nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-21 13:05:11 -05:00
Code

Admins are not limited by collection controls

Browse Source
This commit is contained in:
Kyle Spearrin 2017-09-06 13:01:22 -04:00
parent 06bdda5717
commit b06aae7cfd
8 changed files with 48 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/Api/Controllers/LoginsController.cs
View File

@ -54,8 +54,7 @@ namespace Bit.Api.Controllers
[HttpGet("{id}/admin")] [HttpGet("{id}/admin")]
public async Task<LoginResponseModel> GetAdmin(string id) public async Task<LoginResponseModel> GetAdmin(string id)
{ {
var userId = _userService.GetProperUserId(User).Value; var login = await _cipherRepository.GetDetailsByIdAsync(new Guid(id));
var login = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
if(login == null || !login.OrganizationId.HasValue || if(login == null || !login.OrganizationId.HasValue ||
!_currentContext.OrganizationAdmin(login.OrganizationId.Value)) !_currentContext.OrganizationAdmin(login.OrganizationId.Value))
{ {
@ -131,7 +130,7 @@ namespace Bit.Api.Controllers
public async Task<LoginResponseModel> PutAdmin(string id, [FromBody]LoginRequestModel model) public async Task<LoginResponseModel> PutAdmin(string id, [FromBody]LoginRequestModel model)
{ {
var userId = _userService.GetProperUserId(User).Value; var userId = _userService.GetProperUserId(User).Value;
var login = await _cipherRepository.GetByIdAsync(new Guid(id), userId); var login = await _cipherRepository.GetDetailsByIdAsync(new Guid(id));
if(login == null || !login.OrganizationId.HasValue || if(login == null || !login.OrganizationId.HasValue ||
!_currentContext.OrganizationAdmin(login.OrganizationId.Value)) !_currentContext.OrganizationAdmin(login.OrganizationId.Value))
{ {

1
src/Core/Repositories/ICipherRepository.cs
View File

@ -10,6 +10,7 @@ namespace Bit.Core.Repositories
public interface ICipherRepository : IRepository<Cipher, Guid> public interface ICipherRepository : IRepository<Cipher, Guid>
{ {
Task<CipherDetails> GetByIdAsync(Guid id, Guid userId); Task<CipherDetails> GetByIdAsync(Guid id, Guid userId);
Task<CipherDetails> GetDetailsByIdAsync(Guid id);
Task<bool> GetCanEditByIdAsync(Guid userId, Guid cipherId); Task<bool> GetCanEditByIdAsync(Guid userId, Guid cipherId);
Task<ICollection<CipherDetails>> GetManyByUserIdAsync(Guid userId); Task<ICollection<CipherDetails>> GetManyByUserIdAsync(Guid userId);
Task<ICollection<CipherDetails>> GetManyByUserIdHasCollectionsAsync(Guid userId); Task<ICollection<CipherDetails>> GetManyByUserIdHasCollectionsAsync(Guid userId);

13
src/Core/Repositories/SqlServer/CipherRepository.cs
View File

@ -36,6 +36,19 @@ namespace Bit.Core.Repositories.SqlServer
} }
} }
public async Task<CipherDetails> GetDetailsByIdAsync(Guid id)
{
using(var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<CipherDetails>(
$"[{Schema}].[CipherDetails_ReadById]",
new { Id = id },
commandType: CommandType.StoredProcedure);
return results.FirstOrDefault();
}
}
public async Task<bool> GetCanEditByIdAsync(Guid userId, Guid cipherId) public async Task<bool> GetCanEditByIdAsync(Guid userId, Guid cipherId)
{ {
using(var connection = new SqlConnection(ConnectionString)) using(var connection = new SqlConnection(ConnectionString))

1
src/Sql/Sql.sqlproj
View File

@ -212,5 +212,6 @@
<Build Include="dbo\Views\InstallationView.sql" /> <Build Include="dbo\Views\InstallationView.sql" />
<Build Include="dbo\Stored Procedures\Organization_ReadByEnabled.sql" /> <Build Include="dbo\Stored Procedures\Organization_ReadByEnabled.sql" />
<Build Include="dbo\Stored Procedures\User_ReadByPremium.sql" /> <Build Include="dbo\Stored Procedures\User_ReadByPremium.sql" />
<Build Include="dbo\Stored Procedures\CipherDetails_ReadById.sql" />
</ItemGroup> </ItemGroup>
</Project> </Project>

6
src/Sql/dbo/Functions/CipherDetails.sql
View File

@ -11,13 +11,15 @@ SELECT
C.[CreationDate], C.[CreationDate],
C.[RevisionDate], C.[RevisionDate],
CASE WHEN CASE WHEN
C.[Favorites] IS NULL @UserId IS NULL
OR C.[Favorites] IS NULL
OR JSON_VALUE(C.[Favorites], CONCAT('$."', @UserId, '"')) IS NULL OR JSON_VALUE(C.[Favorites], CONCAT('$."', @UserId, '"')) IS NULL
THEN 0 THEN 0
ELSE 1 ELSE 1
END [Favorite], END [Favorite],
CASE WHEN CASE WHEN
C.[Folders] IS NULL @UserId IS NULL
OR C.[Folders] IS NULL
THEN NULL THEN NULL
ELSE TRY_CONVERT(UNIQUEIDENTIFIER, JSON_VALUE(C.[Folders], CONCAT('$."', @UserId, '"'))) ELSE TRY_CONVERT(UNIQUEIDENTIFIER, JSON_VALUE(C.[Folders], CONCAT('$."', @UserId, '"')))
END [FolderId] END [FolderId]

20
src/Sql/dbo/Stored Procedures/CipherDetails_ReadById.sql Normal file
View File

@ -0,0 +1,20 @@
CREATE PROCEDURE [dbo].[CipherDetails_ReadById]
@Id UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
C.*,
1 [Edit],
CASE
WHEN O.[UseTotp] = 1 THEN 1
ELSE 0
END [OrganizationUseTotp]
FROM
[dbo].[CipherDetails](NULL) C
LEFT JOIN
[dbo].[Organization] O ON O.[Id] = C.[OrganizationId]
WHERE
C.[Id] = @Id
END

6
src/Sql/dbo/Stored Procedures/CipherDetails_ReadByUserIdHasCollection.sql
View File

@ -9,7 +9,11 @@ BEGIN
CASE CASE
WHEN C.[UserId] IS NOT NULL OR OU.[AccessAll] = 1 OR CU.[ReadOnly] = 0 OR G.[AccessAll] = 1 OR CG.[ReadOnly] = 0 THEN 1 WHEN C.[UserId] IS NOT NULL OR OU.[AccessAll] = 1 OR CU.[ReadOnly] = 0 OR G.[AccessAll] = 1 OR CG.[ReadOnly] = 0 THEN 1
ELSE 0 ELSE 0
END [Edit] END [Edit],
CASE
WHEN C.[UserId] IS NULL AND O.[UseTotp] = 1 THEN 1
ELSE 0
END [OrganizationUseTotp]
FROM FROM
[dbo].[CipherDetails](@UserId) C [dbo].[CipherDetails](@UserId) C
INNER JOIN INNER JOIN

2
src/Sql/dbo/Stored Procedures/Cipher_ReadCanEditByIdUserId.sql
View File

@ -14,7 +14,7 @@ BEGIN
ELSE 0 ELSE 0
END [Edit] END [Edit]
FROM FROM
[dbo].[CipherDetails](@UserId) C [dbo].[Cipher] C
LEFT JOIN LEFT JOIN
[dbo].[Organization] O ON C.[UserId] IS NULL AND O.[Id] = C.[OrganizationId] [dbo].[Organization] O ON C.[UserId] IS NULL AND O.[Id] = C.[OrganizationId]
LEFT JOIN LEFT JOIN