Fix dani-garcia#3624: fix manager permission within groups

matlink · Aug 4, 2023 · 462b067 · 462b067
1 parent 3dbfc48
commit 462b067
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 9 deletions.
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
@@ -325,20 +325,17 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose,
     let coll_users = CollectionUser::find_by_organization(org_id, &mut conn).await;
 
     for col in Collection::find_by_organization(org_id, &mut conn).await {
-        let groups: Vec<Value> = if CONFIG.org_groups_enabled() {
-            CollectionGroup::find_by_collection(&col.uuid, &mut conn)
-                .await
-                .iter()
-                .map(|collection_group| {
-                    SelectionReadOnly::to_collection_group_details_read_only(collection_group).to_json()
-                })
-                .collect()
+        let groups = if CONFIG.org_groups_enabled() {
+            CollectionGroup::find_by_collection(&col.uuid, &mut conn).await
         } else {
             // The Bitwarden clients seem to call this API regardless of whether groups are enabled,
             // so just act as if there are no groups.
             Vec::with_capacity(0)
         };
 
+        // uuids of users belonging to a group of this collection
+        let group_users = GroupUser::get_collection_group_users_uuid(&col.uuid, &mut conn).await;
+
         let mut assigned = false;
         let users: Vec<Value> = coll_users
             .iter()
@@ -353,14 +350,24 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose,
             })
             .collect();
 
+        // if current user is in any collection-assigned group
+        if group_users.contains(&user_org.uuid) {
+            assigned = true;
+        }
+
         if user_org.access_all {
             assigned = true;
         }
 
         let mut json_object = col.to_json();
         json_object["Assigned"] = json!(assigned);
         json_object["Users"] = json!(users);
-        json_object["Groups"] = json!(groups);
+        json_object["Groups"] = json!(groups
+            .iter()
+            .map(|collection_group| {
+                SelectionReadOnly::to_collection_group_details_read_only(collection_group).to_json()
+            })
+            .collect::<Vec<Value>>());
         json_object["Object"] = json!("collectionAccessDetails");
         data.push(json_object)
     }

diff --git a/src/db/models/group.rs b/src/db/models/group.rs
@@ -1,3 +1,5 @@
+use std::collections::HashSet;
+
 use chrono::{NaiveDateTime, Utc};
 use serde_json::Value;
 
@@ -486,6 +488,29 @@ impl GroupUser {
         }}
     }
 
+    pub async fn find_by_collection(collection_uuid: &str, conn: &mut DbConn) -> Vec<Self> {
+        db_run! { conn: {
+            groups_users::table
+                .inner_join(collections_groups::table.on(
+                    collections_groups::groups_uuid.eq(groups_users::groups_uuid)
+                ))
+                .filter(collections_groups::collections_uuid.eq(collection_uuid))
+                .select(groups_users::all_columns)
+                .load::<GroupUserDb>(conn)
+                .expect("Error loading group users for collection")
+                .from_db()
+        }}
+    }
+
+    /// returns uuid of members of collection groups
+    pub async fn get_collection_group_users_uuid(collection_uuid: &str, conn: &mut DbConn) -> HashSet<String> {
+        GroupUser::find_by_collection(collection_uuid, conn)
+            .await
+            .iter()
+            .map(|u| u.users_organizations_uuid.clone())
+            .collect()
+    }
+
     pub async fn update_user_revision(&self, conn: &mut DbConn) {
         match UserOrganization::find_by_uuid(&self.users_organizations_uuid, conn).await {
             Some(user) => User::update_uuid_revision(&user.user_uuid, conn).await,