nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-15 10:08:14 -05:00
Code

remove admin checks from services for ctrl context

Browse Source
This commit is contained in:
Kyle Spearrin 2017-04-05 16:29:46 -04:00
parent 9a1e512020
commit c4ab901098
6 changed files with 48 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
src/Api/Controllers/OrganizationUsersController.cs
View File

@ -7,6 +7,7 @@ using Microsoft.AspNetCore.Authorization;
using Bit.Core.Models.Api; using Bit.Core.Models.Api;
using Bit.Core.Exceptions; using Bit.Core.Exceptions;
using Bit.Core.Services; using Bit.Core.Services;
using Bit.Core;
namespace Bit.Api.Controllers namespace Bit.Api.Controllers
{ {
@ -19,26 +20,29 @@ namespace Bit.Api.Controllers
private readonly IOrganizationService _organizationService; private readonly IOrganizationService _organizationService;
private readonly ISubvaultRepository _subvaultRepository; private readonly ISubvaultRepository _subvaultRepository;
private readonly IUserService _userService; private readonly IUserService _userService;
private readonly CurrentContext _currentContext;
public OrganizationUsersController( public OrganizationUsersController(
IOrganizationRepository organizationRepository, IOrganizationRepository organizationRepository,
IOrganizationUserRepository organizationUserRepository, IOrganizationUserRepository organizationUserRepository,
IOrganizationService organizationService, IOrganizationService organizationService,
ISubvaultRepository subvaultRepository, ISubvaultRepository subvaultRepository,
IUserService userService) IUserService userService,
CurrentContext currentContext)
{ {
_organizationRepository = organizationRepository; _organizationRepository = organizationRepository;
_organizationUserRepository = organizationUserRepository; _organizationUserRepository = organizationUserRepository;
_organizationService = organizationService; _organizationService = organizationService;
_subvaultRepository = subvaultRepository; _subvaultRepository = subvaultRepository;
_userService = userService; _userService = userService;
_currentContext = currentContext;
} }
[HttpGet("{id}")] [HttpGet("{id}")]
public async Task<OrganizationUserDetailsResponseModel> Get(string orgId, string id) public async Task<OrganizationUserDetailsResponseModel> Get(string orgId, string id)
{ {
var organizationUser = await _organizationUserRepository.GetDetailsByIdAsync(new Guid(id)); var organizationUser = await _organizationUserRepository.GetDetailsByIdAsync(new Guid(id));
if(organizationUser == null) if(organizationUser == null || !_currentContext.OrganizationAdmin(organizationUser.Item1.OrganizationId))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -49,7 +53,13 @@ namespace Bit.Api.Controllers
[HttpGet("")] [HttpGet("")]
public async Task<ListResponseModel<OrganizationUserResponseModel>> Get(string orgId) public async Task<ListResponseModel<OrganizationUserResponseModel>> Get(string orgId)
{ {
var organizationUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(new Guid(orgId)); var orgGuidId = new Guid(orgId);
if(!_currentContext.OrganizationAdmin(orgGuidId))
{
throw new NotFoundException();
}
var organizationUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(orgGuidId);
var responses = organizationUsers.Select(o => new OrganizationUserResponseModel(o)); var responses = organizationUsers.Select(o => new OrganizationUserResponseModel(o));
return new ListResponseModel<OrganizationUserResponseModel>(responses); return new ListResponseModel<OrganizationUserResponseModel>(responses);
} }
@ -57,8 +67,14 @@ namespace Bit.Api.Controllers
[HttpPost("invite")] [HttpPost("invite")]
public async Task Invite(string orgId, [FromBody]OrganizationUserInviteRequestModel model) public async Task Invite(string orgId, [FromBody]OrganizationUserInviteRequestModel model)
{ {
var orgGuidId = new Guid(orgId);
if(!_currentContext.OrganizationAdmin(orgGuidId))
{
throw new NotFoundException();
}
var userId = _userService.GetProperUserId(User); var userId = _userService.GetProperUserId(User);
var result = await _organizationService.InviteUserAsync(new Guid(orgId), userId.Value, model.Email, model.Type.Value, var result = await _organizationService.InviteUserAsync(orgGuidId, userId.Value, model.Email, model.Type.Value,
model.Subvaults?.Select(s => s.ToSubvaultUser())); model.Subvaults?.Select(s => s.ToSubvaultUser()));
} }
@ -66,8 +82,14 @@ namespace Bit.Api.Controllers
[HttpPost("{id}/reinvite")] [HttpPost("{id}/reinvite")]
public async Task Reinvite(string orgId, string id) public async Task Reinvite(string orgId, string id)
{ {
var orgGuidId = new Guid(orgId);
if(!_currentContext.OrganizationAdmin(orgGuidId))
{
throw new NotFoundException();
}
var userId = _userService.GetProperUserId(User); var userId = _userService.GetProperUserId(User);
await _organizationService.ResendInviteAsync(new Guid(orgId), userId.Value, new Guid(id)); await _organizationService.ResendInviteAsync(orgGuidId, userId.Value, new Guid(id));
} }
[HttpPut("{id}/accept")] [HttpPut("{id}/accept")]
@ -82,16 +104,28 @@ namespace Bit.Api.Controllers
[HttpPost("{id}/confirm")] [HttpPost("{id}/confirm")]
public async Task Confirm(string orgId, string id, [FromBody]OrganizationUserConfirmRequestModel model) public async Task Confirm(string orgId, string id, [FromBody]OrganizationUserConfirmRequestModel model)
{ {
var orgGuidId = new Guid(orgId);
if(!_currentContext.OrganizationAdmin(orgGuidId))
{
throw new NotFoundException();
}
var userId = _userService.GetProperUserId(User); var userId = _userService.GetProperUserId(User);
var result = await _organizationService.ConfirmUserAsync(new Guid(orgId), new Guid(id), model.Key, userId.Value); var result = await _organizationService.ConfirmUserAsync(orgGuidId, new Guid(id), model.Key, userId.Value);
} }
[HttpPut("{id}")] [HttpPut("{id}")]
[HttpPost("{id}")] [HttpPost("{id}")]
public async Task Put(string orgId, string id, [FromBody]OrganizationUserUpdateRequestModel model) public async Task Put(string orgId, string id, [FromBody]OrganizationUserUpdateRequestModel model)
{ {
var orgGuidId = new Guid(orgId);
if(!_currentContext.OrganizationAdmin(orgGuidId))
{
throw new NotFoundException();
}
var organizationUser = await _organizationUserRepository.GetByIdAsync(new Guid(id)); var organizationUser = await _organizationUserRepository.GetByIdAsync(new Guid(id));
if(organizationUser == null) if(organizationUser == null || organizationUser.OrganizationId != orgGuidId)
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -105,8 +139,14 @@ namespace Bit.Api.Controllers
[HttpPost("{id}/delete")] [HttpPost("{id}/delete")]
public async Task Delete(string orgId, string id) public async Task Delete(string orgId, string id)
{ {
var orgGuidId = new Guid(orgId);
if(!_currentContext.OrganizationAdmin(orgGuidId))
{
throw new NotFoundException();
}
var userId = _userService.GetProperUserId(User); var userId = _userService.GetProperUserId(User);
await _organizationService.DeleteUserAsync(new Guid(orgId), new Guid(id), userId.Value); await _organizationService.DeleteUserAsync(orgGuidId, new Guid(id), userId.Value);
} }
} }
} }

1
src/Core/Repositories/IOrganizationUserRepository.cs
View File

@ -9,7 +9,6 @@ namespace Bit.Core.Repositories
{ {
public interface IOrganizationUserRepository : IRepository<OrganizationUser, Guid> public interface IOrganizationUserRepository : IRepository<OrganizationUser, Guid>
{ {
Task<OrganizationUser> GetByOrganizationAsync(Guid organizationId, Guid userId);
Task<ICollection<OrganizationUser>> GetManyByUserAsync(Guid userId); Task<ICollection<OrganizationUser>> GetManyByUserAsync(Guid userId);
Task<ICollection<OrganizationUser>> GetManyByOrganizationAsync(Guid organizationId, OrganizationUserType? type); Task<ICollection<OrganizationUser>> GetManyByOrganizationAsync(Guid organizationId, OrganizationUserType? type);
Task<OrganizationUser> GetByOrganizationAsync(Guid organizationId, string email); Task<OrganizationUser> GetByOrganizationAsync(Guid organizationId, string email);

13
src/Core/Repositories/SqlServer/OrganizationUserRepository.cs
View File

@ -21,19 +21,6 @@ namespace Bit.Core.Repositories.SqlServer
: base(connectionString) : base(connectionString)
{ } { }
public async Task<OrganizationUser> GetByOrganizationAsync(Guid organizationId, Guid userId)
{
using(var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<OrganizationUser>(
"[dbo].[OrganizationUser_ReadByOrganizationIdUserId]",
new { OrganizationId = organizationId, UserId = userId },
commandType: CommandType.StoredProcedure);
return results.SingleOrDefault();
}
}
public async Task<OrganizationUser> GetByOrganizationAsync(Guid organizationId, string email) public async Task<OrganizationUser> GetByOrganizationAsync(Guid organizationId, string email)
{ {
using(var connection = new SqlConnection(ConnectionString)) using(var connection = new SqlConnection(ConnectionString))

38
src/Core/Services/Implementations/OrganizationService.cs
View File

@ -9,7 +9,6 @@ using Bit.Core.Exceptions;
using System.Collections.Generic; using System.Collections.Generic;
using Microsoft.AspNetCore.DataProtection; using Microsoft.AspNetCore.DataProtection;
using Stripe; using Stripe;
using Bit.Core.Models.StaticStore;
namespace Bit.Core.Services namespace Bit.Core.Services
{ {
@ -149,11 +148,6 @@ namespace Bit.Core.Services
public async Task<OrganizationUser> InviteUserAsync(Guid organizationId, Guid invitingUserId, string email, public async Task<OrganizationUser> InviteUserAsync(Guid organizationId, Guid invitingUserId, string email,
Enums.OrganizationUserType type, IEnumerable<SubvaultUser> subvaults) Enums.OrganizationUserType type, IEnumerable<SubvaultUser> subvaults)
{ {
if(!(await OrganizationUserHasAdminRightsAsync(organizationId, invitingUserId)))
{
throw new BadRequestException("Cannot invite users.");
}
// Make sure user is not already invited // Make sure user is not already invited
var existingOrgUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, email); var existingOrgUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, email);
if(existingOrgUser != null) if(existingOrgUser != null)
@ -185,11 +179,6 @@ namespace Bit.Core.Services
public async Task ResendInviteAsync(Guid organizationId, Guid invitingUserId, Guid organizationUserId) public async Task ResendInviteAsync(Guid organizationId, Guid invitingUserId, Guid organizationUserId)
{ {
if(!(await OrganizationUserHasAdminRightsAsync(organizationId, invitingUserId)))
{
throw new BadRequestException("Cannot invite users.");
}
var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId); var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId);
if(orgUser == null || orgUser.OrganizationId != organizationId || if(orgUser == null || orgUser.OrganizationId != organizationId ||
orgUser.Status != Enums.OrganizationUserStatusType.Invited) orgUser.Status != Enums.OrganizationUserStatusType.Invited)
@ -257,11 +246,6 @@ namespace Bit.Core.Services
public async Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key, public async Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key,
Guid confirmingUserId) Guid confirmingUserId)
{ {
if(!(await OrganizationUserHasAdminRightsAsync(organizationId, confirmingUserId)))
{
throw new BadRequestException("Cannot confirm users.");
}
var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId); var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId);
if(orgUser == null || orgUser.Status != Enums.OrganizationUserStatusType.Accepted || if(orgUser == null || orgUser.Status != Enums.OrganizationUserStatusType.Accepted ||
orgUser.OrganizationId != organizationId) orgUser.OrganizationId != organizationId)
@ -286,11 +270,6 @@ namespace Bit.Core.Services
throw new BadRequestException("Invite the user first."); throw new BadRequestException("Invite the user first.");
} }
if(!(await OrganizationUserHasAdminRightsAsync(user.OrganizationId, savingUserId)))
{
throw new BadRequestException("Cannot update users.");
}
var confirmedOwners = (await GetConfirmedOwnersAsync(user.OrganizationId)).ToList(); var confirmedOwners = (await GetConfirmedOwnersAsync(user.OrganizationId)).ToList();
if(user.Type != Enums.OrganizationUserType.Owner && confirmedOwners.Count == 1 && confirmedOwners[0].Id == user.Id) if(user.Type != Enums.OrganizationUserType.Owner && confirmedOwners.Count == 1 && confirmedOwners[0].Id == user.Id)
{ {
@ -306,11 +285,6 @@ namespace Bit.Core.Services
public async Task DeleteUserAsync(Guid organizationId, Guid organizationUserId, Guid deletingUserId) public async Task DeleteUserAsync(Guid organizationId, Guid organizationUserId, Guid deletingUserId)
{ {
if(!(await OrganizationUserHasAdminRightsAsync(organizationId, deletingUserId)))
{
throw new BadRequestException("Cannot delete users.");
}
var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId); var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId);
if(orgUser == null || orgUser.OrganizationId != organizationId) if(orgUser == null || orgUser.OrganizationId != organizationId)
{ {
@ -333,18 +307,6 @@ namespace Bit.Core.Services
return owners.Where(o => o.Status == Enums.OrganizationUserStatusType.Confirmed); return owners.Where(o => o.Status == Enums.OrganizationUserStatusType.Confirmed);
} }
private async Task<bool> OrganizationUserHasAdminRightsAsync(Guid organizationId, Guid userId)
{
var orgUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, userId);
if(orgUser == null)
{
return false;
}
return orgUser.Status == Enums.OrganizationUserStatusType.Confirmed &&
orgUser.Type != Enums.OrganizationUserType.User;
}
private async Task SaveUserSubvaultsAsync(OrganizationUser user, IEnumerable<SubvaultUser> subvaults, bool newUser) private async Task SaveUserSubvaultsAsync(OrganizationUser user, IEnumerable<SubvaultUser> subvaults, bool newUser)
{ {
if(subvaults == null) if(subvaults == null)

1
src/Sql/Sql.sqlproj
View File

@ -171,7 +171,6 @@
<Build Include="dbo\Stored Procedures\Grant_DeleteBySubjectIdClientId.sql" /> <Build Include="dbo\Stored Procedures\Grant_DeleteBySubjectIdClientId.sql" />
<Build Include="dbo\Stored Procedures\SubvaultUserUserDetails_ReadBySubvaultId.sql" /> <Build Include="dbo\Stored Procedures\SubvaultUserUserDetails_ReadBySubvaultId.sql" />
<Build Include="dbo\Stored Procedures\Grant_DeleteBySubjectIdClientIdType.sql" /> <Build Include="dbo\Stored Procedures\Grant_DeleteBySubjectIdClientIdType.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_ReadByOrganizationIdUserId.sql" />
<Build Include="dbo\Stored Procedures\Grant_ReadByKey.sql" /> <Build Include="dbo\Stored Procedures\Grant_ReadByKey.sql" />
<Build Include="dbo\Stored Procedures\Grant_ReadBySubjectId.sql" /> <Build Include="dbo\Stored Procedures\Grant_ReadBySubjectId.sql" />
<Build Include="dbo\Stored Procedures\Grant_Save.sql" /> <Build Include="dbo\Stored Procedures\Grant_Save.sql" />

15
src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByOrganizationIdUserId.sql
View File

@ -1,15 +0,0 @@
CREATE PROCEDURE [dbo].[OrganizationUser_ReadByOrganizationIdUserId]
@OrganizationId UNIQUEIDENTIFIER,
@UserId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
*
FROM
[dbo].[OrganizationUserView]
WHERE
[OrganizationId] = @OrganizationId
AND [UserId] = @UserId
END