From d266da10843f61f0f3d193d0d63041406a612065 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Tue, 21 Mar 2017 21:13:20 -0400
Subject: [PATCH] user checks on read procs
---
 src/Api/Controllers/CiphersController.cs | 7 +++---
 .../SqlServer/CipherRepository.cs | 6 ++---
 .../Services/Implementations/CipherService.cs | 8 +------
 src/Sql/Sql.sqlproj | 1 +
 .../CipherDetails_ReadByIdUserId.sql | 24 +++++++++++++++++++
 .../CipherDetails_ReadByTypeUserId.sql | 19 +++++++++++----
 .../CipherDetails_ReadByUserId.sql | 2 +-
 .../CipherDetails_ReadByUserIdHasSubvault.sql | 3 ++-
 8 files changed, 50 insertions(+), 20 deletions(-)
 create mode 100644 src/Sql/dbo/Stored Procedures/CipherDetails_ReadByIdUserId.sql
diff --git a/src/Api/Controllers/CiphersController.cs b/src/Api/Controllers/CiphersController.cs
index faa753abd2..0ee7490426 100644
--- a/src/Api/Controllers/CiphersController.cs
+++ b/src/Api/Controllers/CiphersController.cs
@@ -90,10 +90,10 @@ namespace Bit.Api.Controllers
 [HttpPut("{id}/move")]
 [HttpPost("{id}/move")]
- public async Task PostMoveSubvault(string id, [FromBody]CipherMoveRequestModel model)
+ public async Task PostMove(string id, [FromBody]CipherMoveRequestModel model)
 {
 var userId = _userService.GetProperUserId(User).Value;
- var cipher = await _cipherRepository.GetByIdAsync(new Guid(id));
+ var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
 if(cipher == null)
 {
 throw new NotFoundException();
@@ -107,7 +107,8 @@ namespace Bit.Api.Controllers
 [HttpPost("{id}/delete")]
 public async Task Delete(string id)
 {
- var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), _userService.GetProperUserId(User).Value);
+ var userId = _userService.GetProperUserId(User).Value;
+ var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
 if(cipher == null)
 {
 throw new NotFoundException();
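Review bot: `_cipherRepository.GetByIdAsync(new Guid(id), userId)` on the new side of the PostMove hunk establishes only that the caller can read the cipher — under the proc this commit adds, that includes any confirmed organization user who is in a subvault holding it — so it must not be read as an ownership or write check; the rest of PostMove lies outside this hunk, so confirm it still verifies the caller's rights on the target subvaults before moving. Separately, `new Guid(id)` throws FormatException on a malformed route id, which surfaces as a server error rather than the not-found the null branch produces; `if(!Guid.TryParse(id, out var cipherId)) { throw new NotFoundException(); }` ahead of the lookup keeps both failure modes consistent. The same parse appears in Delete in the following hunk.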
diff --git a/src/Core/Repositories/SqlServer/CipherRepository.cs b/src/Core/Repositories/SqlServer/CipherRepository.cs
index d1e77f808f..f43bbce570 100644
--- a/src/Core/Repositories/SqlServer/CipherRepository.cs
+++ b/src/Core/Repositories/SqlServer/CipherRepository.cs
@@ -28,11 +28,11 @@ namespace Bit.Core.Repositories.SqlServer
 using(var connection = new SqlConnection(ConnectionString))
 {
 var results = await connection.QueryAsync(
- $"[{Schema}].[CipherDetails_ReadById]",
- new { Id = id },
+ $"[{Schema}].[CipherDetails_ReadByIdUserId]",
+ new { Id = id, UserId = userId },
 commandType: CommandType.StoredProcedure);
- return results.FirstOrDefault(c => c.UserId == userId);
+ return results.FirstOrDefault();
 }
 }
diff --git a/src/Core/Services/Implementations/CipherService.cs b/src/Core/Services/Implementations/CipherService.cs
index fe64902bfb..a299570fe6 100644
--- a/src/Core/Services/Implementations/CipherService.cs
+++ b/src/Core/Services/Implementations/CipherService.cs
@@ -103,12 +103,6 @@ namespace Bit.Core.Services
 throw new BadRequestException(nameof(cipher.OrganizationId));
 }
- var existingCipher = await _cipherRepository.GetByIdAsync(cipher.Id);
- if(existingCipher == null || (existingCipher.UserId.HasValue && existingCipher.UserId != userId))
- {
- throw new NotFoundException();
- }
 var subvaultUserDetails = await _subvaultUserRepository.GetPermissionsByUserIdAsync(userId, subvaultIds, cipher.OrganizationId.Value);
@@ -117,7 +111,7 @@ namespace Bit.Core.Services
 await _cipherRepository.ReplaceAsync(cipher, subvaultUserDetails.Where(s => s.Admin).Select(s => s.SubvaultId));
 // push
- await _pushService.PushSyncCipherUpdateAsync(cipher);
+ //await _pushService.PushSyncCipherUpdateAsync(cipher);
 }
 public async Task ImportCiphersAsync(
diff --git a/src/Sql/Sql.sqlproj b/src/Sql/Sql.sqlproj
index adf7ad4678..f36e6a45e9 100644
--- a/src/Sql/Sql.sqlproj
+++ b/src/Sql/Sql.sqlproj
@@ -172,5 +172,6 @@
+ 
\ No newline at end of file
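Review bot: The switch to `CipherDetails_ReadByIdUserId` with a bare `results.FirstOrDefault()` changes what this overload of GetByIdAsync means: the removed in-memory filter `c.UserId == userId` matched only ciphers the user personally owns, whereas the new proc also returns ciphers reachable through a confirmed subvault membership. That widening is presumably intended, but it is undocumented, and any caller that used this overload as an ownership check now passes for shared ciphers too. Add a doc comment on the method (its signature is above this hunk): `/// Returns the cipher only if userId owns it or is a confirmed member of a subvault containing it — a read check, not an ownership check.`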
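Review bot: Removing the `existingCipher` lookup in the CipherService hunk leaves no visible check that `cipher.Id` refers to a cipher the caller may modify before `_cipherRepository.ReplaceAsync` runs in the following hunk; the deleted condition rejected both a non-existent cipher and one owned by a different user. Unless `ReplaceAsync` (not in this diff) scopes its update by user or organization, a client could overwrite another user's record by supplying its Id. Re-adding the lookup against the new user-scoped overload keeps the guard: `var existingCipher = await _cipherRepository.GetByIdAsync(cipher.Id, userId); if(existingCipher == null) { throw new NotFoundException(); }`. The enclosing method begins before this hunk.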
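Review bot: `//await _pushService.PushSyncCipherUpdateAsync(cipher);` in the second CipherService hunk disables the sync push with no explanation, so other clients presumably stop being notified of this update and the commented-out call will rot. Either delete the line or say why it is off and what re-enables it, e.g. `// TODO: push disabled until <reason>; restore PushSyncCipherUpdateAsync when resolved`. The method's opening is above this hunk.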
diff --git a/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByIdUserId.sql b/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByIdUserId.sql
new file mode 100644
index 0000000000..8b7b1c18b6
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByIdUserId.sql
@@ -0,0 +1,24 @@
+CREATE PROCEDURE [dbo].[CipherDetails_ReadByIdUserId]
+ @Id UNIQUEIDENTIFIER,
+ @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+ SET NOCOUNT ON
+
+ SELECT DISTINCT
+ C.*
+ FROM
+ [dbo].[CipherDetailsView] C
+ LEFT JOIN
+ [dbo].[SubvaultCipher] SC ON SC.[CipherId] = C.[Id]
+ LEFT JOIN
+ [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
+ LEFT JOIN
+ [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
+ WHERE
+ C.Id = @Id
+ AND (
+ (C.[UserId] IS NOT NULL AND C.[UserId] = @UserId)
+ OR (OU.[UserId] = @UserId AND OU.[Status] = 2) -- 2 = Confirmed
+ )
+END
\ No newline at end of file
diff --git a/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByTypeUserId.sql b/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByTypeUserId.sql
index a10772ce62..d46435977e 100644
--- a/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByTypeUserId.sql
+++ b/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByTypeUserId.sql
@@ -5,11 +5,20 @@ AS
 BEGIN
 SET NOCOUNT ON
- SELECT
- *
+ SELECT DISTINCT
+ C.*
 FROM
- [dbo].[CipherDetailsView]
+ [dbo].[CipherDetailsView] C
+ LEFT JOIN
+ [dbo].[SubvaultCipher] SC ON SC.[CipherId] = C.[Id]
+ LEFT JOIN
+ [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
+ LEFT JOIN
+ [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
 WHERE
- [Type] = @Type
- AND [UserId] = @UserId
+ C.[Type] = @Type
+ AND (
+ (C.[UserId] IS NOT NULL AND C.[UserId] = @UserId)
+ OR (OU.[UserId] = @UserId AND OU.[Status] = 2) -- 2 = Confirmed
+ )
 END
\ No newline at end of file
diff --git a/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByUserId.sql b/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByUserId.sql
index 74c2a44cbb..d9d44c1cc9 100644
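Review bot: The three LEFT JOINs in `CipherDetails_ReadByIdUserId` multiply the cipher row once per subvault/member path and then rely on `SELECT DISTINCT C.*` to collapse it; DISTINCT over every column of the view is more work than the query needs and will fail outright if the view ever exposes a column type SQL Server cannot compare (xml or text, for example — the view definition is not visible here). An `EXISTS` subquery expresses the membership test directly, needs no DISTINCT, and preserves the same semantics including the `OU.[Status] = 2` confirmed check; the same shape is used in `CipherDetails_ReadByTypeUserId` in the next hunk and would benefit equally. Also, `C.Id = @Id` is the only unbracketed column reference in the new proc; `C.[Id] = @Id` matches the rest of the file.
```sql
    SELECT
        C.*
    FROM
        [dbo].[CipherDetailsView] C
    WHERE
        C.[Id] = @Id
        AND (
            (C.[UserId] IS NOT NULL AND C.[UserId] = @UserId)
            OR EXISTS (
                SELECT 1
                FROM [dbo].[SubvaultCipher] SC
                INNER JOIN [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
                INNER JOIN [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
                WHERE SC.[CipherId] = C.[Id]
                    AND OU.[UserId] = @UserId
                    AND OU.[Status] = 2 -- 2 = Confirmed
            )
        )
```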
--- a/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByUserId.sql
+++ b/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByUserId.sql
@@ -16,5 +16,5 @@ BEGIN
 [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
 WHERE
 (C.[UserId] IS NOT NULL AND C.[UserId] = @UserId)
- OR OU.[UserId] = @UserId
+ OR (OU.[UserId] = @UserId AND OU.[Status] = 2) -- 2 = Confirmed
 END
\ No newline at end of file
diff --git a/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByUserIdHasSubvault.sql b/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByUserIdHasSubvault.sql
index 9507d97afb..1d212e4dc0 100644
--- a/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByUserIdHasSubvault.sql
+++ b/src/Sql/dbo/Stored Procedures/CipherDetails_ReadByUserIdHasSubvault.sql
@@ -15,5 +15,6 @@ BEGIN
 INNER JOIN
 [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
 WHERE
- [OU].[UserId] = @UserId
+ OU.[UserId] = @UserId
+ AND OU.[Status] = 2 -- 2 = Confirmed
 END
\ No newline at end of file