mirror of https://github.com/bitwarden/server.git synced 2024-12-24 17:17:40 +01:00

[EC-160] Give Provider Users access to all org ciphers and collections (#1959)

Thomas Rittson 2022-04-20 17:59:00 +10:00 committed by GitHub
parent e3b0196611
commit ec9dd8e16b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 4 deletions


@ -224,8 +224,19 @@ namespace Bit.Api.Controllers
throw new NotFoundException(); throw new NotFoundException();
} }
var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, true); IEnumerable<Cipher> orgCiphers;
var orgCiphers = ciphers.Where(c => c.OrganizationId == orgIdGuid); if (await _currentContext.OrganizationOwner(orgIdGuid))
{
// User may be a Provider for the organization, in which case GetManyByUserIdAsync won't return any results
// But they have access to all organization ciphers, so we can safely get by orgId instead
orgCiphers = await _cipherRepository.GetManyByOrganizationIdAsync(orgIdGuid);
}
else
{
var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, true);
orgCiphers = ciphers.Where(c => c.OrganizationId == orgIdGuid);
}
var orgCipherIds = orgCiphers.Select(c => c.Id); var orgCipherIds = orgCiphers.Select(c => c.Id);
var collectionCiphers = await _collectionCipherRepository.GetManyByOrganizationIdAsync(orgIdGuid); var collectionCiphers = await _collectionCipherRepository.GetManyByOrganizationIdAsync(orgIdGuid);
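Review bot: The comment on the new `if` branch says the by-organization fetch is safe for Provider users, but the condition actually tested is `_currentContext.OrganizationOwner(orgIdGuid)`, and nothing in the hunk shows that this call returns true for providers. Because this branch returns every cipher in the organization with no per-user filtering, the authorization rests entirely on that one call; I would say so in the comment, e.g. `// OrganizationOwner() is expected to be true for Provider users of this org; it is the only access check on this unfiltered path`, and add a test that a non-owner member never reaches `GetManyByOrganizationIdAsync`. The same applies to the collections hunk (`@ -87,8 +87,19`). The enclosing method starts and ends outside the hunk, so the earlier guard that throws `NotFoundException` is not fully visible here.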


@ -87,8 +87,19 @@ namespace Bit.Api.Controllers
throw new NotFoundException(); throw new NotFoundException();
} }
var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value); IEnumerable<Collection> orgCollections;
var orgCollections = collections.Where(c => c.OrganizationId == orgIdGuid); if (await _currentContext.OrganizationOwner(orgIdGuid))
{
// User may be a Provider for the organization, in which case GetManyByUserIdAsync won't return any results
// But they have access to all organization collections, so we can safely get by orgId instead
orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgIdGuid);
}
else
{
var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
orgCollections = collections.Where(c => c.OrganizationId == orgIdGuid);
}
var responses = orgCollections.Select(c => new CollectionResponseModel(c)); var responses = orgCollections.Select(c => new CollectionResponseModel(c));
return new ListResponseModel<CollectionResponseModel>(responses); return new ListResponseModel<CollectionResponseModel>(responses);
} }