nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-14 17:48:12 -05:00
Code

change permission checks on cipher events

Browse Source
This commit is contained in:
Kyle Spearrin 2019-04-05 22:59:03 -04:00
parent 4b6edace09
commit fa463843bb
1 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/Api/Controllers/EventsController.cs
View File

@ -52,10 +52,24 @@ namespace Bit.Api.Controllers
public async Task<ListResponseModel<EventResponseModel>> GetCipher(string id, public async Task<ListResponseModel<EventResponseModel>> GetCipher(string id,
[FromQuery]DateTime? start = null, [FromQuery]DateTime? end = null, [FromQuery]string continuationToken = null) [FromQuery]DateTime? start = null, [FromQuery]DateTime? end = null, [FromQuery]string continuationToken = null)
{ {
var userId = _userService.GetProperUserId(User).Value; var cipher = await _cipherRepository.GetByIdAsync(new Guid(id));
var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId); if(cipher == null)
if(cipher == null || (cipher.UserId.HasValue && userId != cipher.UserId) || {
(cipher.OrganizationId.HasValue && !_currentContext.OrganizationAdmin(cipher.OrganizationId.Value))) throw new NotFoundException();
}
var canView = false;
if(cipher.OrganizationId.HasValue)
{
canView = _currentContext.OrganizationAdmin(cipher.OrganizationId.Value);
}
else if(cipher.UserId.HasValue)
{
var userId = _userService.GetProperUserId(User).Value;
canView = userId == cipher.UserId.Value;
}
if(!canView)
{ {
throw new NotFoundException(); throw new NotFoundException();
} }