author | Daniel GarcĂa <[email protected]> | 2018-12-28 21:06:30 +0100 |
---|---|---|
committer | GitHub <[email protected]> | 2018-12-28 21:06:30 +0100 |
commit | 004a3f891f84f46e22afa62cc5ef95c1778cf440 (patch) | |
tree | af37f33c955e69097bab793b4b8ccf1d2d1e5fc9 | |
parent | e197f372b5d6f4e6ba97837f9ab077e7504e833d (diff) | |
parent | e7ea5097f49bb1f42ffdb59a038a02fea093df10 (diff) | |
Merge pull request #315 from aksdb/master
Restrict join on users_collections to current user (fixes #313)
-rw-r--r-- | src/db/models/cipher.rs | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
index 3b7f2dbb..918252fe 100644
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -293,7 +293,7 @@ impl Cipher {
  .first::<Self>(&**conn).ok()
  }
 
- // Find all ciphers accesible to user
+ // Find all ciphers accessible to user
  pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
  ciphers::table
  .left_join(users_organizations::table.on(
@@ -303,7 +303,9 @@ impl Cipher {
  )
  )
  ))
- .left_join(ciphers_collections::table)
+ .left_join(ciphers_collections::table.on(
+ ciphers::uuid.eq(ciphers_collections::cipher_uuid)
+ ))
  .left_join(users_collections::table.on(
  ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
  ))
@@ -352,7 +354,9 @@ impl Cipher {
  )
  ))
  .left_join(users_collections::table.on(
- users_collections::collection_uuid.eq(ciphers_collections::collection_uuid)
+ users_collections::collection_uuid.eq(ciphers_collections::collection_uuid).and(
+ users_collections::user_uuid.eq(user_id)
+ )
  ))
  .filter(ciphers_collections::cipher_uuid.eq(&self.uuid))
  .filter(users_collections::user_uuid.eq(user_id).or( // User has access to collection |
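Review bot: In `find_by_user` the `users_collections` join kept as context right after the new `ciphers_collections` ON clause still matches on `collection_uuid` alone, so it is not restricted to the current user the way the third hunk restricts the same join. With a left join that produces one row per user who holds the collection, and depending on the filter that follows (outside this hunk), a cipher may come back once per member or be admitted through another user's membership row. Consider `ciphers_collections::collection_uuid.eq(users_collections::collection_uuid).and(users_collections::user_uuid.eq(user_uuid))` here as well. The function body continues past the hunk, so the filter should be read before settling on the exact condition.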
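Review bot: The reason the user restriction has to sit in the ON clause, and not only in the later `.filter(users_collections::user_uuid.eq(user_id).or(`, is not recorded next to the code, and this is the kind of access-control detail that gets simplified away in a later refactor. A short comment above the `.and(` would help, for example `// Join only this user's collection row; the filter below has or-arms that would otherwise accept rows belonging to other members`. The other arms of that `.or(` are outside the hunk, so the wording should be confirmed against them. A regression test for #313 with two users sharing one collection would pin the behaviour; the enclosing method starts and ends outside the hunk.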