diff --git a/src/Api/Controllers/SubvaultsController.cs b/src/Api/Controllers/SubvaultsController.cs
index c1dc9e2f07..4d8b60986b 100644
--- a/src/Api/Controllers/SubvaultsController.cs
+++ b/src/Api/Controllers/SubvaultsController.cs
@@ -7,6 +7,7 @@ using Microsoft.AspNetCore.Authorization;
 using Bit.Core.Models.Api;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
+using Bit.Core;
 
 namespace Bit.Api.Controllers
 {
@@ -16,21 +17,23 @@ namespace Bit.Api.Controllers
 {
 private readonly ISubvaultRepository _subvaultRepository;
 private readonly IUserService _userService;
+ private readonly CurrentContext _currentContext;
 
 public SubvaultsController(
 ISubvaultRepository subvaultRepository,
- IUserService userService)
+ IUserService userService,
+ CurrentContext currentContext)
 {
 _subvaultRepository = subvaultRepository;
 _userService = userService;
+ _currentContext = currentContext;
 }
 
 [HttpGet("{id}")]
 public async Task Get(string orgId, string id)
 {
- var userId = _userService.GetProperUserId(User).Value;
- var subvault = await _subvaultRepository.GetByIdAdminUserIdAsync(new Guid(id), userId);
- if(subvault == null)
+ var subvault = await _subvaultRepository.GetByIdAsync(new Guid(id));
+ if(subvault == null || !_currentContext.OrganizationAdmin(subvault.OrganizationId))
 {
 throw new NotFoundException();
 }
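Review bot: The admin check in Get(string orgId, string id) now rests entirely on `_currentContext.OrganizationAdmin(subvault.OrganizationId)`, whose definition is outside this diff, whereas the removed `Subvault_ReadByIdAdminUserId` procedure required both `OU.[Status] = 2` (confirmed) and `OU.[Type] <= 1` (owner/admin); if `OrganizationAdmin` does not also require confirmed membership, an invited-but-unconfirmed admin would gain access the database previously denied, so that equivalence is worth confirming before merge. Separately, the route's `orgId` is never compared with the loaded subvault, so a subvault is reachable under any organization path as long as the caller administers the subvault's own organization; extending the guard to `if(subvault == null || subvault.OrganizationId != new Guid(orgId) || !_currentContext.OrganizationAdmin(subvault.OrganizationId))` keeps the URL and the resource consistent. Both points apply equally to Put and Delete in the later hunks of this file. Get's body continues past the end of the hunk.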
@@ -38,19 +41,24 @@ namespace Bit.Api.Controllers
 return new SubvaultResponseModel(subvault);
 }
 
- [HttpGet("~/subvaults")]
- public async Task> Get()
+ [HttpGet("")]
+ public async Task> Get(string orgId)
 {
- var subvaults = await _subvaultRepository.GetManyByUserIdAsync(_userService.GetProperUserId(User).Value);
+ var orgIdGuid = new Guid(orgId);
+ if(!_currentContext.OrganizationAdmin(orgIdGuid))
+ {
+ throw new NotFoundException();
+ }
+
+ var subvaults = await _subvaultRepository.GetManyByOrganizationIdAsync(orgIdGuid);
 var responses = subvaults.Select(s => new SubvaultResponseModel(s));
 return new ListResponseModel(responses);
 }
 
- [HttpGet("")]
- public async Task> GetByOrganization(string orgId)
+ [HttpGet("~/subvaults")]
+ public async Task> GetUser()
 {
- var subvaults = await _subvaultRepository.GetManyByOrganizationIdAdminUserIdAsync(new Guid(orgId),
- _userService.GetProperUserId(User).Value);
+ var subvaults = await _subvaultRepository.GetManyByUserIdAsync(_userService.GetProperUserId(User).Value);
 var responses = subvaults.Select(s => new SubvaultResponseModel(s));
 return new ListResponseModel(responses);
 }
@@ -58,8 +66,13 @@ namespace Bit.Api.Controllers
 [HttpPost("")]
 public async Task Post(string orgId, [FromBody]SubvaultRequestModel model)
 {
- // TODO: permission check
- var subvault = model.ToSubvault(new Guid(orgId));
+ var orgIdGuid = new Guid(orgId);
+ if(!_currentContext.OrganizationAdmin(orgIdGuid))
+ {
+ throw new NotFoundException();
+ }
+
+ var subvault = model.ToSubvault(orgIdGuid);
 await _subvaultRepository.CreateAsync(subvault);
 return new SubvaultResponseModel(subvault);
 }
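Review bot: `var orgIdGuid = new Guid(orgId);` in the new Get(string orgId) throws FormatException on a malformed route segment, which surfaces as an unhandled error rather than the NotFoundException the guard on the next line intends; `if(!Guid.TryParse(orgId, out var orgIdGuid) || !_currentContext.OrganizationAdmin(orgIdGuid))` folds both cases into the same not-found response. The same parse-then-check pair is repeated verbatim in Post in the second hunk, and the id-based variant appears in Get, Put and Delete, so the authorization rule now lives in five places; a small private helper that returns the validated Guid or throws keeps it in one. The enclosing class continues outside the hunk.
```csharp
// Shared by Get(string orgId) and Post: parse the route id and require org admin in one step,
// so a malformed id and an unauthorized caller produce the same not-found response.
private Guid RequireOrganizationAdmin(string orgId)
{
    if(!Guid.TryParse(orgId, out var orgIdGuid) || !_currentContext.OrganizationAdmin(orgIdGuid))
    {
        throw new NotFoundException();
    }

    return orgIdGuid;
}

// … unchanged: Get(string orgId) body, with the inline parse-and-check replaced by …
var orgIdGuid = RequireOrganizationAdmin(orgId);
```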
@@ -68,9 +81,8 @@ namespace Bit.Api.Controllers
 [HttpPost("{id}")]
 public async Task Put(string orgId, string id, [FromBody]SubvaultRequestModel model)
 {
- var subvault = await _subvaultRepository.GetByIdAdminUserIdAsync(new Guid(id),
- _userService.GetProperUserId(User).Value);
- if(subvault == null)
+ var subvault = await _subvaultRepository.GetByIdAsync(new Guid(id));
+ if(subvault == null || !_currentContext.OrganizationAdmin(subvault.OrganizationId))
 {
 throw new NotFoundException();
 }
@@ -83,9 +95,8 @@ namespace Bit.Api.Controllers
 [HttpPost("{id}/delete")]
 public async Task Delete(string orgId, string id)
 {
- var subvault = await _subvaultRepository.GetByIdAdminUserIdAsync(new Guid(id),
- _userService.GetProperUserId(User).Value);
- if(subvault == null)
+ var subvault = await _subvaultRepository.GetByIdAsync(new Guid(id));
+ if(subvault == null || !_currentContext.OrganizationAdmin(subvault.OrganizationId))
 {
 throw new NotFoundException();
 }
diff --git a/src/Core/Repositories/ISubvaultRepository.cs b/src/Core/Repositories/ISubvaultRepository.cs
index 1b1232a691..b74d9222e9 100644
--- a/src/Core/Repositories/ISubvaultRepository.cs
+++ b/src/Core/Repositories/ISubvaultRepository.cs
@@ -7,8 +7,6 @@ namespace Bit.Core.Repositories
 {
 public interface ISubvaultRepository : IRepository
 {
- Task GetByIdAdminUserIdAsync(Guid id, Guid userId);
- Task> GetManyByOrganizationIdAdminUserIdAsync(Guid organizationId, Guid userId);
 Task> GetManyByOrganizationIdAsync(Guid organizationId);
 Task> GetManyByUserIdAsync(Guid userId);
diff --git a/src/Core/Repositories/SqlServer/SubvaultRepository.cs b/src/Core/Repositories/SqlServer/SubvaultRepository.cs
index 95b06c2ee3..b89ac86f7b 100644
--- a/src/Core/Repositories/SqlServer/SubvaultRepository.cs
+++ b/src/Core/Repositories/SqlServer/SubvaultRepository.cs
@@ -19,32 +19,6 @@ namespace Bit.Core.Repositories.SqlServer
 : base(connectionString)
 { }
 
- public async Task GetByIdAdminUserIdAsync(Guid id, Guid userId)
- {
- using(var connection = new SqlConnection(ConnectionString))
- {
- var results = await connection.QueryAsync(
- $"[{Schema}].[{Table}_ReadByIdAdminUserId]",
- new { Id = id, UserId = userId },
- commandType: CommandType.StoredProcedure);
-
- return results.FirstOrDefault();
- }
- }
-
- public async Task> GetManyByOrganizationIdAdminUserIdAsync(Guid organizationId, Guid userId)
- {
- using(var connection = new SqlConnection(ConnectionString))
- {
- var results = await connection.QueryAsync(
- $"[{Schema}].[{Table}_ReadByOrganizationIdAdminUserId]",
- new { OrganizationId = organizationId, UserId = userId },
- commandType: CommandType.StoredProcedure);
-
- return results.ToList();
- }
- }
-
 public async Task> GetManyByOrganizationIdAsync(Guid organizationId)
 {
 using(var connection = new SqlConnection(ConnectionString))
diff --git a/src/Sql/Sql.sqlproj b/src/Sql/Sql.sqlproj
index eeea3951de..8ead6e47cf 100644
--- a/src/Sql/Sql.sqlproj
+++ b/src/Sql/Sql.sqlproj
@@ -165,7 +165,6 @@
-
@@ -178,7 +177,6 @@
-
diff --git a/src/Sql/dbo/Stored Procedures/Subvault_ReadByIdAdminUserId.sql b/src/Sql/dbo/Stored Procedures/Subvault_ReadByIdAdminUserId.sql
deleted file mode 100644
index ecdb7af403..0000000000
--- a/src/Sql/dbo/Stored Procedures/Subvault_ReadByIdAdminUserId.sql
+++ /dev/null
@@ -1,19 +0,0 @@
-CREATE PROCEDURE [dbo].[Subvault_ReadByIdAdminUserId]
- @Id UNIQUEIDENTIFIER,
- @UserId UNIQUEIDENTIFIER
-AS
-BEGIN
- SET NOCOUNT ON
-
- SELECT
- S.*
- FROM
- [dbo].[SubvaultView] S
- INNER JOIN
- [OrganizationUser] OU ON OU.[OrganizationId] = S.[OrganizationId]
- WHERE
- S.[Id] = @Id
- AND OU.[UserId] = @UserId
- AND OU.[Status] = 2 -- Confirmed
- AND OU.[Type] <= 1 -- Owner and admin
-END
\ No newline at end of file
diff --git a/src/Sql/dbo/Stored Procedures/Subvault_ReadByOrganizationIdAdminUserId.sql b/src/Sql/dbo/Stored Procedures/Subvault_ReadByOrganizationIdAdminUserId.sql
deleted file mode 100644
index 17662dd872..0000000000
--- a/src/Sql/dbo/Stored Procedures/Subvault_ReadByOrganizationIdAdminUserId.sql
+++ /dev/null
@@ -1,19 +0,0 @@
-CREATE PROCEDURE [dbo].[Subvault_ReadByOrganizationIdAdminUserId]
- @OrganizationId UNIQUEIDENTIFIER,
- @UserId UNIQUEIDENTIFIER
-AS
-BEGIN
- SET NOCOUNT ON
-
- SELECT
- S.*
- FROM
- [dbo].[SubvaultView] S
- INNER JOIN
- [OrganizationUser] OU ON OU.[OrganizationId] = S.[OrganizationId]
- WHERE
- S.[OrganizationId] = @OrganizationId
- AND OU.[UserId] = @UserId
- AND OU.[Status] = 2 -- Confirmed
- AND OU.[Type] <= 1 -- Owner and admin
-END
\ No newline at end of file