Admins are not limited by collection controls
This commit is contained in:
parent
06bdda5717
commit
b06aae7cfd
@ -54,8 +54,7 @@ namespace Bit.Api.Controllers
|
||||
[HttpGet("{id}/admin")]
|
||||
public async Task<LoginResponseModel> GetAdmin(string id)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var login = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
|
||||
var login = await _cipherRepository.GetDetailsByIdAsync(new Guid(id));
|
||||
if(login == null || !login.OrganizationId.HasValue ||
|
||||
!_currentContext.OrganizationAdmin(login.OrganizationId.Value))
|
||||
{
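Review bot: With the repository call on the new side no longer scoped by userId, the `!login.OrganizationId.HasValue` and `OrganizationAdmin` conditions that follow are the only access control left on this endpoint, and that invariant deserves a comment above the `if` so a later edit does not loosen it: `// GetDetailsByIdAsync performs no access check: reject personal ciphers (no OrganizationId) and ciphers of orgs the caller does not administer here.` The `userId` local computed above the replaced call is no longer read inside the hunk; GetAdmin continues below it, so drop the local only if nothing further down uses it. `new Guid(id)` still throws FormatException on a malformed id and surfaces as a server error rather than a not-found; `Guid.TryParse` would let the existing null branch handle it.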
|
||||
@ -131,7 +130,7 @@ namespace Bit.Api.Controllers
|
||||
public async Task<LoginResponseModel> PutAdmin(string id, [FromBody]LoginRequestModel model)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var login = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
|
||||
var login = await _cipherRepository.GetDetailsByIdAsync(new Guid(id));
|
||||
if(login == null || !login.OrganizationId.HasValue ||
|
||||
!_currentContext.OrganizationAdmin(login.OrganizationId.Value))
|
||||
{
|
||||
|
@ -10,6 +10,7 @@ namespace Bit.Core.Repositories
|
||||
public interface ICipherRepository : IRepository<Cipher, Guid>
|
||||
{
|
||||
Task<CipherDetails> GetByIdAsync(Guid id, Guid userId);
|
||||
Task<CipherDetails> GetDetailsByIdAsync(Guid id);
|
||||
Task<bool> GetCanEditByIdAsync(Guid userId, Guid cipherId);
|
||||
Task<ICollection<CipherDetails>> GetManyByUserIdAsync(Guid userId);
|
||||
Task<ICollection<CipherDetails>> GetManyByUserIdHasCollectionsAsync(Guid userId);
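Review bot: `GetDetailsByIdAsync(Guid id)` is the only read on ICipherRepository that takes no userId, and nothing in its signature says the returned CipherDetails is unfiltered, so it needs an XML doc comment: `/// <summary>Reads a cipher by id with no user or organization filtering and Edit reported as true; the caller must authorize access (e.g. an organization-admin check) before returning the result.</summary>`. The neighbouring `GetCanEditByIdAsync(Guid userId, Guid cipherId)` shows the contrast by carrying the user in its signature, which makes the unscoped method easy to pick by mistake from a user-facing endpoint.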
|
||||
|
@ -36,6 +36,19 @@ namespace Bit.Core.Repositories.SqlServer
|
||||
}
|
||||
}
|
||||
|
||||
public async Task<CipherDetails> GetDetailsByIdAsync(Guid id)
|
||||
{
|
||||
using(var connection = new SqlConnection(ConnectionString))
|
||||
{
|
||||
var results = await connection.QueryAsync<CipherDetails>(
|
||||
$"[{Schema}].[CipherDetails_ReadById]",
|
||||
new { Id = id },
|
||||
commandType: CommandType.StoredProcedure);
|
||||
|
||||
return results.FirstOrDefault();
|
||||
}
|
||||
}
|
||||
|
||||
public async Task<bool> GetCanEditByIdAsync(Guid userId, Guid cipherId)
|
||||
{
|
||||
using(var connection = new SqlConnection(ConnectionString))
|
||||
@ -401,7 +414,7 @@ namespace Bit.Core.Repositories.SqlServer
|
||||
}
|
||||
}
|
||||
|
||||
public async Task CreateAsync(IEnumerable<Cipher> ciphers, IEnumerable<Collection> collections,
|
||||
public async Task CreateAsync(IEnumerable<Cipher> ciphers, IEnumerable<Collection> collections,
|
||||
IEnumerable<CollectionCipher> collectionCiphers)
|
||||
{
|
||||
if(!ciphers.Any())
|
||||
|
@ -212,5 +212,6 @@
|
||||
<Build Include="dbo\Views\InstallationView.sql" />
|
||||
<Build Include="dbo\Stored Procedures\Organization_ReadByEnabled.sql" />
|
||||
<Build Include="dbo\Stored Procedures\User_ReadByPremium.sql" />
|
||||
<Build Include="dbo\Stored Procedures\CipherDetails_ReadById.sql" />
|
||||
</ItemGroup>
|
||||
</Project>
|
@ -11,13 +11,15 @@ SELECT
|
||||
C.[CreationDate],
|
||||
C.[RevisionDate],
|
||||
CASE WHEN
|
||||
C.[Favorites] IS NULL
|
||||
@UserId IS NULL
|
||||
OR C.[Favorites] IS NULL
|
||||
OR JSON_VALUE(C.[Favorites], CONCAT('$."', @UserId, '"')) IS NULL
|
||||
THEN 0
|
||||
ELSE 1
|
||||
END [Favorite],
|
||||
CASE WHEN
|
||||
C.[Folders] IS NULL
|
||||
@UserId IS NULL
|
||||
OR C.[Folders] IS NULL
|
||||
THEN NULL
|
||||
ELSE TRY_CONVERT(UNIQUEIDENTIFIER, JSON_VALUE(C.[Folders], CONCAT('$."', @UserId, '"')))
|
||||
END [FolderId]
|
||||
|
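--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/CipherDetails_ReadById.sql
@@ -0,0 +1,20 @@
+CREATE PROCEDURE [dbo].[CipherDetails_ReadById]
+@Id UNIQUEIDENTIFIER
+AS
+BEGIN
+SET NOCOUNT ON
+
+SELECT
+C.*,
+1 [Edit],
+CASE
+WHEN O.[UseTotp] = 1 THEN 1
+ELSE 0
+END [OrganizationUseTotp]
+FROM
+[dbo].[CipherDetails](NULL) C
+LEFT JOIN
+[dbo].[Organization] O ON O.[Id] = C.[OrganizationId]
+WHERE
+C.[Id] = @Id
+END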
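Review bot: `CipherDetails_ReadById` returns `C.*` for any cipher id with `[Edit]` hard-coded to 1 and no user or organization predicate, so the procedure grants nothing by itself and must only be reached from a path that has already authorized the caller; a header comment saying so would stop it being reused from a user-scoped endpoint, e.g. `-- No access filtering: intended for organization-admin paths only. The caller must verify OrganizationId and admin membership before returning the row.` The sibling `CipherDetails_ReadByIdUserId` hunk in this commit computes `[OrganizationUseTotp]` as `C.[UserId] IS NULL AND O.[UseTotp] = 1`, while this procedure omits the `C.[UserId] IS NULL` guard; if a personal cipher can ever carry an OrganizationId the two procedures disagree, so either align the CASE or document why the guard is unnecessary here. `[dbo].[CipherDetails](NULL)` depends on the `@UserId IS NULL` handling added to the function in the same commit, which is worth noting in the header so the two are not separated.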
|
@ -9,7 +9,11 @@ BEGIN
|
||||
CASE
|
||||
WHEN C.[UserId] IS NOT NULL OR OU.[AccessAll] = 1 OR CU.[ReadOnly] = 0 OR G.[AccessAll] = 1 OR CG.[ReadOnly] = 0 THEN 1
|
||||
ELSE 0
|
||||
END [Edit]
|
||||
END [Edit],
|
||||
CASE
|
||||
WHEN C.[UserId] IS NULL AND O.[UseTotp] = 1 THEN 1
|
||||
ELSE 0
|
||||
END [OrganizationUseTotp]
|
||||
FROM
|
||||
[dbo].[CipherDetails](@UserId) C
|
||||
INNER JOIN
|
||||
|
@ -14,7 +14,7 @@ BEGIN
|
||||
ELSE 0
|
||||
END [Edit]
|
||||
FROM
|
||||
[dbo].[CipherDetails](@UserId) C
|
||||
[dbo].[Cipher] C
|
||||
LEFT JOIN
|
||||
[dbo].[Organization] O ON C.[UserId] IS NULL AND O.[Id] = C.[OrganizationId]
|
||||
LEFT JOIN
|
||||
|