prevent side effects if groups are disabled (#4265)

pull/4275/head
Stefan Melmuk 10 months ago committed by GitHub
parent 5e46a43306
commit 1b801406d6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -1788,15 +1788,22 @@ impl CipherSyncData {
.collect(); .collect();
// Generate a HashMap with the collections_uuid as key and the CollectionGroup record // Generate a HashMap with the collections_uuid as key and the CollectionGroup record
let user_collections_groups: HashMap<String, CollectionGroup> = CollectionGroup::find_by_user(user_uuid, conn) let user_collections_groups: HashMap<String, CollectionGroup> = if CONFIG.org_groups_enabled() {
.await CollectionGroup::find_by_user(user_uuid, conn)
.into_iter() .await
.map(|collection_group| (collection_group.collections_uuid.clone(), collection_group)) .into_iter()
.collect(); .map(|collection_group| (collection_group.collections_uuid.clone(), collection_group))
.collect()
} else {
HashMap::new()
};
// Get all organizations that the user has full access to via group assignment // Get all organizations that the user has full access to via group assignment
let user_group_full_access_for_organizations: HashSet<String> = let user_group_full_access_for_organizations: HashSet<String> = if CONFIG.org_groups_enabled() {
Group::gather_user_organizations_full_access(user_uuid, conn).await.into_iter().collect(); Group::gather_user_organizations_full_access(user_uuid, conn).await.into_iter().collect()
} else {
HashSet::new()
};
Self { Self {
cipher_attachments, cipher_attachments,

@ -294,7 +294,7 @@ async fn post_organization(
async fn get_user_collections(headers: Headers, mut conn: DbConn) -> Json<Value> { async fn get_user_collections(headers: Headers, mut conn: DbConn) -> Json<Value> {
Json(json!({ Json(json!({
"Data": "Data":
Collection::find_by_user_uuid(headers.user.uuid.clone(), &mut conn).await Collection::find_by_user_uuid(headers.user.uuid, &mut conn).await
.iter() .iter()
.map(Collection::to_json) .map(Collection::to_json)
.collect::<Value>(), .collect::<Value>(),

@ -426,6 +426,9 @@ impl Cipher {
cipher_sync_data: Option<&CipherSyncData>, cipher_sync_data: Option<&CipherSyncData>,
conn: &mut DbConn, conn: &mut DbConn,
) -> bool { ) -> bool {
if !CONFIG.org_groups_enabled() {
return false;
}
if let Some(ref org_uuid) = self.organization_uuid { if let Some(ref org_uuid) = self.organization_uuid {
if let Some(cipher_sync_data) = cipher_sync_data { if let Some(cipher_sync_data) = cipher_sync_data {
return cipher_sync_data.user_group_full_access_for_organizations.get(org_uuid).is_some(); return cipher_sync_data.user_group_full_access_for_organizations.get(org_uuid).is_some();
@ -521,6 +524,9 @@ impl Cipher {
} }
async fn get_group_collections_access_flags(&self, user_uuid: &str, conn: &mut DbConn) -> Vec<(bool, bool)> { async fn get_group_collections_access_flags(&self, user_uuid: &str, conn: &mut DbConn) -> Vec<(bool, bool)> {
if !CONFIG.org_groups_enabled() {
return Vec::new();
}
db_run! {conn: { db_run! {conn: {
ciphers::table ciphers::table
.filter(ciphers::uuid.eq(&self.uuid)) .filter(ciphers::uuid.eq(&self.uuid))
@ -602,50 +608,84 @@ impl Cipher {
// result, those ciphers will not appear in "My Vault" for the org // result, those ciphers will not appear in "My Vault" for the org
// owner/admin, but they can still be accessed via the org vault view. // owner/admin, but they can still be accessed via the org vault view.
pub async fn find_by_user(user_uuid: &str, visible_only: bool, conn: &mut DbConn) -> Vec<Self> { pub async fn find_by_user(user_uuid: &str, visible_only: bool, conn: &mut DbConn) -> Vec<Self> {
db_run! {conn: { if CONFIG.org_groups_enabled() {
let mut query = ciphers::table db_run! {conn: {
.left_join(ciphers_collections::table.on( let mut query = ciphers::table
ciphers::uuid.eq(ciphers_collections::cipher_uuid) .left_join(ciphers_collections::table.on(
)) ciphers::uuid.eq(ciphers_collections::cipher_uuid)
.left_join(users_organizations::table.on( ))
ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable()) .left_join(users_organizations::table.on(
.and(users_organizations::user_uuid.eq(user_uuid)) ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable())
.and(users_organizations::status.eq(UserOrgStatus::Confirmed as i32)) .and(users_organizations::user_uuid.eq(user_uuid))
)) .and(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
.left_join(users_collections::table.on( ))
ciphers_collections::collection_uuid.eq(users_collections::collection_uuid) .left_join(users_collections::table.on(
// Ensure that users_collections::user_uuid is NULL for unconfirmed users. ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
.and(users_organizations::user_uuid.eq(users_collections::user_uuid)) // Ensure that users_collections::user_uuid is NULL for unconfirmed users.
)) .and(users_organizations::user_uuid.eq(users_collections::user_uuid))
.left_join(groups_users::table.on( ))
groups_users::users_organizations_uuid.eq(users_organizations::uuid) .left_join(groups_users::table.on(
)) groups_users::users_organizations_uuid.eq(users_organizations::uuid)
.left_join(groups::table.on( ))
groups::uuid.eq(groups_users::groups_uuid) .left_join(groups::table.on(
)) groups::uuid.eq(groups_users::groups_uuid)
.left_join(collections_groups::table.on( ))
collections_groups::collections_uuid.eq(ciphers_collections::collection_uuid).and( .left_join(collections_groups::table.on(
collections_groups::groups_uuid.eq(groups::uuid) collections_groups::collections_uuid.eq(ciphers_collections::collection_uuid).and(
) collections_groups::groups_uuid.eq(groups::uuid)
)) )
.filter(ciphers::user_uuid.eq(user_uuid)) // Cipher owner ))
.or_filter(users_organizations::access_all.eq(true)) // access_all in org .filter(ciphers::user_uuid.eq(user_uuid)) // Cipher owner
.or_filter(users_collections::user_uuid.eq(user_uuid)) // Access to collection .or_filter(users_organizations::access_all.eq(true)) // access_all in org
.or_filter(groups::access_all.eq(true)) // Access via groups .or_filter(users_collections::user_uuid.eq(user_uuid)) // Access to collection
.or_filter(collections_groups::collections_uuid.is_not_null()) // Access via groups .or_filter(groups::access_all.eq(true)) // Access via groups
.into_boxed(); .or_filter(collections_groups::collections_uuid.is_not_null()) // Access via groups
.into_boxed();
if !visible_only {
query = query.or_filter( if !visible_only {
users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin/owner query = query.or_filter(
); users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin/owner
} );
}
query query
.select(ciphers::all_columns) .select(ciphers::all_columns)
.distinct() .distinct()
.load::<CipherDb>(conn).expect("Error loading ciphers").from_db() .load::<CipherDb>(conn).expect("Error loading ciphers").from_db()
}} }}
} else {
db_run! {conn: {
let mut query = ciphers::table
.left_join(ciphers_collections::table.on(
ciphers::uuid.eq(ciphers_collections::cipher_uuid)
))
.left_join(users_organizations::table.on(
ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable())
.and(users_organizations::user_uuid.eq(user_uuid))
.and(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
))
.left_join(users_collections::table.on(
ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
// Ensure that users_collections::user_uuid is NULL for unconfirmed users.
.and(users_organizations::user_uuid.eq(users_collections::user_uuid))
))
.filter(ciphers::user_uuid.eq(user_uuid)) // Cipher owner
.or_filter(users_organizations::access_all.eq(true)) // access_all in org
.or_filter(users_collections::user_uuid.eq(user_uuid)) // Access to collection
.into_boxed();
if !visible_only {
query = query.or_filter(
users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin/owner
);
}
query
.select(ciphers::all_columns)
.distinct()
.load::<CipherDb>(conn).expect("Error loading ciphers").from_db()
}}
}
} }
// Find all ciphers visible to the specified user. // Find all ciphers visible to the specified user.

@ -1,6 +1,7 @@
use serde_json::Value; use serde_json::Value;
use super::{CollectionGroup, User, UserOrgStatus, UserOrgType, UserOrganization}; use super::{CollectionGroup, User, UserOrgStatus, UserOrgType, UserOrganization};
use crate::CONFIG;
db_object! { db_object! {
#[derive(Identifiable, Queryable, Insertable, AsChangeset)] #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
@ -181,47 +182,74 @@ impl Collection {
} }
pub async fn find_by_user_uuid(user_uuid: String, conn: &mut DbConn) -> Vec<Self> { pub async fn find_by_user_uuid(user_uuid: String, conn: &mut DbConn) -> Vec<Self> {
db_run! { conn: { if CONFIG.org_groups_enabled() {
collections::table db_run! { conn: {
.left_join(users_collections::table.on( collections::table
users_collections::collection_uuid.eq(collections::uuid).and( .left_join(users_collections::table.on(
users_collections::user_uuid.eq(user_uuid.clone()) users_collections::collection_uuid.eq(collections::uuid).and(
users_collections::user_uuid.eq(user_uuid.clone())
)
))
.left_join(users_organizations::table.on(
collections::org_uuid.eq(users_organizations::org_uuid).and(
users_organizations::user_uuid.eq(user_uuid.clone())
)
))
.left_join(groups_users::table.on(
groups_users::users_organizations_uuid.eq(users_organizations::uuid)
))
.left_join(groups::table.on(
groups::uuid.eq(groups_users::groups_uuid)
))
.left_join(collections_groups::table.on(
collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
collections_groups::collections_uuid.eq(collections::uuid)
)
))
.filter(
users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
) )
)) .filter(
.left_join(users_organizations::table.on( users_collections::user_uuid.eq(user_uuid).or( // Directly accessed collection
collections::org_uuid.eq(users_organizations::org_uuid).and( users_organizations::access_all.eq(true) // access_all in Organization
users_organizations::user_uuid.eq(user_uuid.clone()) ).or(
groups::access_all.eq(true) // access_all in groups
).or( // access via groups
groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
collections_groups::collections_uuid.is_not_null()
)
)
) )
)) .select(collections::all_columns)
.left_join(groups_users::table.on( .distinct()
groups_users::users_organizations_uuid.eq(users_organizations::uuid) .load::<CollectionDb>(conn).expect("Error loading collections").from_db()
)) }}
.left_join(groups::table.on( } else {
groups::uuid.eq(groups_users::groups_uuid) db_run! { conn: {
)) collections::table
.left_join(collections_groups::table.on( .left_join(users_collections::table.on(
collections_groups::groups_uuid.eq(groups_users::groups_uuid).and( users_collections::collection_uuid.eq(collections::uuid).and(
collections_groups::collections_uuid.eq(collections::uuid) users_collections::user_uuid.eq(user_uuid.clone())
)
))
.left_join(users_organizations::table.on(
collections::org_uuid.eq(users_organizations::org_uuid).and(
users_organizations::user_uuid.eq(user_uuid.clone())
)
))
.filter(
users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
) )
)) .filter(
.filter( users_collections::user_uuid.eq(user_uuid).or( // Directly accessed collection
users_organizations::status.eq(UserOrgStatus::Confirmed as i32) users_organizations::access_all.eq(true) // access_all in Organization
)
.filter(
users_collections::user_uuid.eq(user_uuid).or( // Directly accessed collection
users_organizations::access_all.eq(true) // access_all in Organization
).or(
groups::access_all.eq(true) // access_all in groups
).or( // access via groups
groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
collections_groups::collections_uuid.is_not_null()
) )
) )
) .select(collections::all_columns)
.select(collections::all_columns) .distinct()
.distinct() .load::<CollectionDb>(conn).expect("Error loading collections").from_db()
.load::<CollectionDb>(conn).expect("Error loading collections").from_db() }}
}} }
} }
// Check if a user has access to a specific collection // Check if a user has access to a specific collection
@ -277,45 +305,70 @@ impl Collection {
} }
pub async fn find_by_uuid_and_user(uuid: &str, user_uuid: String, conn: &mut DbConn) -> Option<Self> { pub async fn find_by_uuid_and_user(uuid: &str, user_uuid: String, conn: &mut DbConn) -> Option<Self> {
db_run! { conn: { if CONFIG.org_groups_enabled() {
collections::table db_run! { conn: {
.left_join(users_collections::table.on( collections::table
users_collections::collection_uuid.eq(collections::uuid).and( .left_join(users_collections::table.on(
users_collections::user_uuid.eq(user_uuid.clone()) users_collections::collection_uuid.eq(collections::uuid).and(
) users_collections::user_uuid.eq(user_uuid.clone())
))
.left_join(users_organizations::table.on(
collections::org_uuid.eq(users_organizations::org_uuid).and(
users_organizations::user_uuid.eq(user_uuid)
)
))
.left_join(groups_users::table.on(
groups_users::users_organizations_uuid.eq(users_organizations::uuid)
))
.left_join(groups::table.on(
groups::uuid.eq(groups_users::groups_uuid)
))
.left_join(collections_groups::table.on(
collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
collections_groups::collections_uuid.eq(collections::uuid)
)
))
.filter(collections::uuid.eq(uuid))
.filter(
users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection
users_organizations::access_all.eq(true).or( // access_all in Organization
users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner
)).or(
groups::access_all.eq(true) // access_all in groups
).or( // access via groups
groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
collections_groups::collections_uuid.is_not_null()
) )
) ))
).select(collections::all_columns) .left_join(users_organizations::table.on(
.first::<CollectionDb>(conn).ok() collections::org_uuid.eq(users_organizations::org_uuid).and(
.from_db() users_organizations::user_uuid.eq(user_uuid)
}} )
))
.left_join(groups_users::table.on(
groups_users::users_organizations_uuid.eq(users_organizations::uuid)
))
.left_join(groups::table.on(
groups::uuid.eq(groups_users::groups_uuid)
))
.left_join(collections_groups::table.on(
collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
collections_groups::collections_uuid.eq(collections::uuid)
)
))
.filter(collections::uuid.eq(uuid))
.filter(
users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection
users_organizations::access_all.eq(true).or( // access_all in Organization
users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner
)).or(
groups::access_all.eq(true) // access_all in groups
).or( // access via groups
groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
collections_groups::collections_uuid.is_not_null()
)
)
).select(collections::all_columns)
.first::<CollectionDb>(conn).ok()
.from_db()
}}
} else {
db_run! { conn: {
collections::table
.left_join(users_collections::table.on(
users_collections::collection_uuid.eq(collections::uuid).and(
users_collections::user_uuid.eq(user_uuid.clone())
)
))
.left_join(users_organizations::table.on(
collections::org_uuid.eq(users_organizations::org_uuid).and(
users_organizations::user_uuid.eq(user_uuid)
)
))
.filter(collections::uuid.eq(uuid))
.filter(
users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection
users_organizations::access_all.eq(true).or( // access_all in Organization
users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner
))
).select(collections::all_columns)
.first::<CollectionDb>(conn).ok()
.from_db()
}}
}
} }
pub async fn is_writable_by_user(&self, user_uuid: &str, conn: &mut DbConn) -> bool { pub async fn is_writable_by_user(&self, user_uuid: &str, conn: &mut DbConn) -> bool {

Loading…
Cancel
Save