author | Matlink <[email protected]> | 2024-03-17 22:11:34 +0100 |
---|---|---|
committer | GitHub <[email protected]> | 2024-03-17 22:11:34 +0100 |
commit | 7c3cad197c9144977164d2b66e70c206b3b771d9 (patch) | |
tree | 8b26cf72cd10508419d126a850154705bd392ab4 /src/db | |
parent | 000c6060297cf96d4f3d3891ebf53d72c2064e72 (diff) | |
Fix #3624: fix manager permission within groups (#3754)
* Fix #3624: fix manager permission within groups
* Query returns UUID only
* Fix issue when user is manager and in a group having access to all collections
* optimize condition check
* fix(groups): renaming and optimizations
* fix: wrong organization group membership detection
* Simplify group membership check
Co-authored-by: Stefan Melmuk <[email protected]>
* Remove unused statement
* improve check if the user has access via groups
instead of returning the two lists of member ids and later checking if
they contain the uuid of the current user, we really only care if
the current user has full access via a group or if they have
access to a given collection via a group
* improve comments for get_org_collections_details
* small refactor to make it easier to review
* fix(groups): query full access via group only when necessary
Co-authored-by: Mathijs van Veluw <[email protected]>
* chore(fmt): apply rustfmt
---------
Co-authored-by: Stefan Melmuk <[email protected]>
Co-authored-by: Stefan Melmuk <[email protected]>
Co-authored-by: Mathijs van Veluw <[email protected]>
Diffstat (limited to 'src/db')
-rw-r--r-- | src/db/models/group.rs | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/src/db/models/group.rs b/src/db/models/group.rs
index 670e3114..e50853e2 100644
--- a/src/db/models/group.rs
+++ b/src/db/models/group.rs
@@ -486,6 +486,39 @@ impl GroupUser {
 }}
 }
 
+ pub async fn has_access_to_collection_by_member(
+ collection_uuid: &str,
+ member_uuid: &str,
+ conn: &mut DbConn,
+ ) -> bool {
+ db_run! { conn: {
+ groups_users::table
+ .inner_join(collections_groups::table.on(
+ collections_groups::groups_uuid.eq(groups_users::groups_uuid)
+ ))
+ .filter(collections_groups::collections_uuid.eq(collection_uuid))
+ .filter(groups_users::users_organizations_uuid.eq(member_uuid))
+ .count()
+ .first::<i64>(conn)
+ .unwrap_or(0) != 0
+ }}
+ }
+
+ pub async fn has_full_access_by_member(org_uuid: &str, member_uuid: &str, conn: &mut DbConn) -> bool {
+ db_run! { conn: {
+ groups_users::table
+ .inner_join(groups::table.on(
+ groups::uuid.eq(groups_users::groups_uuid)
+ ))
+ .filter(groups::organizations_uuid.eq(org_uuid))
+ .filter(groups::access_all.eq(true))
+ .filter(groups_users::users_organizations_uuid.eq(member_uuid))
+ .count()
+ .first::<i64>(conn)
+ .unwrap_or(0) != 0
+ }}
+ }
+
 pub async fn update_user_revision(&self, conn: &mut DbConn) {
 match UserOrganization::find_by_uuid(&self.users_organizations_uuid, conn).await {
 Some(user) => User::update_uuid_revision(&user.user_uuid, conn).await, |
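Review bot: Both new predicates collapse a failed query into `false` through `.unwrap_or(0) != 0`, so a database error is indistinguishable from "no group grants access"; denying on error is the right default for an authorization check, but the error is dropped without any log line, so a backend outage would surface to users as a permission problem. At minimum state the intent on that line, e.g. `// A query error denies access (fail closed) rather than granting it.`, and consider reporting the `Err` through whatever error logging this file already uses before returning `false`. Both public functions also lack `///` docs: `has_full_access_by_member` should say it reports whether the member belongs to any group of `org_uuid` with `access_all` set, and `has_access_to_collection_by_member` that it reports whether any of the member's groups is explicitly assigned `collection_uuid`. The latter query is not scoped by organization; presumably the caller guarantees `member_uuid` belongs to the organization that owns `collection_uuid`, which is worth stating in its doc comment. The enclosing `impl GroupUser` block starts and ends outside the hunk.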