nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-21 04:55:08 -05:00
Code

Only owner can change the type of another owner.

Browse Source 
resolves #467
This commit is contained in:
Kyle Spearrin 2019-03-28 12:36:57 -04:00
parent 3f598c35fc
commit 54c46f716b
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/Core/Services/Implementations/OrganizationService.cs
View File

@ -1012,12 +1012,20 @@ namespace Bit.Core.Services
throw new BadRequestException("Invite the user first."); throw new BadRequestException("Invite the user first.");
} }
if(savingUserId.HasValue && user.Type == OrganizationUserType.Owner) if(savingUserId.HasValue)
{ {
var savingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(savingUserId.Value); var savingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(savingUserId.Value);
if(!savingUserOrgs.Any(u => u.OrganizationId == user.OrganizationId && u.Type == OrganizationUserType.Owner)) var savingUserIsOrgOwner = savingUserOrgs
.Any(u => u.OrganizationId == user.OrganizationId && u.Type == OrganizationUserType.Owner);
if(!savingUserIsOrgOwner)
{ {
throw new BadRequestException("Only owners can update other owners."); var originalUser = await _organizationUserRepository.GetByIdAsync(user.Id);
var isOwner = originalUser.Type == OrganizationUserType.Owner;
var nowOwner = user.Type == OrganizationUserType.Owner;
if((isOwner && !nowOwner) || (!isOwner && nowOwner))
{
throw new BadRequestException("Only an owner can change the user type of another owner.");
}
} }
} }