mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-04-10 03:41:30 -06:00
Fix org-details issue (#6811)
Some checks failed
Build / Build and Test ${{ matrix.channel }} (msrv) (push) Has been cancelled
Build / Build and Test ${{ matrix.channel }} (rust-toolchain) (push) Has been cancelled
Check templates / Validate docker templates (push) Has been cancelled
Hadolint / Validate Dockerfile syntax (push) Has been cancelled
Release / Build Vaultwarden containers (amd64, alpine) (push) Has been cancelled
Release / Build Vaultwarden containers (amd64, debian) (push) Has been cancelled
Release / Build Vaultwarden containers (arm/v6, alpine) (push) Has been cancelled
Release / Build Vaultwarden containers (arm/v6, debian) (push) Has been cancelled
Release / Build Vaultwarden containers (arm/v7, alpine) (push) Has been cancelled
Release / Build Vaultwarden containers (arm/v7, debian) (push) Has been cancelled
Release / Build Vaultwarden containers (arm64, alpine) (push) Has been cancelled
Release / Build Vaultwarden containers (arm64, debian) (push) Has been cancelled
Trivy / Trivy Scan (push) Has been cancelled
Code Spell Checking / Run typos spell checking (push) Has been cancelled
Security Analysis with zizmor / Run zizmor (push) Has been cancelled
Release / Merge manifests (alpine) (push) Has been cancelled
Release / Merge manifests (debian) (push) Has been cancelled
Some checks failed
Build / Build and Test ${{ matrix.channel }} (msrv) (push) Has been cancelled
Build / Build and Test ${{ matrix.channel }} (rust-toolchain) (push) Has been cancelled
Check templates / Validate docker templates (push) Has been cancelled
Hadolint / Validate Dockerfile syntax (push) Has been cancelled
Release / Build Vaultwarden containers (amd64, alpine) (push) Has been cancelled
Release / Build Vaultwarden containers (amd64, debian) (push) Has been cancelled
Release / Build Vaultwarden containers (arm/v6, alpine) (push) Has been cancelled
Release / Build Vaultwarden containers (arm/v6, debian) (push) Has been cancelled
Release / Build Vaultwarden containers (arm/v7, alpine) (push) Has been cancelled
Release / Build Vaultwarden containers (arm/v7, debian) (push) Has been cancelled
Release / Build Vaultwarden containers (arm64, alpine) (push) Has been cancelled
Release / Build Vaultwarden containers (arm64, debian) (push) Has been cancelled
Trivy / Trivy Scan (push) Has been cancelled
Code Spell Checking / Run typos spell checking (push) Has been cancelled
Security Analysis with zizmor / Run zizmor (push) Has been cancelled
Release / Merge manifests (alpine) (push) Has been cancelled
Release / Merge manifests (debian) (push) Has been cancelled
Fix an issue where it was possible for users who were not eligible to access all org ciphers to be able to download and extract the encrypted contents. Only Managers with full access and Admins and Owners should be able to access this endpoint. This change will block and prevent access for other users. Signed-off-by: BlackDex <black.dex@gmail.com>
This commit is contained in:
Mathijs van Veluw
GitHub
parent
3cd2d4afe7
commit
36f0620fd1
@ -929,11 +929,15 @@ struct OrgIdData {
|
||||
}
|
||||
|
||||
#[get("/ciphers/organization-details?<data..>")]
|
||||
async fn get_org_details(data: OrgIdData, headers: OrgMemberHeaders, conn: DbConn) -> JsonResult {
|
||||
async fn get_org_details(data: OrgIdData, headers: ManagerHeadersLoose, conn: DbConn) -> JsonResult {
|
||||
if data.organization_id != headers.membership.org_uuid {
|
||||
err_code!("Resource not found.", "Organization id's do not match", rocket::http::Status::NotFound.code);
|
||||
}
|
||||
|
||||
if !headers.membership.has_full_access() {
|
||||
err_code!("Resource not found.", "User does not have full access", rocket::http::Status::NotFound.code);
|
||||
}
|
||||
|
||||
Ok(Json(json!({
|
||||
"data": _get_org_details(&data.organization_id, &headers.host, &headers.user.uuid, &conn).await?,
|
||||
"object": "list",
|
||||
|
||||
Loading…
Reference in New Issue
Block a user