Add access checks to fetching project

3 years ago · 48d882d1e0
3 changed files with 45 additions and 3 deletions
--- a/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/Repositories/ProjectRepository.cs
+++ b/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/Repositories/ProjectRepository.cs
@ -86,6 +86,28 @@ public class ProjectRepository : Repository<Core.Entities.Project, Project, Guid
				@@ -86,6 +86,28 @@ public class ProjectRepository : Repository<Core.Entities.Project, Project, Guid
        }
    }

+    public async Task<bool> UserHasReadAccessToProject(Guid id, Guid userId)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var query = dbContext.Project
+            .Where(p => p.Id == id)
+            .Where(UserHasReadAccessToProject(userId));
+
+        return await query.AnyAsync();
+    }
+
+    public async Task<bool> ServiceAccountHasReadAccessToProject(Guid id, Guid serviceAccountId)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var query = dbContext.Project
+            .Where(p => p.Id == id)
+            .Where(ServiceAccountHasReadAccessToProject(serviceAccountId));
+
+        return await query.AnyAsync();
+    }
+
    public async Task<bool> UserHasWriteAccessToProject(Guid id, Guid userId)
    {
        using var scope = ServiceScopeFactory.CreateScope();
@ -97,7 +119,7 @@ public class ProjectRepository : Repository<Core.Entities.Project, Project, Guid
				@@ -97,7 +119,7 @@ public class ProjectRepository : Repository<Core.Entities.Project, Project, Guid
        return await query.AnyAsync();
    }

-    public async Task<bool> ServiceAccountHasAccessToProject(Guid id, Guid serviceAccountId)
+    public async Task<bool> ServiceAccountHasWriteAccessToProject(Guid id, Guid serviceAccountId)
    {
        using var scope = ServiceScopeFactory.CreateScope();
        var dbContext = GetDatabaseContext(scope);
--- a/src/Api/Controllers/ProjectsController.cs
+++ b/src/Api/Controllers/ProjectsController.cs
@ -64,9 +64,9 @@ public class ProjectsController : Controller
				@@ -64,9 +64,9 @@ public class ProjectsController : Controller
        [FromRoute] Guid organizationId)
    {
        var userId = _userService.GetProperUserId(User).Value;
-
        var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
+
        var projects = await _projectRepository.GetManyByOrganizationIdAsync(organizationId, userId, accessClient);

        var responses = projects.Select(project => new ProjectResponseModel(project));
@ -81,6 +81,24 @@ public class ProjectsController : Controller
				@@ -81,6 +81,24 @@ public class ProjectsController : Controller
        {
            throw new NotFoundException();
        }
+
+        var userId = _userService.GetProperUserId(User).Value;
+        var orgAdmin = await _currentContext.OrganizationAdmin(project.OrganizationId);
+        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
+
+        var hasAccess = accessClient switch
+        {
+            AccessClientType.NoAccessCheck => true,
+            AccessClientType.User => await _projectRepository.UserHasReadAccessToProject(id, userId),
+            AccessClientType.ServiceAccount => await _projectRepository.ServiceAccountHasReadAccessToProject(id, userId),
+            _ => false,
+        };
+
+        if (!hasAccess)
+        {
+            throw new NotFoundException();
+        }
+
        return new ProjectResponseModel(project);
    }

--- a/src/Core/Repositories/IProjectRepository.cs
+++ b/src/Core/Repositories/IProjectRepository.cs
@ -11,6 +11,8 @@ public interface IProjectRepository
				@@ -11,6 +11,8 @@ public interface IProjectRepository
    Task<Project> CreateAsync(Project project);
    Task ReplaceAsync(Project project);
    Task DeleteManyByIdAsync(IEnumerable<Guid> ids);
+    Task<bool> UserHasReadAccessToProject(Guid id, Guid userId);
+    Task<bool> ServiceAccountHasReadAccessToProject(Guid id, Guid serviceAccountId);
    Task<bool> UserHasWriteAccessToProject(Guid id, Guid userId);
-    Task<bool> ServiceAccountHasAccessToProject(Guid id, Guid serviceAccountId);
+    Task<bool> ServiceAccountHasWriteAccessToProject(Guid id, Guid serviceAccountId);
 }