
validation checks on cipher move

This commit is contained in:
Kyle Spearrin 2017-03-25 16:25:10 -04:00
parent 5029af33c5
commit b144f8a686
4 changed files with 25 additions and 11 deletions


@ -119,12 +119,12 @@ namespace Bit.Api.Controllers
{
var userId = _userService.GetProperUserId(User).Value;
var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
if(cipher == null)
if(cipher == null || cipher.OrganizationId.HasValue || cipher.UserId != userId)
{
throw new NotFoundException();
}
await _cipherService.MoveSubvaultAsync(model.Cipher.ToCipher(cipher),
await _cipherService.MoveSubvaultAsync(model.Cipher.ToCipher(cipher), new Guid(model.Cipher.OrganizationId),
model.SubvaultIds.Select(s => new Guid(s)), userId);
}
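Review bot: The new `new Guid(model.Cipher.OrganizationId)` throws FormatException on a malformed value and ArgumentNullException when the field is absent, so a bad request surfaces as an unhandled exception rather than a validation failure; the existing `new Guid(s)` over `model.SubvaultIds` has the same weakness. Unless model validation upstream already guarantees these are well-formed GUIDs (not visible in this hunk), parse defensively: `if(!Guid.TryParse(model.Cipher.OrganizationId, out var organizationId)) { throw new BadRequestException(nameof(model.Cipher.OrganizationId)); }` (assuming BadRequestException is in scope here as NotFoundException is) and pass `organizationId` to MoveSubvaultAsync. The added `cipher.OrganizationId.HasValue || cipher.UserId != userId` guard is the right shape, and answering NotFound rather than Forbidden avoids confirming that another user's cipher id exists. The method's signature lies outside this hunk.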


@ -121,7 +121,7 @@ namespace Bit.Api.IdentityServer
var customResponse = new Dictionary<string, object>();
if(!string.IsNullOrWhiteSpace(user.PrivateKey))
{
customResponse.Add("EncryptedPrivateKey", user.PrivateKey);
customResponse.Add("PrivateKey", user.PrivateKey);
}
context.Result = new GrantValidationResult(user.Id.ToString(), "Application",


@ -13,7 +13,7 @@ namespace Bit.Core.Services
Task DeleteAsync(CipherDetails cipher, Guid deletingUserId);
Task SaveFolderAsync(Folder folder);
Task DeleteFolderAsync(Folder folder);
Task MoveSubvaultAsync(Cipher cipher, IEnumerable<Guid> subvaultIds, Guid userId);
Task MoveSubvaultAsync(Cipher cipher, Guid organizationId, IEnumerable<Guid> subvaultIds, Guid userId);
Task ImportCiphersAsync(List<Folder> folders, List<CipherDetails> ciphers,
IEnumerable<KeyValuePair<int, int>> folderRelationships);
}
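Review bot: The widened `MoveSubvaultAsync` declaration carries no documentation of its contract, and the parameters interact in non-obvious ways: as implemented in CipherService on this page, `cipher` must be owned by `userId`, `organizationId` must be non-empty, and the cipher lands only in those `subvaultIds` where `userId` is an admin. An XML doc comment above the declaration should state those three rules and name the failure modes visible in the implementation, NotFoundException for a cipher the user does not own and BadRequestException for an empty id or no admin subvaults, so implementers and callers do not have to read the service body. It should also say explicitly that requested ids without admin rights are dropped rather than rejected, since that is the least obvious part of the behaviour.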


@ -112,24 +112,38 @@ namespace Bit.Core.Services
//await _pushService.PushSyncCipherDeleteAsync(cipher);
}
public async Task MoveSubvaultAsync(Cipher cipher, IEnumerable<Guid> subvaultIds, Guid userId)
public async Task MoveSubvaultAsync(Cipher cipher, Guid organizationId, IEnumerable<Guid> subvaultIds, Guid movingUserId)
{
if(cipher.Id == default(Guid))
{
throw new BadRequestException(nameof(cipher.Id));
}
if(!cipher.OrganizationId.HasValue)
if(organizationId == default(Guid))
{
throw new BadRequestException(nameof(cipher.OrganizationId));
throw new BadRequestException(nameof(organizationId));
}
var subvaultUserDetails = await _subvaultUserRepository.GetPermissionsByUserIdAsync(userId, subvaultIds,
cipher.OrganizationId.Value);
if(!cipher.UserId.HasValue || cipher.UserId.Value != movingUserId)
{
throw new NotFoundException();
}
// We do not need to check if the user belongs to this organization since this call will return no subvaults
// and therefore be caught by the .Any() check below.
var subvaultUserDetails = await _subvaultUserRepository.GetPermissionsByUserIdAsync(movingUserId, subvaultIds,
organizationId);
var adminSubvaults = subvaultUserDetails.Where(s => s.Admin).Select(s => s.SubvaultId);
if(!adminSubvaults.Any())
{
throw new BadRequestException("No subvaults.");
}
cipher.UserId = null;
cipher.OrganizationId = organizationId;
cipher.RevisionDate = DateTime.UtcNow;
await _cipherRepository.ReplaceAsync(cipher, subvaultUserDetails.Where(s => s.Admin).Select(s => s.SubvaultId));
await _cipherRepository.ReplaceAsync(cipher, adminSubvaults);
// push
//await _pushService.PushSyncCipherUpdateAsync(cipher);
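Review bot: The ownership guard `if(!cipher.UserId.HasValue || cipher.UserId.Value != movingUserId)` does not reject a cipher that already carries an OrganizationId, and `cipher.OrganizationId = organizationId` below then overwrites it unconditionally; in this commit only the controller checks `cipher.OrganizationId.HasValue`, so the service is safe only if every org cipher has a null UserId, an invariant this page suggests (the move sets `cipher.UserId = null`) but does not guarantee for other callers. Making the service self-contained costs one line: `if(cipher.OrganizationId.HasValue || !cipher.UserId.HasValue || cipher.UserId.Value != movingUserId)`. Separately, requested subvault ids the user does not administer are silently filtered out by the `s.Admin` projection, so a move naming several subvaults can partially succeed with no signal to the client; if that is not intended, throw BadRequestException when `adminSubvaults` does not cover every distinct id in `subvaultIds`. The comment saying organization membership need not be checked depends on GetPermissionsByUserIdAsync filtering by `organizationId`, which is not visible here and deserves a test.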
@ -173,7 +187,7 @@ namespace Bit.Core.Services
}
}
private async Task<bool> UserCanEditAsync(CipherDetails cipher, Guid userId)
private async Task<bool> UserCanEditAsync(Cipher cipher, Guid userId)
{
if(!cipher.OrganizationId.HasValue && cipher.UserId.HasValue && cipher.UserId.Value == userId)
{