diff options
author | BlackDex <[email protected]> | 2020-03-19 16:50:47 +0100 |
---|---|---|
committer | BlackDex <[email protected]> | 2020-03-19 16:50:47 +0100 |
commit | 669b101e6a68ab639526bc5b1405e8ced4a9f94e (patch) | |
tree | 4fac8e2e214491ed7426e44fae35780ed9324433 | |
parent | b85d548879204858325088fa1048e0b6b185600c (diff) | |
download | vaultwarden-669b101e6a68ab639526bc5b1405e8ced4a9f94e.tar.gz vaultwarden-669b101e6a68ab639526bc5b1405e8ced4a9f94e.zip |
Fixing issue #908
Sometimes an org-uuid is not within the path but in a query value,
This fixes the check for that.
-rw-r--r-- | src/auth.rs | 87 |
1 files changed, 53 insertions, 34 deletions
diff --git a/src/auth.rs b/src/auth.rs index f5aeaa1e..83845bc9 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -315,41 +315,60 @@ impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders { Outcome::Forward(_) => Outcome::Forward(()), Outcome::Failure(f) => Outcome::Failure(f), Outcome::Success(headers) => { - // org_id is expected to be the second param ("/organizations/<org_id>") - match request.get_param::<String>(1) { - Some(Ok(org_id)) => { - let conn = match request.guard::<DbConn>() { - Outcome::Success(conn) => conn, - _ => err_handler!("Error getting DB"), - }; - - let user = headers.user; - let org_user = match UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn) { - Some(user) => { - if user.status == UserOrgStatus::Confirmed as i32 { - user - } else { - err_handler!("The current user isn't confirmed member of the organization") - } - } - None => err_handler!("The current user isn't member of the organization"), - }; - - Outcome::Success(Self { - host: headers.host, - device: headers.device, - user, - org_user_type: { - if let Some(org_usr_type) = UserOrgType::from_i32(org_user.atype) { - org_usr_type - } else { - // This should only happen if the DB is corrupted - err_handler!("Unknown user type in the database") - } - }, - }) + // org_id is usually the second param ("/organizations/<org_id>") + // But there are cases where it is located in a query value. + // First check the param, if this is not a valid uuid, we will try the query value. + let query_org_id = match request.get_query_value::<String>("organizationId") { + Some(Ok(query_org_id)) => { query_org_id } + _ => { "".into() } + }; + let param_org_id = match request.get_param::<String>(1) { + Some(Ok(param_org_id)) => { param_org_id } + _ => { "".into() } + }; + + let org_uuid: _ = match uuid::Uuid::parse_str(¶m_org_id) { + Ok(uuid) => uuid, + _ => match uuid::Uuid::parse_str(&query_org_id) { + Ok(uuid) => uuid, + _ => err_handler!("Error getting the organization id"), } - _ => err_handler!("Error getting the organization id"), + }; + + let org_id: &str = &org_uuid.to_string(); + if !org_id.is_empty() { + let conn = match request.guard::<DbConn>() { + Outcome::Success(conn) => conn, + _ => err_handler!("Error getting DB"), + }; + + let user = headers.user; + let org_user = match UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn) { + Some(user) => { + if user.status == UserOrgStatus::Confirmed as i32 { + user + } else { + err_handler!("The current user isn't confirmed member of the organization") + } + } + None => err_handler!("The current user isn't member of the organization"), + }; + + Outcome::Success(Self { + host: headers.host, + device: headers.device, + user, + org_user_type: { + if let Some(org_usr_type) = UserOrgType::from_i32(org_user.atype) { + org_usr_type + } else { + // This should only happen if the DB is corrupted + err_handler!("Unknown user type in the database") + } + }, + }) + } else { + err_handler!("Error getting the organization id") } } } |