
Admins are not limited by collection controls

This commit is contained in:
Kyle Spearrin 2017-09-06 13:01:22 -04:00
parent 06bdda5717
commit b06aae7cfd
8 changed files with 48 additions and 8 deletions


@ -54,8 +54,7 @@ namespace Bit.Api.Controllers
[HttpGet("{id}/admin")]
public async Task<LoginResponseModel> GetAdmin(string id)
{
var userId = _userService.GetProperUserId(User).Value;
var login = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
var login = await _cipherRepository.GetDetailsByIdAsync(new Guid(id));
if(login == null || !login.OrganizationId.HasValue ||
!_currentContext.OrganizationAdmin(login.OrganizationId.Value))
{
@ -131,7 +130,7 @@ namespace Bit.Api.Controllers
public async Task<LoginResponseModel> PutAdmin(string id, [FromBody]LoginRequestModel model)
{
var userId = _userService.GetProperUserId(User).Value;
var login = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
var login = await _cipherRepository.GetDetailsByIdAsync(new Guid(id));
if(login == null || !login.OrganizationId.HasValue ||
!_currentContext.OrganizationAdmin(login.OrganizationId.Value))
{
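Review bot: Both admin endpoints now read the cipher through the unscoped `GetDetailsByIdAsync`, so the `_currentContext.OrganizationAdmin(login.OrganizationId.Value)` test that follows each new lookup is the only authorization gate left on these rows; it looks correct as written, since a personal cipher (no `OrganizationId`) and a cipher belonging to an organization the caller does not administer both fall into the same rejection branch, but that should be stated so nobody later relaxes the condition, e.g. `// Unscoped lookup: admin status for the cipher's organization is the sole access check here.` While these lines are being touched, `new Guid(id)` throws `FormatException` on a malformed route id and surfaces as a 500; `Guid.TryParse(id, out var cipherId)` feeding the same not-found path would be cleaner. In `PutAdmin` the `userId` local is still computed after the change; whether it is used further down is outside the hunk, as are the remainders of both method bodies.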


@ -10,6 +10,7 @@ namespace Bit.Core.Repositories
public interface ICipherRepository : IRepository<Cipher, Guid>
{
Task<CipherDetails> GetByIdAsync(Guid id, Guid userId);
Task<CipherDetails> GetDetailsByIdAsync(Guid id);
Task<bool> GetCanEditByIdAsync(Guid userId, Guid cipherId);
Task<ICollection<CipherDetails>> GetManyByUserIdAsync(Guid userId);
Task<ICollection<CipherDetails>> GetManyByUserIdHasCollectionsAsync(Guid userId);
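Review bot: The new `GetDetailsByIdAsync(Guid id)` carries no `userId` and so, unlike the `GetByIdAsync(Guid id, Guid userId)` declared directly above it, applies no user or collection access filter; the interface should say so, because the two names are easy to confuse and the unscoped one must only be reached after an authorization check. Suggested XML doc on the new line: `/// <summary>Reads a cipher by id with no user/collection access filtering; the caller is responsible for authorization.</summary>`. Both methods return the same `CipherDetails` type, so nothing in the signature itself distinguishes scoped from unscoped. The interface continues outside the hunk.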


@ -36,6 +36,19 @@ namespace Bit.Core.Repositories.SqlServer
}
}
public async Task<CipherDetails> GetDetailsByIdAsync(Guid id)
{
using(var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<CipherDetails>(
$"[{Schema}].[CipherDetails_ReadById]",
new { Id = id },
commandType: CommandType.StoredProcedure);
return results.FirstOrDefault();
}
}
public async Task<bool> GetCanEditByIdAsync(Guid userId, Guid cipherId)
{
using(var connection = new SqlConnection(ConnectionString))
@ -401,7 +414,7 @@ namespace Bit.Core.Repositories.SqlServer
}
}
public async Task CreateAsync(IEnumerable<Cipher> ciphers, IEnumerable<Collection> collections,
public async Task CreateAsync(IEnumerable<Cipher> ciphers, IEnumerable<Collection> collections,
IEnumerable<CollectionCipher> collectionCiphers)
{
if(!ciphers.Any())
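Review bot: `GetDetailsByIdAsync` in the first hunk calls `CipherDetails_ReadById` with only `Id`, and that procedure (added in this commit) returns `Edit` as a constant 1 and applies no user or collection filter, so the method hands back an editable-looking row for any cipher id it is given; a comment on the method should state that, e.g. `// Unscoped read for organization-admin paths: no access filter is applied and Edit is always 1. Callers must authorize.` As a minor style point, `QueryAsync` followed by `FirstOrDefault()` could be `QueryFirstOrDefaultAsync<CipherDetails>` if the rest of this repository class uses it, though matching the existing lookup pattern is acceptable. The second hunk only reformats the `CreateAsync` signature.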


@ -212,5 +212,6 @@
<Build Include="dbo\Views\InstallationView.sql" />
<Build Include="dbo\Stored Procedures\Organization_ReadByEnabled.sql" />
<Build Include="dbo\Stored Procedures\User_ReadByPremium.sql" />
<Build Include="dbo\Stored Procedures\CipherDetails_ReadById.sql" />
</ItemGroup>
</Project>


@ -11,13 +11,15 @@ SELECT
C.[CreationDate],
C.[RevisionDate],
CASE WHEN
C.[Favorites] IS NULL
@UserId IS NULL
OR C.[Favorites] IS NULL
OR JSON_VALUE(C.[Favorites], CONCAT('$."', @UserId, '"')) IS NULL
THEN 0
ELSE 1
END [Favorite],
CASE WHEN
C.[Folders] IS NULL
@UserId IS NULL
OR C.[Folders] IS NULL
THEN NULL
ELSE TRY_CONVERT(UNIQUEIDENTIFIER, JSON_VALUE(C.[Folders], CONCAT('$."', @UserId, '"')))
END [FolderId]
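Review bot: The two `@UserId IS NULL` guards make the per-user columns default (`Favorite` 0, `FolderId` NULL) when the function is called with NULL, but the header that declares `@UserId` is outside the hunk and nothing here records that NULL is now a supported value meaning "no per-user view"; a comment at the header such as `-- @UserId may be NULL (organization-admin reads): Favorite/FolderId then fall back to 0/NULL instead of being read from the per-user JSON.` would make the contract visible. Short-circuiting before `JSON_VALUE` is sensible, since `CONCAT` treats NULL as an empty string and would otherwise build a path with an empty key. The enclosing function starts and ends outside the hunk.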


@ -0,0 +1,20 @@
CREATE PROCEDURE [dbo].[CipherDetails_ReadById]
@Id UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
C.*,
1 [Edit],
CASE
WHEN O.[UseTotp] = 1 THEN 1
ELSE 0
END [OrganizationUseTotp]
FROM
[dbo].[CipherDetails](NULL) C
LEFT JOIN
[dbo].[Organization] O ON O.[Id] = C.[OrganizationId]
WHERE
C.[Id] = @Id
END
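Review bot: `CipherDetails_ReadById` returns `1 [Edit]` unconditionally and applies no user, collection or organization-membership filter, so any code path that reaches it gets an editable view of any cipher; that is intended for the admin controller paths in this commit, but nothing in the procedure says so, and its name sits next to the scoped `CipherDetails_ReadByIdUserId`. A header comment above `SELECT` would pin the contract: `-- Unscoped read for organization-admin use only: no access filter, [Edit] is always 1. The caller must verify OrganizationAdmin(OrganizationId) before returning the row.` `C.*` also means any column later added to the `CipherDetails` function silently flows into the admin response, so listing the columns explicitly would be safer. The `LEFT JOIN` yields `OrganizationUseTotp` = 0 for a cipher with no matching organization row because `O.[UseTotp]` is NULL there, which is presumably how a personal cipher ends up at 0 in this variant.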


@ -9,7 +9,11 @@ BEGIN
CASE
WHEN C.[UserId] IS NOT NULL OR OU.[AccessAll] = 1 OR CU.[ReadOnly] = 0 OR G.[AccessAll] = 1 OR CG.[ReadOnly] = 0 THEN 1
ELSE 0
END [Edit]
END [Edit],
CASE
WHEN C.[UserId] IS NULL AND O.[UseTotp] = 1 THEN 1
ELSE 0
END [OrganizationUseTotp]
FROM
[dbo].[CipherDetails](@UserId) C
INNER JOIN
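Review bot: The new `OrganizationUseTotp` column is computed as `C.[UserId] IS NULL AND O.[UseTotp] = 1`, whereas the admin procedure added in the same commit (`CipherDetails_ReadById`) uses only `O.[UseTotp] = 1` with a LEFT JOIN on `OrganizationId`; the two should agree provided a cipher never carries both `UserId` and `OrganizationId`, but writing the expression the same way in both places would keep a future change from being applied to only one of them. A short comment would also help readers, e.g. `-- TOTP is an organization feature; personal ciphers (UserId set) never report it.` The alias `O` is bound by a join that follows the trailing `INNER JOIN` past the end of the hunk, and the procedure header and the rest of the FROM clause are outside the hunk as well.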


@ -14,7 +14,7 @@ BEGIN
ELSE 0
END [Edit]
FROM
[dbo].[CipherDetails](@UserId) C
[dbo].[Cipher] C
LEFT JOIN
[dbo].[Organization] O ON C.[UserId] IS NULL AND O.[Id] = C.[OrganizationId]
LEFT JOIN