permissions validation

9 years ago · 382be7a90b
5 changed files with 22 additions and 16 deletions
--- a/src/Api/Controllers/CiphersController.cs
+++ b/src/Api/Controllers/CiphersController.cs
@ -134,7 +134,7 @@ namespace Bit.Api.Controllers
				@@ -134,7 +134,7 @@ namespace Bit.Api.Controllers
        {
            var userId = _userService.GetProperUserId(User).Value;
            var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
-            if(cipher == null || cipher.OrganizationId.HasValue || cipher.UserId != userId)
+            if(cipher == null || cipher.UserId != userId)
            {
                throw new NotFoundException();
            }
--- a/src/Core/Models/Api/Request/CipherRequestModel.cs
+++ b/src/Core/Models/Api/Request/CipherRequestModel.cs
@ -5,6 +5,7 @@ using Bit.Core.Models.Table;
				@@ -5,6 +5,7 @@ using Bit.Core.Models.Table;
 using Bit.Core.Enums;
 using Newtonsoft.Json;
 using System.Collections.Generic;
+using System.Linq;

 namespace Bit.Core.Models.Api
 {
@ -48,12 +49,11 @@ namespace Bit.Core.Models.Api
				@@ -48,12 +49,11 @@ namespace Bit.Core.Models.Api

        public Cipher ToCipher(Cipher existingCipher)
        {
-            existingCipher.OrganizationId = string.IsNullOrWhiteSpace(OrganizationId) ? null : (Guid?)new Guid(OrganizationId);
-
            switch(existingCipher.Type)
            {
                case CipherType.Login:
-                    existingCipher.Data = JsonConvert.SerializeObject(new LoginDataModel(this), new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore });
+                    existingCipher.Data = JsonConvert.SerializeObject(new LoginDataModel(this),
+                        new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore });
                    break;
                default:
                    throw new ArgumentException("Unsupported " + nameof(Type) + ".");
@ -63,10 +63,20 @@ namespace Bit.Core.Models.Api
				@@ -63,10 +63,20 @@ namespace Bit.Core.Models.Api
        }
    }

-    public class CipherMoveRequestModel
+    public class CipherMoveRequestModel : IValidatableObject
    {
+        [Required]
        public IEnumerable<string> SubvaultIds { get; set; }
        [Required]
        public CipherRequestModel Cipher { get; set; }
+
+        public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+        {
+            if(!SubvaultIds?.Any() ?? false)
+            {
+                yield return new ValidationResult("You must select at least one subvault.",
+                    new string[] { nameof(SubvaultIds) });
+            }
+        }
    }
 }
--- a/src/Core/Services/Implementations/CipherService.cs
+++ b/src/Core/Services/Implementations/CipherService.cs
@ -119,9 +119,9 @@ namespace Bit.Core.Services
				@@ -119,9 +119,9 @@ namespace Bit.Core.Services
                throw new BadRequestException(nameof(cipher.Id));
            }

-            if(organizationId == default(Guid))
+            if(cipher.OrganizationId.HasValue)
            {
-                throw new BadRequestException(nameof(organizationId));
+                throw new BadRequestException("Already belongs to an organization.");
            }

            if(!cipher.UserId.HasValue || cipher.UserId.Value != movingUserId)
@ -134,8 +134,8 @@ namespace Bit.Core.Services
				@@ -134,8 +134,8 @@ namespace Bit.Core.Services
            var subvaultUserDetails = await _subvaultUserRepository.GetPermissionsByUserIdAsync(movingUserId, subvaultIds,
                organizationId);

-            var adminSubvaults = subvaultUserDetails.Where(s => s.Admin).Select(s => s.SubvaultId);
-            if(!adminSubvaults.Any())
+            var writeableSubvaults = subvaultUserDetails.Where(s => !s.ReadOnly).Select(s => s.SubvaultId);
+            if(!writeableSubvaults.Any())
            {
                throw new BadRequestException("No subvaults.");
            }
@ -143,7 +143,7 @@ namespace Bit.Core.Services
				@@ -143,7 +143,7 @@ namespace Bit.Core.Services
            cipher.UserId = null;
            cipher.OrganizationId = organizationId;
            cipher.RevisionDate = DateTime.UtcNow;
-            await _cipherRepository.ReplaceAsync(cipher, adminSubvaults);
+            await _cipherRepository.ReplaceAsync(cipher, writeableSubvaults);

            // push
            //await _pushService.PushSyncCipherUpdateAsync(cipher);
--- a/src/Sql/dbo/Functions/UserCanEditCipher.sql
+++ b/src/Sql/dbo/Functions/UserCanEditCipher.sql
@ -5,11 +5,7 @@ BEGIN
				@@ -5,11 +5,7 @@ BEGIN

    ;WITH [CTE] AS(
        SELECT
-            CASE
-                WHEN OU.[Type] = 2 AND SU.[Admin] = 1 THEN 1 -- 2 = Regular User
-                WHEN SU.[ReadOnly] = 0 THEN 1
-                ELSE 0
-            END [CanEdit]
+            CASE WHEN SU.[ReadOnly] = 0 THEN 1 ELSE 0 END [CanEdit]
        FROM
            [dbo].[SubvaultUser] SU
        INNER JOIN
--- a/Procedures/SubvaultUser_ReadPermissionsBySubvaultUserId.sql
+++ b/Procedures/SubvaultUser_ReadPermissionsBySubvaultUserId.sql
@ -9,7 +9,7 @@ BEGIN
				@@ -9,7 +9,7 @@ BEGIN
    SELECT
        SU.[SubvaultId],
        CASE WHEN OU.[Type] = 2 THEN SU.[Admin] ELSE 1 END AS [Admin], -- 2 = Regular User
-        CASE WHEN OU.[Type] = 2 THEN SU.[ReadOnly] ELSE 0 END AS [ReadOnly] -- 2 = Regular User
+        SU.[ReadOnly]
    FROM
        [dbo].[SubvaultUser] SU
    INNER JOIN