
validation checks on cipher move

This commit is contained in:
Kyle Spearrin 2017-03-25 16:25:10 -04:00
parent 5029af33c5
commit b144f8a686
4 changed files with 25 additions and 11 deletions


@ -119,12 +119,12 @@ namespace Bit.Api.Controllers
{ {
var userId = _userService.GetProperUserId(User).Value; var userId = _userService.GetProperUserId(User).Value;
var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId); var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
if(cipher == null) if(cipher == null || cipher.OrganizationId.HasValue || cipher.UserId != userId)
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
await _cipherService.MoveSubvaultAsync(model.Cipher.ToCipher(cipher), await _cipherService.MoveSubvaultAsync(model.Cipher.ToCipher(cipher), new Guid(model.Cipher.OrganizationId),
model.SubvaultIds.Select(s => new Guid(s)), userId); model.SubvaultIds.Select(s => new Guid(s)), userId);
} }
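Review bot: `new Guid(model.Cipher.OrganizationId)` on the MoveSubvaultAsync call turns a missing or malformed request field into an ArgumentNullException or FormatException instead of a 400; unless a global exception filter already maps those (not visible here), parse it explicitly: `if(!Guid.TryParse(model.Cipher.OrganizationId, out var organizationId)) { throw new BadRequestException(nameof(model.Cipher.OrganizationId)); }` and pass `organizationId` to the service. The same applies to `new Guid(id)` on the GetByIdAsync line, although that pattern predates this commit. The added ownership check (`cipher.OrganizationId.HasValue || cipher.UserId != userId`) is also enforced inside CipherService.MoveSubvaultAsync; keeping both is reasonable as defense in depth, but a one-line comment such as `// Reject early with NotFound so non-owned or already shared ciphers never reach the move logic.` would explain the duplication to the next reader. The enclosing action method's signature is above the hunk.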


@ -121,7 +121,7 @@ namespace Bit.Api.IdentityServer
var customResponse = new Dictionary<string, object>(); var customResponse = new Dictionary<string, object>();
if(!string.IsNullOrWhiteSpace(user.PrivateKey)) if(!string.IsNullOrWhiteSpace(user.PrivateKey))
{ {
customResponse.Add("EncryptedPrivateKey", user.PrivateKey); customResponse.Add("PrivateKey", user.PrivateKey);
} }
context.Result = new GrantValidationResult(user.Id.ToString(), "Application", context.Result = new GrantValidationResult(user.Id.ToString(), "Application",


@ -13,7 +13,7 @@ namespace Bit.Core.Services
Task DeleteAsync(CipherDetails cipher, Guid deletingUserId); Task DeleteAsync(CipherDetails cipher, Guid deletingUserId);
Task SaveFolderAsync(Folder folder); Task SaveFolderAsync(Folder folder);
Task DeleteFolderAsync(Folder folder); Task DeleteFolderAsync(Folder folder);
Task MoveSubvaultAsync(Cipher cipher, IEnumerable<Guid> subvaultIds, Guid userId); Task MoveSubvaultAsync(Cipher cipher, Guid organizationId, IEnumerable<Guid> subvaultIds, Guid userId);
Task ImportCiphersAsync(List<Folder> folders, List<CipherDetails> ciphers, Task ImportCiphersAsync(List<Folder> folders, List<CipherDetails> ciphers,
IEnumerable<KeyValuePair<int, int>> folderRelationships); IEnumerable<KeyValuePair<int, int>> folderRelationships);
} }
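Review bot: The new `Guid organizationId` parameter on MoveSubvaultAsync is undocumented, and the interface names the last parameter `userId` while the CipherService implementation in this commit names it `movingUserId`; named-argument callers bind against the interface, so the two declarations should agree. A `/// <summary>` on the interface member stating that it moves a user-owned cipher into `organizationId`, throws BadRequestException for a default organization id or when the user administers none of `subvaultIds`, and throws NotFoundException when the cipher is not owned by the calling user would let callers know which exceptions to handle without reading the implementation.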


@ -112,24 +112,38 @@ namespace Bit.Core.Services
//await _pushService.PushSyncCipherDeleteAsync(cipher); //await _pushService.PushSyncCipherDeleteAsync(cipher);
} }
public async Task MoveSubvaultAsync(Cipher cipher, IEnumerable<Guid> subvaultIds, Guid userId) public async Task MoveSubvaultAsync(Cipher cipher, Guid organizationId, IEnumerable<Guid> subvaultIds, Guid movingUserId)
{ {
if(cipher.Id == default(Guid)) if(cipher.Id == default(Guid))
{ {
throw new BadRequestException(nameof(cipher.Id)); throw new BadRequestException(nameof(cipher.Id));
} }
if(!cipher.OrganizationId.HasValue) if(organizationId == default(Guid))
{ {
throw new BadRequestException(nameof(cipher.OrganizationId)); throw new BadRequestException(nameof(organizationId));
} }
var subvaultUserDetails = await _subvaultUserRepository.GetPermissionsByUserIdAsync(userId, subvaultIds, if(!cipher.UserId.HasValue || cipher.UserId.Value != movingUserId)
cipher.OrganizationId.Value); {
throw new NotFoundException();
}
// We do not need to check if the user belongs to this organization since this call will return no subvaults
// and therefore be caught by the .Any() check below.
var subvaultUserDetails = await _subvaultUserRepository.GetPermissionsByUserIdAsync(movingUserId, subvaultIds,
organizationId);
var adminSubvaults = subvaultUserDetails.Where(s => s.Admin).Select(s => s.SubvaultId);
if(!adminSubvaults.Any())
{
throw new BadRequestException("No subvaults.");
}
cipher.UserId = null; cipher.UserId = null;
cipher.OrganizationId = organizationId;
cipher.RevisionDate = DateTime.UtcNow; cipher.RevisionDate = DateTime.UtcNow;
await _cipherRepository.ReplaceAsync(cipher, subvaultUserDetails.Where(s => s.Admin).Select(s => s.SubvaultId)); await _cipherRepository.ReplaceAsync(cipher, adminSubvaults);
// push // push
//await _pushService.PushSyncCipherUpdateAsync(cipher); //await _pushService.PushSyncCipherUpdateAsync(cipher);
@ -173,7 +187,7 @@ namespace Bit.Core.Services
} }
} }
private async Task<bool> UserCanEditAsync(CipherDetails cipher, Guid userId) private async Task<bool> UserCanEditAsync(Cipher cipher, Guid userId)
{ {
if(!cipher.OrganizationId.HasValue && cipher.UserId.HasValue && cipher.UserId.Value == userId) if(!cipher.OrganizationId.HasValue && cipher.UserId.HasValue && cipher.UserId.Value == userId)
{ {