Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-02-23 03:01:23 +01:00
Code Issues Projects Releases Wiki Activity

refactor subvault ctrl with org context checks

Browse Source
This commit is contained in:
Kyle Spearrin 2017-04-05 16:40:09 -04:00
parent c4ab901098
commit e414b8d731
6 changed files with 30 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
src/Api/Controllers/SubvaultsController.cs
View File

@ -7,6 +7,7 @@ using Microsoft.AspNetCore.Authorization;
using Bit.Core.Models.Api;
using Bit.Core.Exceptions;
using Bit.Core.Services;
using Bit.Core;
namespace Bit.Api.Controllers
{
@ -16,21 +17,23 @@ namespace Bit.Api.Controllers
{
private readonly ISubvaultRepository _subvaultRepository;
private readonly IUserService _userService;
private readonly CurrentContext _currentContext;
public SubvaultsController(
ISubvaultRepository subvaultRepository,
IUserService userService)
IUserService userService,
CurrentContext currentContext)
{
_subvaultRepository = subvaultRepository;
_userService = userService;
_currentContext = currentContext;
}
[HttpGet("{id}")]
public async Task<SubvaultResponseModel> Get(string orgId, string id)
{
var userId = _userService.GetProperUserId(User).Value;
var subvault = await _subvaultRepository.GetByIdAdminUserIdAsync(new Guid(id), userId);
if(subvault == null)
var subvault = await _subvaultRepository.GetByIdAsync(new Guid(id));
if(subvault == null || !_currentContext.OrganizationAdmin(subvault.OrganizationId))
{
throw new NotFoundException();
}
@ -38,19 +41,24 @@ namespace Bit.Api.Controllers
return new SubvaultResponseModel(subvault);
}
[HttpGet("~/subvaults")]
public async Task<ListResponseModel<SubvaultResponseModel>> Get()
[HttpGet("")]
public async Task<ListResponseModel<SubvaultResponseModel>> Get(string orgId)
{
var subvaults = await _subvaultRepository.GetManyByUserIdAsync(_userService.GetProperUserId(User).Value);
var orgIdGuid = new Guid(orgId);
if(!_currentContext.OrganizationAdmin(orgIdGuid))
{
throw new NotFoundException();
}
var subvaults = await _subvaultRepository.GetManyByOrganizationIdAsync(orgIdGuid);
var responses = subvaults.Select(s => new SubvaultResponseModel(s));
return new ListResponseModel<SubvaultResponseModel>(responses);
}
[HttpGet("")]
public async Task<ListResponseModel<SubvaultResponseModel>> GetByOrganization(string orgId)
[HttpGet("~/subvaults")]
public async Task<ListResponseModel<SubvaultResponseModel>> GetUser()
{
var subvaults = await _subvaultRepository.GetManyByOrganizationIdAdminUserIdAsync(new Guid(orgId),
_userService.GetProperUserId(User).Value);
var subvaults = await _subvaultRepository.GetManyByUserIdAsync(_userService.GetProperUserId(User).Value);
var responses = subvaults.Select(s => new SubvaultResponseModel(s));
return new ListResponseModel<SubvaultResponseModel>(responses);
}
@ -58,8 +66,13 @@ namespace Bit.Api.Controllers
[HttpPost("")]
public async Task<SubvaultResponseModel> Post(string orgId, [FromBody]SubvaultRequestModel model)
{
// TODO: permission check
var subvault = model.ToSubvault(new Guid(orgId));
var orgIdGuid = new Guid(orgId);
if(!_currentContext.OrganizationAdmin(orgIdGuid))
{
throw new NotFoundException();
}
var subvault = model.ToSubvault(orgIdGuid);
await _subvaultRepository.CreateAsync(subvault);
return new SubvaultResponseModel(subvault);
}
@ -68,9 +81,8 @@ namespace Bit.Api.Controllers
[HttpPost("{id}")]
public async Task<SubvaultResponseModel> Put(string orgId, string id, [FromBody]SubvaultRequestModel model)
{
var subvault = await _subvaultRepository.GetByIdAdminUserIdAsync(new Guid(id),
_userService.GetProperUserId(User).Value);
if(subvault == null)
var subvault = await _subvaultRepository.GetByIdAsync(new Guid(id));
if(subvault == null || !_currentContext.OrganizationAdmin(subvault.OrganizationId))
{
throw new NotFoundException();
}
@ -83,9 +95,8 @@ namespace Bit.Api.Controllers
[HttpPost("{id}/delete")]
public async Task Delete(string orgId, string id)
{
var subvault = await _subvaultRepository.GetByIdAdminUserIdAsync(new Guid(id),
_userService.GetProperUserId(User).Value);
if(subvault == null)
var subvault = await _subvaultRepository.GetByIdAsync(new Guid(id));
if(subvault == null || !_currentContext.OrganizationAdmin(subvault.OrganizationId))
{
throw new NotFoundException();
}

2
src/Core/Repositories/ISubvaultRepository.cs
View File

@ -7,8 +7,6 @@ namespace Bit.Core.Repositories
{
public interface ISubvaultRepository : IRepository<Subvault, Guid>
{
Task<Subvault> GetByIdAdminUserIdAsync(Guid id, Guid userId);
Task<ICollection<Subvault>> GetManyByOrganizationIdAdminUserIdAsync(Guid organizationId, Guid userId);
Task<ICollection<Subvault>> GetManyByOrganizationIdAsync(Guid organizationId);
Task<ICollection<Subvault>> GetManyByUserIdAsync(Guid userId);

26
src/Core/Repositories/SqlServer/SubvaultRepository.cs
View File

@ -19,32 +19,6 @@ namespace Bit.Core.Repositories.SqlServer
: base(connectionString)
{ }
public async Task<Subvault> GetByIdAdminUserIdAsync(Guid id, Guid userId)
{
using(var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<Subvault>(
$"[{Schema}].[{Table}_ReadByIdAdminUserId]",
new { Id = id, UserId = userId },
commandType: CommandType.StoredProcedure);
return results.FirstOrDefault();
}
}
public async Task<ICollection<Subvault>> GetManyByOrganizationIdAdminUserIdAsync(Guid organizationId, Guid userId)
{
using(var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<Subvault>(
$"[{Schema}].[{Table}_ReadByOrganizationIdAdminUserId]",
new { OrganizationId = organizationId, UserId = userId },
commandType: CommandType.StoredProcedure);
return results.ToList();
}
}
public async Task<ICollection<Subvault>> GetManyByOrganizationIdAsync(Guid organizationId)
{
using(var connection = new SqlConnection(ConnectionString))

2
src/Sql/Sql.sqlproj
View File

@ -165,7 +165,6 @@
<Build Include="dbo\Stored Procedures\OrganizationUser_ReadByOrganizationIdEmail.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_ReadByOrganizationId.sql" />
<Build Include="dbo\Stored Procedures\Organization_ReadByUserId.sql" />
<Build Include="dbo\Stored Procedures\Subvault_ReadByIdAdminUserId.sql" />
<Build Include="dbo\Stored Procedures\Grant_DeleteByKey.sql" />
<Build Include="dbo\Stored Procedures\SubvaultUserSubvaultDetails_ReadByUserId.sql" />
<Build Include="dbo\Stored Procedures\Grant_DeleteBySubjectIdClientId.sql" />
@ -178,7 +177,6 @@
<Build Include="dbo\Stored Procedures\User_ReadPublicKeyById.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUserUserDetails_ReadById.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUserUserDetails_ReadByOrganizationId.sql" />
<Build Include="dbo\Stored Procedures\Subvault_ReadByOrganizationIdAdminUserId.sql" />
<Build Include="dbo\User Defined Types\GuidIdArray.sql" />
<Build Include="dbo\Stored Procedures\SubvaultCipher_ReadByCipherId.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_ReadByUserId.sql" />

19
src/Sql/dbo/Stored Procedures/Subvault_ReadByIdAdminUserId.sql
View File

@ -1,19 +0,0 @@
CREATE PROCEDURE [dbo].[Subvault_ReadByIdAdminUserId]
@Id UNIQUEIDENTIFIER,
@UserId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
S.*
FROM
[dbo].[SubvaultView] S
INNER JOIN
[OrganizationUser] OU ON OU.[OrganizationId] = S.[OrganizationId]
WHERE
S.[Id] = @Id
AND OU.[UserId] = @UserId
AND OU.[Status] = 2 -- Confirmed
AND OU.[Type] <= 1 -- Owner and admin
END

19
src/Sql/dbo/Stored Procedures/Subvault_ReadByOrganizationIdAdminUserId.sql
View File

@ -1,19 +0,0 @@
CREATE PROCEDURE [dbo].[Subvault_ReadByOrganizationIdAdminUserId]
@OrganizationId UNIQUEIDENTIFIER,
@UserId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
S.*
FROM
[dbo].[SubvaultView] S
INNER JOIN
[OrganizationUser] OU ON OU.[OrganizationId] = S.[OrganizationId]
WHERE
S.[OrganizationId] = @OrganizationId
AND OU.[UserId] = @UserId
AND OU.[Status] = 2 -- Confirmed
AND OU.[Type] <= 1 -- Owner and admin
END