Admins are not limited by collection controls

2024-11-26 12:55:17 +01:00 · 2017-09-06 13:01:22 -04:00 · 2017-09-06 13:01:22 -04:00 · b06aae7cfd
commit b06aae7cfd
parent 06bdda5717
8 changed files with 48 additions and 8 deletions
--- a/src/Api/Controllers/LoginsController.cs
+++ b/src/Api/Controllers/LoginsController.cs
@ -54,8 +54,7 @@ namespace Bit.Api.Controllers
        [HttpGet("{id}/admin")]
        public async Task<LoginResponseModel> GetAdmin(string id)
        {
-            var userId = _userService.GetProperUserId(User).Value;
-            var login = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
+            var login = await _cipherRepository.GetDetailsByIdAsync(new Guid(id));
            if(login == null || !login.OrganizationId.HasValue ||
                !_currentContext.OrganizationAdmin(login.OrganizationId.Value))
            {
@ -131,7 +130,7 @@ namespace Bit.Api.Controllers
        public async Task<LoginResponseModel> PutAdmin(string id, [FromBody]LoginRequestModel model)
        {
            var userId = _userService.GetProperUserId(User).Value;
-            var login = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
+            var login = await _cipherRepository.GetDetailsByIdAsync(new Guid(id));
            if(login == null || !login.OrganizationId.HasValue ||
                !_currentContext.OrganizationAdmin(login.OrganizationId.Value))
            {
--- a/src/Core/Repositories/ICipherRepository.cs
+++ b/src/Core/Repositories/ICipherRepository.cs
@ -10,6 +10,7 @@ namespace Bit.Core.Repositories
    public interface ICipherRepository : IRepository<Cipher, Guid>
    {
        Task<CipherDetails> GetByIdAsync(Guid id, Guid userId);
+        Task<CipherDetails> GetDetailsByIdAsync(Guid id);
        Task<bool> GetCanEditByIdAsync(Guid userId, Guid cipherId);
        Task<ICollection<CipherDetails>> GetManyByUserIdAsync(Guid userId);
        Task<ICollection<CipherDetails>> GetManyByUserIdHasCollectionsAsync(Guid userId);
--- a/src/Core/Repositories/SqlServer/CipherRepository.cs
+++ b/src/Core/Repositories/SqlServer/CipherRepository.cs
@ -36,6 +36,19 @@ namespace Bit.Core.Repositories.SqlServer
            }
        }

+        public async Task<CipherDetails> GetDetailsByIdAsync(Guid id)
+        {
+            using(var connection = new SqlConnection(ConnectionString))
+            {
+                var results = await connection.QueryAsync<CipherDetails>(
+                    $"[{Schema}].[CipherDetails_ReadById]",
+                    new { Id = id },
+                    commandType: CommandType.StoredProcedure);
+
+                return results.FirstOrDefault();
+            }
+        }
+
        public async Task<bool> GetCanEditByIdAsync(Guid userId, Guid cipherId)
        {
            using(var connection = new SqlConnection(ConnectionString))
@ -401,7 +414,7 @@ namespace Bit.Core.Repositories.SqlServer
            }
        }

-        public async Task CreateAsync(IEnumerable<Cipher> ciphers, IEnumerable<Collection> collections, 
+        public async Task CreateAsync(IEnumerable<Cipher> ciphers, IEnumerable<Collection> collections,
            IEnumerable<CollectionCipher> collectionCiphers)
        {
            if(!ciphers.Any())
--- a/src/Sql/Sql.sqlproj
+++ b/src/Sql/Sql.sqlproj
@ -212,5 +212,6 @@
    <Build Include="dbo\Views\InstallationView.sql" />
    <Build Include="dbo\Stored Procedures\Organization_ReadByEnabled.sql" />
    <Build Include="dbo\Stored Procedures\User_ReadByPremium.sql" />
+    <Build Include="dbo\Stored Procedures\CipherDetails_ReadById.sql" />
  </ItemGroup>
 </Project>
--- a/src/Sql/dbo/Functions/CipherDetails.sql
+++ b/src/Sql/dbo/Functions/CipherDetails.sql
@ -11,13 +11,15 @@ SELECT
    C.[CreationDate],
    C.[RevisionDate],
    CASE WHEN
-        C.[Favorites] IS NULL
+        @UserId IS NULL
+        OR C.[Favorites] IS NULL
        OR JSON_VALUE(C.[Favorites], CONCAT('$."', @UserId, '"')) IS NULL
    THEN 0
    ELSE 1
    END [Favorite],
    CASE WHEN
-        C.[Folders] IS NULL
+        @UserId IS NULL
+        OR C.[Folders] IS NULL
    THEN NULL
    ELSE TRY_CONVERT(UNIQUEIDENTIFIER, JSON_VALUE(C.[Folders], CONCAT('$."', @UserId, '"')))
    END [FolderId]
--- a/Procedures/CipherDetails_ReadById.sql
+++ b/Procedures/CipherDetails_ReadById.sql
@ -0,0 +1,20 @@
+CREATE PROCEDURE [dbo].[CipherDetails_ReadById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        C.*,
+        1 [Edit],
+        CASE 
+            WHEN O.[UseTotp] = 1 THEN 1
+            ELSE 0
+        END [OrganizationUseTotp]
+    FROM
+        [dbo].[CipherDetails](NULL) C
+    LEFT JOIN
+        [dbo].[Organization] O ON O.[Id] = C.[OrganizationId]
+    WHERE
+        C.[Id] = @Id
+END
--- a/Procedures/CipherDetails_ReadByUserIdHasCollection.sql
+++ b/Procedures/CipherDetails_ReadByUserIdHasCollection.sql
@ -9,7 +9,11 @@ BEGIN
        CASE 
            WHEN C.[UserId] IS NOT NULL OR OU.[AccessAll] = 1 OR CU.[ReadOnly] = 0 OR G.[AccessAll] = 1 OR CG.[ReadOnly] = 0 THEN 1
            ELSE 0
-        END [Edit]
+        END [Edit],
+        CASE 
+            WHEN C.[UserId] IS NULL AND O.[UseTotp] = 1 THEN 1
+            ELSE 0
+        END [OrganizationUseTotp]
    FROM
        [dbo].[CipherDetails](@UserId) C
    INNER JOIN
--- a/Procedures/Cipher_ReadCanEditByIdUserId.sql
+++ b/Procedures/Cipher_ReadCanEditByIdUserId.sql
@ -14,7 +14,7 @@ BEGIN
                ELSE 0
            END [Edit]
        FROM
-            [dbo].[CipherDetails](@UserId) C
+            [dbo].[Cipher] C
        LEFT JOIN
            [dbo].[Organization] O ON C.[UserId] IS NULL AND O.[Id] = C.[OrganizationId]
        LEFT JOIN