nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-01 16:12:49 -05:00
Code Activity

[AC-1682] Update FC data migration scripts to clear AccessAll flags and set all Managers to Users

Browse Source
This commit is contained in:
Rui Tome
2024-01-10 11:34:31 +00:00
parent e7ce15fe1d
commit fcd2dd380d
3 changed files with 50 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
util/Migrator/DbScripts_transition/2023-12-06_00_AccessAllCollectionGroups.sql
View File

@ -1,10 +1,10 @@
-- Create a temporary table to store the groups with AccessAll = 1 -- Step 1: Create a temporary table to store the Groups with AccessAll = 1
SELECT [Id] AS [GroupId], [OrganizationId] SELECT [Id] AS [GroupId], [OrganizationId]
INTO #TempGroup INTO #TempGroup
FROM [dbo].[Group] FROM [dbo].[Group]
WHERE [AccessAll] = 1; WHERE [AccessAll] = 1;
-- Update existing rows in [dbo].[CollectionGroup] -- Step 2: Update existing rows in [dbo].[CollectionGroup]
UPDATE CG UPDATE CG
SET SET
CG.[ReadOnly] = 0, CG.[ReadOnly] = 0,
@ -15,7 +15,7 @@ INNER JOIN [dbo].[Collection] C ON CG.[CollectionId] = C.[Id]
INNER JOIN #TempGroup TG ON CG.[GroupId] = TG.[GroupId] INNER JOIN #TempGroup TG ON CG.[GroupId] = TG.[GroupId]
WHERE C.[OrganizationId] = TG.[OrganizationId]; WHERE C.[OrganizationId] = TG.[OrganizationId];
-- Insert new rows into [dbo].[CollectionGroup] -- Step 3: Insert new rows into [dbo].[CollectionGroup]
INSERT INTO [dbo].[CollectionGroup] ([CollectionId], [GroupId], [ReadOnly], [HidePasswords], [Manage]) INSERT INTO [dbo].[CollectionGroup] ([CollectionId], [GroupId], [ReadOnly], [HidePasswords], [Manage])
SELECT C.[Id], TG.[GroupId], 0, 0, 0 SELECT C.[Id], TG.[GroupId], 0, 0, 0
FROM [dbo].[Collection] C FROM [dbo].[Collection] C
@ -23,5 +23,11 @@ FROM [dbo].[Collection] C
LEFT JOIN [dbo].[CollectionGroup] CG ON CG.[CollectionId] = C.[Id] AND CG.[GroupId] = TG.[GroupId] LEFT JOIN [dbo].[CollectionGroup] CG ON CG.[CollectionId] = C.[Id] AND CG.[GroupId] = TG.[GroupId]
WHERE CG.[CollectionId] IS NULL; WHERE CG.[CollectionId] IS NULL;
-- Drop the temporary table -- Step 4: Update [dbo].[Group] to clear AccessAll flag
UPDATE G
SET [AccessAll] = 0
FROM [dbo].[Group] G
INNER JOIN #TempGroup TG ON G.[Id] = TG.[GroupId]
-- Step 5: Drop the temporary table
DROP TABLE #TempGroup; DROP TABLE #TempGroup;

65
util/Migrator/DbScripts_transition/2023-12-06_01_AccessAllCollectionUsers.sql
View File

@ -1,45 +1,40 @@
-- Step 1: Insert into a temporary table with an additional column for batch processing, update 50 k at a time -- Step 1: Create a temporary table to store the OrganizationUsers with AccessAll = 1
SELECT [Id] AS [OrganizationUserId], [OrganizationId], CAST(ROW_NUMBER() OVER(ORDER BY [Id]) / 50000 AS INT) AS Batch SELECT [Id] AS [OrganizationUserId], [OrganizationId]
INTO #TempOrgUser INTO #TempOrgUser
FROM [dbo].[OrganizationUser] FROM [dbo].[OrganizationUser]
WHERE [AccessAll] = 1; WHERE [AccessAll] = 1;
-- Step 2: Get the maximum batch number -- Step 2: Update existing rows in [dbo].[CollectionUser]
DECLARE @MaxBatch INT = (SELECT MAX(Batch) FROM #TempOrgUser); UPDATE target
DECLARE @CurrentBatch INT = 0; SET
target.[ReadOnly] = 0,
-- Step 3: Process each batch target.[HidePasswords] = 0,
WHILE @CurrentBatch <= @MaxBatch target.[Manage] = 0
BEGIN FROM [dbo].[CollectionUser] AS target
-- Update existing rows in [dbo].[CollectionUser] INNER JOIN (
UPDATE target SELECT C.[Id] AS [CollectionId], T.[OrganizationUserId]
SET FROM [dbo].[Collection] C
target.[ReadOnly] = 0, INNER JOIN #TempOrgUser T ON C.[OrganizationId] = T.[OrganizationId]
target.[HidePasswords] = 0, ) AS source
target.[Manage] = 0
FROM [dbo].[CollectionUser] AS target
INNER JOIN (
SELECT C.[Id] AS [CollectionId], T.[OrganizationUserId]
FROM [dbo].[Collection] C
INNER JOIN #TempOrgUser T ON C.[OrganizationId] = T.[OrganizationId] AND T.Batch = @CurrentBatch
) AS source
ON target.[CollectionId] = source.[CollectionId] AND target.[OrganizationUserId] = source.[OrganizationUserId]; ON target.[CollectionId] = source.[CollectionId] AND target.[OrganizationUserId] = source.[OrganizationUserId];
-- Insert new rows into [dbo].[CollectionUser] -- Step 3: Insert new rows into [dbo].[CollectionUser]
INSERT INTO [dbo].[CollectionUser] ([CollectionId], [OrganizationUserId], [ReadOnly], [HidePasswords], [Manage]) INSERT INTO [dbo].[CollectionUser] ([CollectionId], [OrganizationUserId], [ReadOnly], [HidePasswords], [Manage])
SELECT source.[CollectionId], source.[OrganizationUserId], 0, 0, 0 SELECT source.[CollectionId], source.[OrganizationUserId], 0, 0, 0
FROM ( FROM (
SELECT C.[Id] AS [CollectionId], T.[OrganizationUserId] SELECT C.[Id] AS [CollectionId], T.[OrganizationUserId]
FROM [dbo].[Collection] C FROM [dbo].[Collection] C
INNER JOIN #TempOrgUser T ON C.[OrganizationId] = T.[OrganizationId] AND T.Batch = @CurrentBatch INNER JOIN #TempOrgUser T ON C.[OrganizationId] = T.[OrganizationId]
) AS source ) AS source
LEFT JOIN [dbo].[CollectionUser] AS target LEFT JOIN [dbo].[CollectionUser] AS target
ON target.[CollectionId] = source.[CollectionId] AND target.[OrganizationUserId] = source.[OrganizationUserId] ON target.[CollectionId] = source.[CollectionId] AND target.[OrganizationUserId] = source.[OrganizationUserId]
WHERE target.[CollectionId] IS NULL; WHERE target.[CollectionId] IS NULL;
-- Move to the next batch -- Step 4: Update [dbo].[OrganizationUser] to clear AccessAll flag
SET @CurrentBatch = @CurrentBatch + 1; UPDATE OU
END; SET [AccessAll] = 0
FROM [dbo].[OrganizationUser] OU
INNER JOIN #TempOrgUser T ON OU.[Id] = T.[OrganizationUserId]
-- Step 4: Drop the temporary table -- Step 5: Drop the temporary table
DROP TABLE #TempOrgUser; DROP TABLE #TempOrgUser;

12
util/Migrator/DbScripts_transition/2023-12-06_02_ManagersEditAssignedCollectionUsers.sql
View File

@ -1,4 +1,4 @@
-- Update [dbo].[CollectionUser] with [Manage] = 1 for all users with Manager role or 'EditAssignedCollections' permission -- Step 1: Update [dbo].[CollectionUser] with [Manage] = 1 for all users with Manager role or 'EditAssignedCollections' permission
UPDATE cu UPDATE cu
SET cu.[ReadOnly] = 0, SET cu.[ReadOnly] = 0,
cu.[HidePasswords] = 0, cu.[HidePasswords] = 0,
@ -9,7 +9,7 @@ INNER JOIN [dbo].[OrganizationUser] ou
WHERE (ou.[Type] = 3 OR (ou.[Permissions] IS NOT NULL AND WHERE (ou.[Type] = 3 OR (ou.[Permissions] IS NOT NULL AND
ISJSON(ou.[Permissions]) > 0 AND JSON_VALUE(ou.[Permissions], '$.editAssignedCollections') = 'true')) ISJSON(ou.[Permissions]) > 0 AND JSON_VALUE(ou.[Permissions], '$.editAssignedCollections') = 'true'))
-- Insert rows to [dbo].[CollectionUser] for Managers and users with 'EditAssignedCollections' permission assigned to groups with collection access -- Step 2: Insert rows to [dbo].[CollectionUser] for Managers and users with 'EditAssignedCollections' permission assigned to groups with collection access
INSERT INTO [dbo].[CollectionUser] ([CollectionId], [OrganizationUserId], [ReadOnly], [HidePasswords], [Manage]) INSERT INTO [dbo].[CollectionUser] ([CollectionId], [OrganizationUserId], [ReadOnly], [HidePasswords], [Manage])
SELECT cg.[CollectionId], ou.[Id], 0, 0, 1 SELECT cg.[CollectionId], ou.[Id], 0, 0, 1
FROM [dbo].[CollectionGroup] cg FROM [dbo].[CollectionGroup] cg
@ -23,3 +23,11 @@ WHERE (ou.[Type] = 3 OR
SELECT 1 FROM [dbo].[CollectionUser] cu SELECT 1 FROM [dbo].[CollectionUser] cu
WHERE cu.[CollectionId] = cg.[CollectionId] AND cu.[OrganizationUserId] = ou.[Id] WHERE cu.[CollectionId] = cg.[CollectionId] AND cu.[OrganizationUserId] = ou.[Id]
) )
-- Step 3: Set all Managers to Users
UPDATE [dbo].[OrganizationUser]
SET [Type] = 2 -- User
WHERE [OrganizationId] = @OrganizationId
AND [Type] = 3; -- Manager
-- TODO: clear custom permissions JSON? Probably should, but not actually used by any code once we enable FC