nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-05-20 19:14:32 -05:00
Code

Prevent user from adding themselves to collection (#4037)

Browse Source
This commit is contained in:
Thomas Rittson 2024-05-02 08:32:50 +10:00 committed by GitHub
parent bc0a35259d
commit f0b9391249
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 48 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
View File

@ -364,26 +364,35 @@ public class OrganizationUsersController : Controller
throw new NotFoundException(); throw new NotFoundException();
} }
var organizationUser = await _organizationUserRepository.GetByIdAsync(id); var (organizationUser, currentAccess) = await _organizationUserRepository.GetByIdWithCollectionsAsync(id);
if (organizationUser == null || organizationUser.OrganizationId != orgId) if (organizationUser == null || organizationUser.OrganizationId != orgId)
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
// If admins are not allowed access to all collections, you cannot add yourself to a group
// In this case we just don't update groups
var userId = _userService.GetProperUserId(User).Value; var userId = _userService.GetProperUserId(User).Value;
var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
var editingSelf = userId == organizationUser.UserId; var editingSelf = userId == organizationUser.UserId;
var groups = editingSelf && !organizationAbility.AllowAdminAccessToAllCollectionItems // If admins are not allowed access to all collections, you cannot add yourself to a group.
// In this case we just don't update groups.
var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
var groupsToSave = editingSelf && !organizationAbility.AllowAdminAccessToAllCollectionItems
? null ? null
: model.Groups; : model.Groups;
// If admins are not allowed access to all collections, you cannot add yourself to collections.
// This is not caught by the requirement below that you can ModifyUserAccess and must be checked separately
var currentAccessIds = currentAccess.Select(c => c.Id).ToHashSet();
if (editingSelf &&
!organizationAbility.AllowAdminAccessToAllCollectionItems &&
model.Collections.Any(c => !currentAccessIds.Contains(c.Id)))
{
throw new BadRequestException("You cannot add yourself to a collection.");
}
// The client only sends collections that the saving user has permissions to edit. // The client only sends collections that the saving user has permissions to edit.
// On the server side, we need to (1) confirm this and (2) concat these with the collections that the user // On the server side, we need to (1) make sure the user has permissions for these collections, and
// can't edit before saving to the database. // (2) concat these with the collections that the user can't edit before saving to the database.
var (_, currentAccess) = await _organizationUserRepository.GetByIdWithCollectionsAsync(id);
var currentCollections = await _collectionRepository var currentCollections = await _collectionRepository
.GetManyByManyIdsAsync(currentAccess.Select(cas => cas.Id)); .GetManyByManyIdsAsync(currentAccess.Select(cas => cas.Id));
@ -411,7 +420,7 @@ public class OrganizationUsersController : Controller
.ToList(); .ToList();
await _updateOrganizationUserCommand.UpdateUserAsync(model.ToOrganizationUser(organizationUser), userId, await _updateOrganizationUserCommand.UpdateUserAsync(model.ToOrganizationUser(organizationUser), userId,
collectionsToSave, groups); collectionsToSave, groupsToSave);
} }
[HttpPut("{userId}/reset-password-enrollment")] [HttpPut("{userId}/reset-password-enrollment")]

30
test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
View File

@ -184,6 +184,36 @@ public class OrganizationUsersControllerTests
model.Groups); model.Groups);
} }
[Theory]
[BitAutoData]
public async Task Put_UpdateSelf_WithoutAllowAdminAccessToAllCollectionItems_CannotAddSelfToCollections(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
// Updating self
organizationUser.UserId = savingUserId;
organizationAbility.AllowAdminAccessToAllCollectionItems = false;
organizationAbility.FlexibleCollections = true;
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, false);
// User is not currently assigned to any collections, which means they're adding themselves
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetByIdWithCollectionsAsync(organizationUser.Id)
.Returns(new Tuple<OrganizationUser, ICollection<CollectionAccessSelection>>(organizationUser,
new List<CollectionAccessSelection>()));
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
.Returns(new List<Collection>());
var orgUserId = organizationUser.Id;
var orgUserEmail = organizationUser.Email;
var exception = await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model));
Assert.Contains("You cannot add yourself to a collection.", exception.Message);
}
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async Task Put_UpdateSelf_WithoutAllowAdminAccessToAllCollectionItems_DoesNotUpdateGroups(OrganizationUserUpdateRequestModel model, public async Task Put_UpdateSelf_WithoutAllowAdminAccessToAllCollectionItems_DoesNotUpdateGroups(OrganizationUserUpdateRequestModel model,