aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel GarcĂ­a <[email protected]>2018-12-28 21:06:30 +0100
committerGitHub <[email protected]>2018-12-28 21:06:30 +0100
commit004a3f891f84f46e22afa62cc5ef95c1778cf440 (patch)
treeaf37f33c955e69097bab793b4b8ccf1d2d1e5fc9
parente197f372b5d6f4e6ba97837f9ab077e7504e833d (diff)
parente7ea5097f49bb1f42ffdb59a038a02fea093df10 (diff)
downloadvaultwarden-004a3f891f84f46e22afa62cc5ef95c1778cf440.tar.gz
vaultwarden-004a3f891f84f46e22afa62cc5ef95c1778cf440.zip
Merge pull request #315 from aksdb/master
Restrict join on users_collections to current user (fixes #313)
-rw-r--r--src/db/models/cipher.rs10
1 files changed, 7 insertions, 3 deletions
diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
index 3b7f2dbb..918252fe 100644
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -293,7 +293,7 @@ impl Cipher {
.first::<Self>(&**conn).ok()
}
- // Find all ciphers accesible to user
+ // Find all ciphers accessible to user
pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
ciphers::table
.left_join(users_organizations::table.on(
@@ -303,7 +303,9 @@ impl Cipher {
)
)
))
- .left_join(ciphers_collections::table)
+ .left_join(ciphers_collections::table.on(
+ ciphers::uuid.eq(ciphers_collections::cipher_uuid)
+ ))
.left_join(users_collections::table.on(
ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
))
@@ -352,7 +354,9 @@ impl Cipher {
)
))
.left_join(users_collections::table.on(
- users_collections::collection_uuid.eq(ciphers_collections::collection_uuid)
+ users_collections::collection_uuid.eq(ciphers_collections::collection_uuid).and(
+ users_collections::user_uuid.eq(user_id)
+ )
))
.filter(ciphers_collections::cipher_uuid.eq(&self.uuid))
.filter(users_collections::user_uuid.eq(user_id).or( // User has access to collection