nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-01 08:02:49 -05:00
Code Activity

[AC-1981] Fix CollectionsController.Get auth check by just checking collections for the requested orgId (#3575)

Browse Source 
* Fixed auth check by just checking collections for the requested orgId

* [AC-1139] Refactor collection authorization logic to check for manage permission

* [AC-1139] Remove unnecessary authorization check in CollectionsController

* [AC-1139] Remove unused test method

* [AC-1139] Remove unnecessary code for checking read permissions
This commit is contained in:
Rui Tomé
2023-12-20 16:34:09 +00:00
committed by GitHub
parent ca750e226f
commit 72ebb5e66f
4 changed files with 62 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/Api/Controllers/CollectionsController.cs
View File

@ -584,11 +584,6 @@ public class CollectionsController : Controller
// Filter the assigned collections to only return those where the user has Manage permission
var manageableOrgCollections = assignedOrgCollections.Where(c => c.Item1.Manage).ToList();
var readAssignedAuthorized = await _authorizationService.AuthorizeAsync(User, manageableOrgCollections.Select(c => c.Item1), BulkCollectionOperations.ReadWithAccess);
if (!readAssignedAuthorized.Succeeded)
{
throw new NotFoundException();
}
return new ListResponseModel<CollectionAccessDetailsResponseModel>(manageableOrgCollections.Select(c =>
new CollectionAccessDetailsResponseModel(c.Item1, c.Item2.Groups, c.Item2.Users)
@ -609,16 +604,8 @@ public class CollectionsController : Controller
}
else
{
var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value, FlexibleCollectionsIsEnabled);
var readAuthorized = (await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.Read)).Succeeded;
if (readAuthorized)
{
orgCollections = collections.Where(c => c.OrganizationId == orgId);
}
else
{
throw new NotFoundException();
}
var assignedCollections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value, FlexibleCollectionsIsEnabled);
orgCollections = assignedCollections.Where(c => c.OrganizationId == orgId && c.Manage).ToList();
}
var responses = orgCollections.Select(c => new CollectionResponseModel(c));