[SM-670] Add permission context to project lists. (#2822)
* Attach permission context to project lists. * restrict service-account actions * Fix project permission details * Add getters and setters * dotnet format * Fix admin create unassigned secret (#2872)
@ -118,7 +118,7 @@ public class CreateAccessPoliciesCommand : ICreateAccessPoliciesCommand
|
||||
case AccessClientType.User:
|
||||
if (projectIdToCheck.HasValue)
|
||||
{
|
||||
hasAccess = await _projectRepository.UserHasWriteAccessToProject(projectIdToCheck.Value, userId);
|
||||
hasAccess = (await _projectRepository.AccessToProjectAsync(projectIdToCheck.Value, userId, accessClient)).Write;
|
||||
}
|
||||
else if (serviceAccountIdToCheck.HasValue)
|
||||
{
|
||||
|
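Review bot: The new User branch, `hasAccess = (await _projectRepository.AccessToProjectAsync(projectIdToCheck.Value, userId, accessClient)).Write;`, is the same line repeated in DeleteAccessPolicyCommand and UpdateAccessPolicyCommand, each wrapped in an identical project-id / service-account-id dispatch. Since AccessToProjectAsync now receives the access client itself, a single shared helper (for example a `Task<bool> HasWriteAccessToProjectAsync(Guid projectId, Guid userId, AccessClientType accessClient)` on the repository or an access-check service) would keep the three commands from drifting apart the next time the write rule changes. The switch continues past the hunk, so whether the ServiceAccount and default arms in each command still fail closed cannot be confirmed from here.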
@ -83,7 +83,7 @@ public class DeleteAccessPolicyCommand : IDeleteAccessPolicyCommand
|
||||
case AccessClientType.User:
|
||||
if (projectIdToCheck.HasValue)
|
||||
{
|
||||
hasAccess = await _projectRepository.UserHasWriteAccessToProject(projectIdToCheck.Value, userId);
|
||||
hasAccess = (await _projectRepository.AccessToProjectAsync(projectIdToCheck.Value, userId, accessClient)).Write;
|
||||
}
|
||||
else if (serviceAccountIdToCheck.HasValue)
|
||||
{
|
||||
|
@ -87,7 +87,7 @@ public class UpdateAccessPolicyCommand : IUpdateAccessPolicyCommand
|
||||
case AccessClientType.User:
|
||||
if (projectIdToCheck.HasValue)
|
||||
{
|
||||
hasAccess = await _projectRepository.UserHasWriteAccessToProject(projectIdToCheck.Value, userId);
|
||||
hasAccess = (await _projectRepository.AccessToProjectAsync(projectIdToCheck.Value, userId, accessClient)).Write;
|
||||
}
|
||||
else if (serviceAccountIdToCheck.HasValue)
|
||||
{
|
||||
|
@ -49,19 +49,13 @@ public class DeleteProjectCommand : IDeleteProjectCommand
|
||||
var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
|
||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
||||
|
||||
var results = new List<Tuple<Project, String>>(projects.Count);
|
||||
var results = new List<Tuple<Project, string>>(projects.Count);
|
||||
var deleteIds = new List<Guid>();
|
||||
|
||||
foreach (var project in projects)
|
||||
{
|
||||
var hasAccess = accessClient switch
|
||||
{
|
||||
AccessClientType.NoAccessCheck => true,
|
||||
AccessClientType.User => await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
|
||||
_ => false,
|
||||
};
|
||||
|
||||
if (!hasAccess)
|
||||
var access = await _projectRepository.AccessToProjectAsync(project.Id, userId, accessClient);
|
||||
if (!access.Write || accessClient == AccessClientType.ServiceAccount)
|
||||
{
|
||||
results.Add(new Tuple<Project, string>(project, "access denied"));
|
||||
}
|
||||
|
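Review bot: The rewritten check `if (!access.Write || accessClient == AccessClientType.ServiceAccount)` drops the default-deny that the removed switch expressed with `_ => false`: any AccessClientType other than ServiceAccount is now granted or denied solely by what AccessToProjectAsync returns, so the command fails closed only if the repository does so for every client type, which is not visible in this hunk. The same shift appears in UpdateProjectCommand and DeleteSecretCommand, while CreateSecretCommand keeps its switch with the `_ => false` arm, so the four commands no longer agree on where the default lives; a comment on AccessToProjectAsync (or a test per client type) stating that it returns Write=false for any unhandled client would make the contract explicit. Separately, the ServiceAccount test runs after the repository round-trip whose result it discards; writing `if (accessClient == AccessClientType.ServiceAccount || !access.Write)`, or skipping the call for that client, avoids the wasted query and states the hard deny before any data is read. DeleteProjectCommand's loop body continues outside the hunk.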
@ -34,14 +34,8 @@ public class UpdateProjectCommand : IUpdateProjectCommand
|
||||
var orgAdmin = await _currentContext.OrganizationAdmin(project.OrganizationId);
|
||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
||||
|
||||
var hasAccess = accessClient switch
|
||||
{
|
||||
AccessClientType.NoAccessCheck => true,
|
||||
AccessClientType.User => await _projectRepository.UserHasWriteAccessToProject(updatedProject.Id, userId),
|
||||
_ => false,
|
||||
};
|
||||
|
||||
if (!hasAccess)
|
||||
var access = await _projectRepository.AccessToProjectAsync(updatedProject.Id, userId, accessClient);
|
||||
if (!access.Write || accessClient == AccessClientType.ServiceAccount)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
@ -39,7 +39,7 @@ public class CreateSecretCommand : ICreateSecretCommand
|
||||
var hasAccess = accessClient switch
|
||||
{
|
||||
AccessClientType.NoAccessCheck => true,
|
||||
AccessClientType.User => await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
|
||||
AccessClientType.User => (await _projectRepository.AccessToProjectAsync(project.Id, userId, accessClient)).Write,
|
||||
_ => false,
|
||||
};
|
||||
|
||||
|
@ -54,16 +54,10 @@ public class DeleteSecretCommand : IDeleteSecretCommand
|
||||
if (secret.Projects != null && secret.Projects?.Count > 0)
|
||||
{
|
||||
var projectId = secret.Projects.First().Id;
|
||||
|
||||
hasAccess = accessClient switch
|
||||
{
|
||||
AccessClientType.NoAccessCheck => true,
|
||||
AccessClientType.User => await _projectRepository.UserHasWriteAccessToProject(projectId, userId),
|
||||
_ => false,
|
||||
};
|
||||
hasAccess = (await _projectRepository.AccessToProjectAsync(projectId, userId, accessClient)).Write;
|
||||
}
|
||||
|
||||
if (!hasAccess)
|
||||
if (!hasAccess || accessClient == AccessClientType.ServiceAccount)
|
||||
{
|
||||
results.Add(new Tuple<Secret, string>(secret, "access denied"));
|
||||
}
|
||||
|
@ -51,7 +51,7 @@ public class UpdateSecretCommand : IUpdateSecretCommand
|
||||
return secret;
|
||||
}
|
||||
|
||||
public async Task<bool> HasAccessToOriginalAndUpdatedProject(AccessClientType accessClient, Secret secret, Secret updatedSecret, Guid userId)
|
||||
private async Task<bool> HasAccessToOriginalAndUpdatedProject(AccessClientType accessClient, Secret secret, Secret updatedSecret, Guid userId)
|
||||
{
|
||||
switch (accessClient)
|
||||
{
|
||||
@ -60,8 +60,8 @@ public class UpdateSecretCommand : IUpdateSecretCommand
|
||||
case AccessClientType.User:
|
||||
var oldProject = secret.Projects?.FirstOrDefault();
|
||||
var newProject = updatedSecret.Projects?.FirstOrDefault();
|
||||
var accessToOld = oldProject != null && await _projectRepository.UserHasWriteAccessToProject(oldProject.Id, userId);
|
||||
var accessToNew = newProject != null && await _projectRepository.UserHasWriteAccessToProject(newProject.Id, userId);
|
||||
var accessToOld = oldProject != null && (await _projectRepository.AccessToProjectAsync(oldProject.Id, userId, accessClient)).Write;
|
||||
var accessToNew = newProject != null && (await _projectRepository.AccessToProjectAsync(newProject.Id, userId, accessClient)).Write;
|
||||
return accessToOld && accessToNew;
|
||||
default:
|
||||
return false;
|
||||
|
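Review bot: HasAccessToOriginalAndUpdatedProject has become private and now threads `accessClient` into both repository calls, but nothing records the rule it enforces; a summary on the method in the earlier hunk along the lines of `/// True only when the caller can write to both the secret's current project and the project in the update; a secret with no project on either side is denied.` would capture what the `oldProject != null &&` / `newProject != null &&` guards at `var accessToOld` and `var accessToNew` are doing. If the repository is backed by a single DbContext, the two awaits must stay sequential rather than be combined with Task.WhenAll, which is worth a one-line comment so a later edit does not parallelise them. The remaining switch arms (NoAccessCheck, ServiceAccount) sit outside the hunk, so whether the ServiceAccount case can now reuse the same AccessToProjectAsync call is not visible here.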