
[AC-1139] Modified CollectionsController.Get to check access before getting collections

This commit is contained in:
Rui Tome
2023-10-20 15:17:39 +01:00
parent 1e2908ba5e
commit dadf29f2c8
2 changed files with 22 additions and 6 deletions


@ -135,10 +135,13 @@ public class CollectionsController : Controller
IEnumerable<Collection> orgCollections; IEnumerable<Collection> orgCollections;
if (FlexibleCollectionsIsEnabled) if (FlexibleCollectionsIsEnabled)
{
var readAll = (await _authorizationService.AuthorizeAsync(User, null, CollectionOperations.ReadAll(orgId))).Succeeded;
if (readAll)
{ {
orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId); orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId);
var readAllAuthorized = (await _authorizationService.AuthorizeAsync(User, orgCollections, CollectionOperations.ReadAll)).Succeeded; }
if (!readAllAuthorized) else
{ {
var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value); var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
orgCollections = collections.Where(c => c.OrganizationId == orgId); orgCollections = collections.Where(c => c.OrganizationId == orgId);
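Review bot: The new `ReadAll(orgId)` check passes `null` as the resource, so whichever authorization handler evaluates this requirement must now take the organization from `requirement.OrganizationId` rather than from the collection list it was handed before; that handler is not one of the two files in this commit, so unless it was already adapted it will receive a null resource and the `readAll` outcome may be wrong or the handler may throw. A comment on the `readAll` line would pin the contract for the next reader: `// Resource is intentionally null: access is resolved from the requirement's OrganizationId, not from a collection set.` The `else` branch still dereferences `_currentContext.UserId.Value` with no null guard, so an unset user id surfaces as an InvalidOperationException instead of a deliberate 401/403; that is pre-existing, but it is now the fallback path for every caller that fails the read-all check, so a guard such as `if (_currentContext.UserId is not { } userId) { throw new NotFoundException(); }` (or the controller's usual unauthorized response) before the repository call is worth adding. The enclosing `Get` method begins before and continues past this hunk.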


@ -2,13 +2,26 @@
namespace Bit.Api.Vault.AuthorizationHandlers.Collections; namespace Bit.Api.Vault.AuthorizationHandlers.Collections;
public class CollectionOperationRequirement : OperationAuthorizationRequirement { } public class CollectionOperationRequirement : OperationAuthorizationRequirement
{
public Guid OrganizationId { get; set; }
public CollectionOperationRequirement() { }
public CollectionOperationRequirement(string name, Guid organizationId)
{
Name = name;
OrganizationId = organizationId;
}
}
public static class CollectionOperations public static class CollectionOperations
{ {
public static readonly CollectionOperationRequirement Create = new() { Name = nameof(Create) }; public static readonly CollectionOperationRequirement Create = new() { Name = nameof(Create) };
public static readonly CollectionOperationRequirement ReadAll = new() { Name = nameof(ReadAll) }; public static CollectionOperationRequirement ReadAll(Guid organizationId)
public static readonly CollectionOperationRequirement Update = new() { Name = nameof(Update) }; {
return new CollectionOperationRequirement(nameof(ReadAll), organizationId);
}
public static readonly CollectionOperationRequirement Delete = new() { Name = nameof(Delete) }; public static readonly CollectionOperationRequirement Delete = new() { Name = nameof(Delete) };
/// <summary> /// <summary>
/// The operation that represents creating, updating, or removing collection access. /// The operation that represents creating, updating, or removing collection access.