nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-16 10:38:17 -05:00
Code

permission checks to subvault apis

Browse Source
This commit is contained in:
Kyle Spearrin 2017-04-06 09:50:40 -04:00
parent 67c0243f77
commit 1eaba7ac00
1 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/Api/Controllers/SubvaultUsersController.cs
View File

@ -7,6 +7,7 @@ using Microsoft.AspNetCore.Authorization;
using Bit.Core.Models.Api; using Bit.Core.Models.Api;
using Bit.Core.Exceptions; using Bit.Core.Exceptions;
using Bit.Core.Services; using Bit.Core.Services;
using Bit.Core;
namespace Bit.Api.Controllers namespace Bit.Api.Controllers
{ {
@ -17,22 +18,31 @@ namespace Bit.Api.Controllers
private readonly ISubvaultRepository _subvaultRepository; private readonly ISubvaultRepository _subvaultRepository;
private readonly ISubvaultUserRepository _subvaultUserRepository; private readonly ISubvaultUserRepository _subvaultUserRepository;
private readonly IUserService _userService; private readonly IUserService _userService;
private readonly CurrentContext _currentContext;
public SubvaultUsersController( public SubvaultUsersController(
ISubvaultRepository subvaultRepository, ISubvaultRepository subvaultRepository,
ISubvaultUserRepository subvaultUserRepository, ISubvaultUserRepository subvaultUserRepository,
IUserService userService) IUserService userService,
CurrentContext currentContext)
{ {
_subvaultRepository = subvaultRepository; _subvaultRepository = subvaultRepository;
_subvaultUserRepository = subvaultUserRepository; _subvaultUserRepository = subvaultUserRepository;
_userService = userService; _userService = userService;
_currentContext = currentContext;
} }
[HttpGet("{subvaultId}")] [HttpGet("{subvaultId}")]
public async Task<ListResponseModel<SubvaultUserResponseModel>> GetBySubvault(string orgId, string subvaultId) public async Task<ListResponseModel<SubvaultUserResponseModel>> GetBySubvault(string orgId, string subvaultId)
{ {
// TODO: permission check var subvaultIdGuid = new Guid(subvaultId);
var subvaultUsers = await _subvaultUserRepository.GetManyDetailsBySubvaultIdAsync(new Guid(subvaultId)); var subvault = await _subvaultRepository.GetByIdAsync(subvaultIdGuid);
if(subvault == null || !_currentContext.OrganizationAdmin(subvault.OrganizationId))
{
throw new NotFoundException();
}
var subvaultUsers = await _subvaultUserRepository.GetManyDetailsBySubvaultIdAsync(subvaultIdGuid);
var responses = subvaultUsers.Select(s => new SubvaultUserResponseModel(s)); var responses = subvaultUsers.Select(s => new SubvaultUserResponseModel(s));
return new ListResponseModel<SubvaultUserResponseModel>(responses); return new ListResponseModel<SubvaultUserResponseModel>(responses);
} }
@ -47,7 +57,12 @@ namespace Bit.Api.Controllers
throw new NotFoundException(); throw new NotFoundException();
} }
// TODO: permission check var subvault = await _subvaultRepository.GetByIdAsync(user.SubvaultId);
if(subvault == null || !_currentContext.OrganizationAdmin(subvault.OrganizationId))
{
throw new NotFoundException();
}
await _subvaultUserRepository.DeleteAsync(user); await _subvaultUserRepository.DeleteAsync(user);
} }
} }