizationUser_ReadByOrganizationIdEmail.sql" />
-    <Build Include="dbo\Stored Procedures\Organization_ReadByIdUserId.sql" />
    <Build Include="dbo\Stored Procedures\OrganizationUser_ReadByOrganizationId.sql" />
    <Build Include="dbo\Stored Procedures\Organization_ReadByUserId.sql" />
    <Build Include="dbo\Stored Procedures\Subvault_ReadByIdAdminUserId.sql" />
--- a/Procedures/Organization_ReadByIdUserId.sql
+++ b/Procedures/Organization_ReadByIdUserId.sql
@ -1,17 +0,0 @@
-CREATE PROCEDURE [dbo].[Organization_ReadByIdUserId]
-    @Id UNIQUEIDENTIFIER,
-    @UserId UNIQUEIDENTIFIER
-AS
-BEGIN
-    SET NOCOUNT ON
-
-    SELECT
-        O.*
-    FROM
-        [dbo].[OrganizationView] O
-    INNER JOIN
-        [dbo].[OrganizationUser] OU ON O.[Id] = OU.[OrganizationId]
-    WHERE
-        O.[Id] = @Id
-        AND OU.[UserId] = @UserId
-END