
[AC-1139] Modified CollectionsController.Get to check access before getting collections

This commit is contained in:
Rui Tome
2023-10-20 15:17:39 +01:00
parent 1e2908ba5e
commit dadf29f2c8
2 changed files with 22 additions and 6 deletions


@ -136,9 +136,12 @@ public class CollectionsController : Controller
if (FlexibleCollectionsIsEnabled)
{
orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId);
var readAllAuthorized = (await _authorizationService.AuthorizeAsync(User, orgCollections, CollectionOperations.ReadAll)).Succeeded;
if (!readAllAuthorized)
var readAll = (await _authorizationService.AuthorizeAsync(User, null, CollectionOperations.ReadAll(orgId))).Succeeded;
if (readAll)
{
orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId);
}
else
{
var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
orgCollections = collections.Where(c => c.OrganizationId == orgId);