Fix dani-garcia#3624: fix manager permission within groups

matlink · Aug 4, 2023 · e59d646 · e59d646
1 parent 3dbfc48
commit e59d646
Showing 1 changed file with 19 additions and 9 deletions.
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
@@ -325,20 +325,20 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose,
     let coll_users = CollectionUser::find_by_organization(org_id, &mut conn).await;
 
     for col in Collection::find_by_organization(org_id, &mut conn).await {
-        let groups: Vec<Value> = if CONFIG.org_groups_enabled() {
-            CollectionGroup::find_by_collection(&col.uuid, &mut conn)
-                .await
-                .iter()
-                .map(|collection_group| {
-                    SelectionReadOnly::to_collection_group_details_read_only(collection_group).to_json()
-                })
-                .collect()
+        let groups = if CONFIG.org_groups_enabled() {
+            CollectionGroup::find_by_collection(&col.uuid, &mut conn).await
         } else {
             // The Bitwarden clients seem to call this API regardless of whether groups are enabled,
             // so just act as if there are no groups.
             Vec::with_capacity(0)
         };
 
+        // groups memberships for this collection
+        let mut group_users: Vec<GroupUser> = vec![];
+        for g in groups.iter() {
+            group_users.extend(GroupUser::find_by_group(&g.groups_uuid, &mut conn).await);
+        }
+
         let mut assigned = false;
         let users: Vec<Value> = coll_users
             .iter()
@@ -353,14 +353,24 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose,
             })
             .collect();
 
+        // if user is in any collection-assigned group
+        if group_users.iter().any(|g| g.users_organizations_uuid == user_org.uuid) {
+            assigned = true;
+        }
+
         if user_org.access_all {
             assigned = true;
         }
 
         let mut json_object = col.to_json();
         json_object["Assigned"] = json!(assigned);
         json_object["Users"] = json!(users);
-        json_object["Groups"] = json!(groups);
+        json_object["Groups"] = json!(groups
+            .iter()
+            .map(|collection_group| {
+                SelectionReadOnly::to_collection_group_details_read_only(collection_group).to_json()
+            })
+            .collect::<Vec<Value>>());
         json_object["Object"] = json!("collectionAccessDetails");
         data.push(json_object)
     }