Add project access checks for listing

3 years ago · 82f568d91c
3 changed files with 29 additions and 4 deletions
--- a/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/Repositories/ProjectRepository.cs
+++ b/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/Repositories/ProjectRepository.cs
@ -26,14 +26,24 @@ public class ProjectRepository : Repository<Core.Entities.Project, Project, Guid
				@@ -26,14 +26,24 @@ public class ProjectRepository : Repository<Core.Entities.Project, Project, Guid
        }
    }

+    public async Task<IEnumerable<Core.Entities.Project>> GetAllByOrganizationIdAsync(Guid organizationId)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var project = await dbContext.Project
+            .Where(p => p.OrganizationId == organizationId && p.DeletedDate == null)
+            .OrderBy(p => p.RevisionDate)
+            .ToListAsync();
+        return Mapper.Map<List<Core.Entities.Project>>(project);
+    }
+
    public async Task<IEnumerable<Core.Entities.Project>> GetManyByOrganizationIdAsync(Guid organizationId, Guid userId)
    {
        using var scope = ServiceScopeFactory.CreateScope();
        var dbContext = GetDatabaseContext(scope);
        var project = await dbContext.Project
            .Where(p => p.OrganizationId == organizationId && p.DeletedDate == null)
-            // TODO: Enable this + Handle Admins
-            //.Where(UserHasAccessToProject(userId))
+            .Where(UserHasAccessToProject(userId))
            .OrderBy(p => p.RevisionDate)
            .ToListAsync();
        return Mapper.Map<List<Core.Entities.Project>>(project);
--- a/src/Api/Controllers/ProjectsController.cs
+++ b/src/Api/Controllers/ProjectsController.cs
@ -2,6 +2,8 @@
				@@ -2,6 +2,8 @@
 using Bit.Api.SecretManagerFeatures.Models.Request;
 using Bit.Api.SecretManagerFeatures.Models.Response;
 using Bit.Api.Utilities;
+using Bit.Core.Context;
+using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.SecretManagerFeatures.Projects.Interfaces;
@ -18,19 +20,22 @@ public class ProjectsController : Controller
				@@ -18,19 +20,22 @@ public class ProjectsController : Controller
    private readonly ICreateProjectCommand _createProjectCommand;
    private readonly IUpdateProjectCommand _updateProjectCommand;
    private readonly IDeleteProjectCommand _deleteProjectCommand;
+    private readonly ICurrentContext _currentContext;

    public ProjectsController(
        IUserService userService,
        IProjectRepository projectRepository,
        ICreateProjectCommand createProjectCommand,
        IUpdateProjectCommand updateProjectCommand,
-        IDeleteProjectCommand deleteProjectCommand)
+        IDeleteProjectCommand deleteProjectCommand,
+        ICurrentContext currentContext)
    {
        _userService = userService;
        _projectRepository = projectRepository;
        _createProjectCommand = createProjectCommand;
        _updateProjectCommand = updateProjectCommand;
        _deleteProjectCommand = deleteProjectCommand;
+        _currentContext = currentContext;
    }

    [HttpPost("organizations/{organizationId}/projects")]
@ -51,7 +56,16 @@ public class ProjectsController : Controller
				@@ -51,7 +56,16 @@ public class ProjectsController : Controller
    public async Task<ListResponseModel<ProjectResponseModel>> GetProjectsByOrganizationAsync([FromRoute] Guid organizationId)
    {
        var userId = _userService.GetProperUserId(User).Value;
-        var projects = await _projectRepository.GetManyByOrganizationIdAsync(organizationId, userId);
+        IEnumerable<Project> projects;
+        if (await _currentContext.OrganizationAdmin(organizationId))
+        {
+            // Fetch all projects without access checks since admins have access to all
+            projects = await _projectRepository.GetAllByOrganizationIdAsync(organizationId);
+        }
+        else
+        {
+            projects = await _projectRepository.GetManyByOrganizationIdAsync(organizationId, userId);
+        }
        var responses = projects.Select(project => new ProjectResponseModel(project));
        return new ListResponseModel<ProjectResponseModel>(responses);
    }
--- a/src/Core/Repositories/IProjectRepository.cs
+++ b/src/Core/Repositories/IProjectRepository.cs
@ -4,6 +4,7 @@ namespace Bit.Core.Repositories;
				@@ -4,6 +4,7 @@ namespace Bit.Core.Repositories;

 public interface IProjectRepository
 {
+    Task<IEnumerable<Project>> GetAllByOrganizationIdAsync(Guid organizationId);
    Task<IEnumerable<Project>> GetManyByOrganizationIdAsync(Guid organizationId, Guid userId);
    Task<IEnumerable<Project>> GetManyByIds(IEnumerable<Guid> ids);
    Task<Project> GetByIdAsync(Guid id);