user checks on read procs

2025-02-22 02:51:33 +01:00 · 2017-03-21 21:13:20 -04:00 · 2017-03-21 21:13:20 -04:00 · d266da1084
commit d266da1084
parent ed8d5d69a4
8 changed files with 50 additions and 20 deletions
--- a/src/Api/Controllers/CiphersController.cs
+++ b/src/Api/Controllers/CiphersController.cs
@ -90,10 +90,10 @@ namespace Bit.Api.Controllers

        [HttpPut("{id}/move")]
        [HttpPost("{id}/move")]
-        public async Task PostMoveSubvault(string id, [FromBody]CipherMoveRequestModel model)
+        public async Task PostMove(string id, [FromBody]CipherMoveRequestModel model)
        {
            var userId = _userService.GetProperUserId(User).Value;
-            var cipher = await _cipherRepository.GetByIdAsync(new Guid(id));
+            var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
            if(cipher == null)
            {
                throw new NotFoundException();
@ -107,7 +107,8 @@ namespace Bit.Api.Controllers
        [HttpPost("{id}/delete")]
        public async Task Delete(string id)
        {
-            var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), _userService.GetProperUserId(User).Value);
+            var userId = _userService.GetProperUserId(User).Value;
+            var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
            if(cipher == null)
            {
                throw new NotFoundException();
--- a/src/Core/Repositories/SqlServer/CipherRepository.cs
+++ b/src/Core/Repositories/SqlServer/CipherRepository.cs
@ -28,11 +28,11 @@ namespace Bit.Core.Repositories.SqlServer
            using(var connection = new SqlConnection(ConnectionString))
            {
                var results = await connection.QueryAsync<CipherDetails>(
-                    $"[{Schema}].[CipherDetails_ReadById]",
-                    new { Id = id },
+                    $"[{Schema}].[CipherDetails_ReadByIdUserId]",
+                    new { Id = id, UserId = userId },
                    commandType: CommandType.StoredProcedure);

-                return results.FirstOrDefault(c => c.UserId == userId);
+                return results.FirstOrDefault();
            }
        }

--- a/src/Core/Services/Implementations/CipherService.cs
+++ b/src/Core/Services/Implementations/CipherService.cs
@ -103,12 +103,6 @@ namespace Bit.Core.Services
                throw new BadRequestException(nameof(cipher.OrganizationId));
            }

-            var existingCipher = await _cipherRepository.GetByIdAsync(cipher.Id);
-            if(existingCipher == null || (existingCipher.UserId.HasValue && existingCipher.UserId != userId))
-            {
-                throw new NotFoundException();
-            }
-
            var subvaultUserDetails = await _subvaultUserRepository.GetPermissionsByUserIdAsync(userId, subvaultIds,
                cipher.OrganizationId.Value);

@ -117,7 +111,7 @@ namespace Bit.Core.Services
            await _cipherRepository.ReplaceAsync(cipher, subvaultUserDetails.Where(s => s.Admin).Select(s => s.SubvaultId));

            // push
-            await _pushService.PushSyncCipherUpdateAsync(cipher);
+            //await _pushService.PushSyncCipherUpdateAsync(cipher);
        }

        public async Task ImportCiphersAsync(
--- a/src/Sql/Sql.sqlproj
+++ b/src/Sql/Sql.sqlproj
@ -172,5 +172,6 @@
    <Build Include="dbo\Stored Procedures\SubvaultUser_ReadPermissionsBySubvaultUserId.sql" />
    <Build Include="dbo\UserDefinedTypes\GuidIdArray.sql" />
    <Build Include="dbo\Stored Procedures\Cipher_UpdateWithSubvaults.sql" />
+    <Build Include="dbo\Stored Procedures\CipherDetails_ReadByIdUserId.sql" />
  </ItemGroup>
 </Project>
--- a/Procedures/CipherDetails_ReadByIdUserId.sql
+++ b/Procedures/CipherDetails_ReadByIdUserId.sql
@ -0,0 +1,24 @@
+CREATE PROCEDURE [dbo].[CipherDetails_ReadByIdUserId]
+    @Id UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT DISTINCT
+        C.*
+    FROM
+        [dbo].[CipherDetailsView] C
+    LEFT JOIN
+        [dbo].[SubvaultCipher] SC ON SC.[CipherId] = C.[Id]
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
+    LEFT JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
+    WHERE
+        C.Id = @Id
+        AND (
+            (C.[UserId] IS NOT NULL AND C.[UserId] = @UserId)
+            OR (OU.[UserId] = @UserId AND OU.[Status] = 2) -- 2 = Confirmed
+        )
+END
--- a/Procedures/CipherDetails_ReadByTypeUserId.sql
+++ b/Procedures/CipherDetails_ReadByTypeUserId.sql
@ -5,11 +5,20 @@ AS
 BEGIN
    SET NOCOUNT ON

-    SELECT
-        *
+    SELECT DISTINCT
+        C.*
    FROM
-        [dbo].[CipherDetailsView]
+        [dbo].[CipherDetailsView] C
+    LEFT JOIN
+        [dbo].[SubvaultCipher] SC ON SC.[CipherId] = C.[Id]
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
+    LEFT JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
    WHERE
-        [Type] = @Type
-        AND [UserId] = @UserId
+        C.[Type] = @Type
+        AND (
+            (C.[UserId] IS NOT NULL AND C.[UserId] = @UserId)
+            OR (OU.[UserId] = @UserId AND OU.[Status] = 2) -- 2 = Confirmed
+        )
 END
--- a/Procedures/CipherDetails_ReadByUserId.sql
+++ b/Procedures/CipherDetails_ReadByUserId.sql
@ -16,5 +16,5 @@ BEGIN
        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
    WHERE
        (C.[UserId] IS NOT NULL AND C.[UserId] = @UserId)
-        OR OU.[UserId] = @UserId
+        OR (OU.[UserId] = @UserId AND OU.[Status] = 2) -- 2 = Confirmed
 END
--- a/Procedures/CipherDetails_ReadByUserIdHasSubvault.sql
+++ b/Procedures/CipherDetails_ReadByUserIdHasSubvault.sql
@ -15,5 +15,6 @@ BEGIN
    INNER JOIN
        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
    WHERE
-        [OU].[UserId] = @UserId
+        OU.[UserId] = @UserId 
+        AND OU.[Status] = 2 -- 2 = Confirmed
 END