nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-03 09:02:48 -05:00
Code Activity

[AC-1139] Modified CollectionsController.Get to check access before getting collections

Browse Source
This commit is contained in:
Rui Tome
2023-10-20 15:17:39 +01:00
parent 1e2908ba5e
commit dadf29f2c8
2 changed files with 22 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/Api/Controllers/CollectionsController.cs
View File

@ -135,10 +135,13 @@ public class CollectionsController : Controller
IEnumerable<Collection> orgCollections;
if (FlexibleCollectionsIsEnabled)
{
var readAll = (await _authorizationService.AuthorizeAsync(User, null, CollectionOperations.ReadAll(orgId))).Succeeded;
if (readAll)
{
orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId);
var readAllAuthorized = (await _authorizationService.AuthorizeAsync(User, orgCollections, CollectionOperations.ReadAll)).Succeeded;
if (!readAllAuthorized)
}
else
{
var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
orgCollections = collections.Where(c => c.OrganizationId == orgId);

19
src/Api/Vault/AuthorizationHandlers/Collections/CollectionOperations.cs
View File

@ -2,13 +2,26 @@
namespace Bit.Api.Vault.AuthorizationHandlers.Collections;
public class CollectionOperationRequirement : OperationAuthorizationRequirement { }
public class CollectionOperationRequirement : OperationAuthorizationRequirement
{
public Guid OrganizationId { get; set; }
public CollectionOperationRequirement() { }
public CollectionOperationRequirement(string name, Guid organizationId)
{
Name = name;
OrganizationId = organizationId;
}
}
public static class CollectionOperations
{
public static readonly CollectionOperationRequirement Create = new() { Name = nameof(Create) };
public static readonly CollectionOperationRequirement ReadAll = new() { Name = nameof(ReadAll) };
public static readonly CollectionOperationRequirement Update = new() { Name = nameof(Update) };
public static CollectionOperationRequirement ReadAll(Guid organizationId)
{
return new CollectionOperationRequirement(nameof(ReadAll), organizationId);
}
public static readonly CollectionOperationRequirement Delete = new() { Name = nameof(Delete) };
/// <summary>
/// The operation that represents creating, updating, or removing collection access.