From 462b0677f7b9fa817c40744a8449398eb202cda0 Mon Sep 17 00:00:00 2001 From: Matlink Date: Fri, 4 Aug 2023 21:27:30 +0200 Subject: [PATCH] Fix #3624: fix manager permission within groups --- src/api/core/organizations.rs | 25 ++++++++++++++++--------- src/db/models/group.rs | 25 +++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 9 deletions(-) diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index 0bcf262ff7d..d87e7d62857 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -325,20 +325,17 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose, let coll_users = CollectionUser::find_by_organization(org_id, &mut conn).await; for col in Collection::find_by_organization(org_id, &mut conn).await { - let groups: Vec = if CONFIG.org_groups_enabled() { - CollectionGroup::find_by_collection(&col.uuid, &mut conn) - .await - .iter() - .map(|collection_group| { - SelectionReadOnly::to_collection_group_details_read_only(collection_group).to_json() - }) - .collect() + let groups = if CONFIG.org_groups_enabled() { + CollectionGroup::find_by_collection(&col.uuid, &mut conn).await } else { // The Bitwarden clients seem to call this API regardless of whether groups are enabled, // so just act as if there are no groups. Vec::with_capacity(0) }; + // uuids of users belonging to a group of this collection + let group_users = GroupUser::get_collection_group_users_uuid(&col.uuid, &mut conn).await; + let mut assigned = false; let users: Vec = coll_users .iter() @@ -353,6 +350,11 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose, }) .collect(); + // if current user is in any collection-assigned group + if group_users.contains(&user_org.uuid) { + assigned = true; + } + if user_org.access_all { assigned = true; } @@ -360,7 +362,12 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose, let mut json_object = col.to_json(); json_object["Assigned"] = json!(assigned); json_object["Users"] = json!(users); - json_object["Groups"] = json!(groups); + json_object["Groups"] = json!(groups + .iter() + .map(|collection_group| { + SelectionReadOnly::to_collection_group_details_read_only(collection_group).to_json() + }) + .collect::>()); json_object["Object"] = json!("collectionAccessDetails"); data.push(json_object) } diff --git a/src/db/models/group.rs b/src/db/models/group.rs index 670e3114542..43393ddd30f 100644 --- a/src/db/models/group.rs +++ b/src/db/models/group.rs @@ -1,3 +1,5 @@ +use std::collections::HashSet; + use chrono::{NaiveDateTime, Utc}; use serde_json::Value; @@ -486,6 +488,29 @@ impl GroupUser { }} } + pub async fn find_by_collection(collection_uuid: &str, conn: &mut DbConn) -> Vec { + db_run! { conn: { + groups_users::table + .inner_join(collections_groups::table.on( + collections_groups::groups_uuid.eq(groups_users::groups_uuid) + )) + .filter(collections_groups::collections_uuid.eq(collection_uuid)) + .select(groups_users::all_columns) + .load::(conn) + .expect("Error loading group users for collection") + .from_db() + }} + } + + /// returns uuid of members of collection groups + pub async fn get_collection_group_users_uuid(collection_uuid: &str, conn: &mut DbConn) -> HashSet { + GroupUser::find_by_collection(collection_uuid, conn) + .await + .iter() + .map(|u| u.users_organizations_uuid.clone()) + .collect() + } + pub async fn update_user_revision(&self, conn: &mut DbConn) { match UserOrganization::find_by_uuid(&self.users_organizations_uuid, conn).await { Some(user) => User::update_uuid_revision(&user.user_uuid, conn).await,