mirrored/vaultwarden
1
0
Fork 1
Spiegel von https://github.com/dani-garcia/vaultwarden.git synchronisiert 2024-06-30 19:24:42 +02:00
Code Issues Releases Aktivität

Enabled unused variable warning again, fixed some possible bugs where we didn't check some parameters, and explicitly marked all unused parameters (mostly orgheaders)

Quellcode durchsuchen
Dieser Commit ist enthalten in:
Daniel García 2018-05-30 22:30:45 +02:00
Ursprung cbe73a31ea
Commit 1a4b1a8254
6 geänderte Dateien mit 41 neuen und 20 gelöschten Zeilen
Statistiken anzeigen Patch-Datei herunterladen Diff-Datei herunterladen Alle Dateien ausklappen Alle Dateien einklappen

2
src/api/core/accounts.rs
Datei anzeigen

@ -65,7 +65,7 @@ fn profile(headers: Headers, conn: DbConn) -> JsonResult {
} }
#[get("/users/<uuid>/public-key")] #[get("/users/<uuid>/public-key")]
fn get_public_keys(uuid: String, headers: Headers, conn: DbConn) -> JsonResult { fn get_public_keys(uuid: String, _headers: Headers, conn: DbConn) -> JsonResult {
let user = match User::find_by_uuid(&uuid, &conn) { let user = match User::find_by_uuid(&uuid, &conn) {
Some(user) => user, Some(user) => user,
None => err!("User doesn't exist") None => err!("User doesn't exist")

6
src/api/core/mod.rs
Datei anzeigen

@ -104,12 +104,14 @@ use api::{JsonResult, EmptyResult};
use auth::Headers; use auth::Headers;
#[put("/devices/identifier/<uuid>/clear-token")] #[put("/devices/identifier/<uuid>/clear-token")]
fn clear_device_token(uuid: String, conn: DbConn) -> JsonResult { fn clear_device_token(uuid: String, _conn: DbConn) -> JsonResult {
println!("{}", uuid);
err!("Not implemented") err!("Not implemented")
} }
#[put("/devices/identifier/<uuid>/token")] #[put("/devices/identifier/<uuid>/token")]
fn put_device_token(uuid: String, conn: DbConn) -> JsonResult { fn put_device_token(uuid: String, _conn: DbConn) -> JsonResult {
println!("{}", uuid);
err!("Not implemented") err!("Not implemented")
} }

47
src/api/core/organizations.rs
Datei anzeigen

@ -16,7 +16,8 @@ struct OrgData {
collectionName: String, collectionName: String,
key: String, key: String,
name: String, name: String,
planType: String, #[serde(rename = "planType")]
_planType: String, // Ignored, always use the same plan
} }
#[derive(Deserialize, Debug)] #[derive(Deserialize, Debug)]
@ -73,7 +74,7 @@ fn delete_organization(org_id: String, data: Json<PasswordData>, headers: OwnerH
} }
#[get("/organizations/<org_id>")] #[get("/organizations/<org_id>")]
fn get_organization(org_id: String, headers: OwnerHeaders, conn: DbConn) -> JsonResult { fn get_organization(org_id: String, _headers: OwnerHeaders, conn: DbConn) -> JsonResult {
match Organization::find_by_uuid(&org_id, &conn) { match Organization::find_by_uuid(&org_id, &conn) {
Some(organization) => Ok(Json(organization.to_json())), Some(organization) => Ok(Json(organization.to_json())),
None => err!("Can't find organization details") None => err!("Can't find organization details")
@ -81,7 +82,7 @@ fn get_organization(org_id: String, headers: OwnerHeaders, conn: DbConn) -> Json
} }
#[post("/organizations/<org_id>", data = "<data>")] #[post("/organizations/<org_id>", data = "<data>")]
fn post_organization(org_id: String, headers: OwnerHeaders, data: Json<OrganizationUpdateData>, conn: DbConn) -> JsonResult { fn post_organization(org_id: String, _headers: OwnerHeaders, data: Json<OrganizationUpdateData>, conn: DbConn) -> JsonResult {
let data: OrganizationUpdateData = data.into_inner(); let data: OrganizationUpdateData = data.into_inner();
let mut org = match Organization::find_by_uuid(&org_id, &conn) { let mut org = match Organization::find_by_uuid(&org_id, &conn) {
@ -112,7 +113,7 @@ fn get_user_collections(headers: Headers, conn: DbConn) -> JsonResult {
} }
#[get("/organizations/<org_id>/collections")] #[get("/organizations/<org_id>/collections")]
fn get_org_collections(org_id: String, headers: AdminHeaders, conn: DbConn) -> JsonResult { fn get_org_collections(org_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
Ok(Json(json!({ Ok(Json(json!({
"Data": "Data":
Collection::find_by_organization(&org_id, &conn) Collection::find_by_organization(&org_id, &conn)
@ -125,7 +126,7 @@ fn get_org_collections(org_id: String, headers: AdminHeaders, conn: DbConn) -> J
} }
#[post("/organizations/<org_id>/collections", data = "<data>")] #[post("/organizations/<org_id>/collections", data = "<data>")]
fn post_organization_collections(org_id: String, headers: AdminHeaders, data: Json<NewCollectionData>, conn: DbConn) -> JsonResult { fn post_organization_collections(org_id: String, _headers: AdminHeaders, data: Json<NewCollectionData>, conn: DbConn) -> JsonResult {
let data: NewCollectionData = data.into_inner(); let data: NewCollectionData = data.into_inner();
let org = match Organization::find_by_uuid(&org_id, &conn) { let org = match Organization::find_by_uuid(&org_id, &conn) {
@ -141,7 +142,7 @@ fn post_organization_collections(org_id: String, headers: AdminHeaders, data: Js
} }
#[post("/organizations/<org_id>/collections/<col_id>", data = "<data>")] #[post("/organizations/<org_id>/collections/<col_id>", data = "<data>")]
fn post_organization_collection_update(org_id: String, col_id: String, headers: AdminHeaders, data: Json<NewCollectionData>, conn: DbConn) -> JsonResult { fn post_organization_collection_update(org_id: String, col_id: String, _headers: AdminHeaders, data: Json<NewCollectionData>, conn: DbConn) -> JsonResult {
let data: NewCollectionData = data.into_inner(); let data: NewCollectionData = data.into_inner();
let org = match Organization::find_by_uuid(&org_id, &conn) { let org = match Organization::find_by_uuid(&org_id, &conn) {
@ -154,6 +155,10 @@ fn post_organization_collection_update(org_id: String, col_id: String, headers:
None => err!("Collection not found") None => err!("Collection not found")
}; };
if collection.org_uuid != org.uuid {
err!("Collection is not owned by organization");
}
collection.name = data.name.clone(); collection.name = data.name.clone();
collection.save(&conn); collection.save(&conn);
@ -161,7 +166,7 @@ fn post_organization_collection_update(org_id: String, col_id: String, headers:
} }
#[post("/organizations/<org_id>/collections/<col_id>/delete-user/<org_user_id>")] #[post("/organizations/<org_id>/collections/<col_id>/delete-user/<org_user_id>")]
fn post_organization_collection_delete_user(org_id: String, col_id: String, org_user_id: String, headers: AdminHeaders, conn: DbConn) -> EmptyResult { fn post_organization_collection_delete_user(org_id: String, col_id: String, org_user_id: String, _headers: AdminHeaders, conn: DbConn) -> EmptyResult {
let collection = match Collection::find_by_uuid(&col_id, &conn) { let collection = match Collection::find_by_uuid(&col_id, &conn) {
None => err!("Collection not found"), None => err!("Collection not found"),
Some(collection) => if collection.org_uuid == org_id { Some(collection) => if collection.org_uuid == org_id {
@ -195,7 +200,9 @@ struct DeleteCollectionData {
} }
#[post("/organizations/<org_id>/collections/<col_id>/delete", data = "<data>")] #[post("/organizations/<org_id>/collections/<col_id>/delete", data = "<data>")]
fn post_organization_collection_delete(org_id: String, col_id: String, headers: AdminHeaders, data: Json<DeleteCollectionData>, conn: DbConn) -> EmptyResult { fn post_organization_collection_delete(org_id: String, col_id: String, _headers: AdminHeaders, data: Json<DeleteCollectionData>, conn: DbConn) -> EmptyResult {
let _data: DeleteCollectionData = data.into_inner();
match Collection::find_by_uuid(&col_id, &conn) { match Collection::find_by_uuid(&col_id, &conn) {
None => err!("Collection not found"), None => err!("Collection not found"),
Some(collection) => if collection.org_uuid == org_id { Some(collection) => if collection.org_uuid == org_id {
@ -213,12 +220,18 @@ fn post_organization_collection_delete(org_id: String, col_id: String, headers:
fn get_org_collection_detail(org_id: String, coll_id: String, headers: AdminHeaders, conn: DbConn) -> JsonResult { fn get_org_collection_detail(org_id: String, coll_id: String, headers: AdminHeaders, conn: DbConn) -> JsonResult {
match Collection::find_by_uuid_and_user(&coll_id, &headers.user.uuid, &conn) { match Collection::find_by_uuid_and_user(&coll_id, &headers.user.uuid, &conn) {
None => err!("Collection not found"), None => err!("Collection not found"),
Some(collection) => Ok(Json(collection.to_json())) Some(collection) => {
if collection.org_uuid != org_id {
err!("Collection is not owned by organization")
}
Ok(Json(collection.to_json()))
}
} }
} }
#[get("/organizations/<org_id>/collections/<coll_id>/users")] #[get("/organizations/<org_id>/collections/<coll_id>/users")]
fn get_collection_users(org_id: String, coll_id: String, headers: AdminHeaders, conn: DbConn) -> JsonResult { fn get_collection_users(org_id: String, coll_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
// Get org and collection, check that collection is from org // Get org and collection, check that collection is from org
let collection = match Collection::find_by_uuid_and_org(&coll_id, &org_id, &conn) { let collection = match Collection::find_by_uuid_and_org(&coll_id, &org_id, &conn) {
None => err!("Collection not found in Organization"), None => err!("Collection not found in Organization"),
@ -344,9 +357,13 @@ fn send_invite(org_id: String, data: Json<InviteData>, headers: AdminHeaders, co
fn confirm_invite(org_id: String, user_id: String, data: Json<Value>, headers: AdminHeaders, conn: DbConn) -> EmptyResult { fn confirm_invite(org_id: String, user_id: String, data: Json<Value>, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
let mut user_to_confirm = match UserOrganization::find_by_uuid(&user_id, &conn) { let mut user_to_confirm = match UserOrganization::find_by_uuid(&user_id, &conn) {
Some(user) => user, Some(user) => user,
None => err!("User to confirm isn't member of the organization") None => err!("User to confirm doesn't exist")
}; };
if user_to_confirm.org_uuid != org_id {
err!("The specified user isn't a member of the organization")
}
if user_to_confirm.type_ != UserOrgType::User as i32 && if user_to_confirm.type_ != UserOrgType::User as i32 &&
headers.org_user_type != UserOrgType::Owner as i32 { headers.org_user_type != UserOrgType::Owner as i32 {
err!("Only Owners can confirm Admins or Owners") err!("Only Owners can confirm Admins or Owners")
@ -368,12 +385,16 @@ fn confirm_invite(org_id: String, user_id: String, data: Json<Value>, headers: A
} }
#[get("/organizations/<org_id>/users/<user_id>")] #[get("/organizations/<org_id>/users/<user_id>")]
fn get_user(org_id: String, user_id: String, headers: AdminHeaders, conn: DbConn) -> JsonResult { fn get_user(org_id: String, user_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
let user = match UserOrganization::find_by_uuid(&user_id, &conn) { let user = match UserOrganization::find_by_uuid(&user_id, &conn) {
Some(user) => user, Some(user) => user,
None => err!("The specified user isn't member of the organization") None => err!("The specified user doesn't exist")
}; };
if user.org_uuid != org_id {
err!("The specified user isn't a member of the organization")
}
Ok(Json(user.to_json_details(&conn))) Ok(Json(user.to_json_details(&conn)))
} }

2
src/api/core/two_factor.rs
Datei anzeigen

@ -157,7 +157,7 @@ fn activate_authenticator(data: Json<EnableTwoFactorData>, headers: Headers, con
struct DisableTwoFactorData { struct DisableTwoFactorData {
masterPasswordHash: String, masterPasswordHash: String,
#[serde(rename = "type")] #[serde(rename = "type")]
type_: NumberOrString, _type: NumberOrString,
} }
#[post("/two-factor/disable", data = "<data>")] #[post("/two-factor/disable", data = "<data>")]

2
src/db/models/organization.rs
Datei anzeigen

@ -26,7 +26,7 @@ pub struct UserOrganization {
} }
pub enum UserOrgStatus { pub enum UserOrgStatus {
Invited = 0, _Invited = 0, // Unused, users are accepted automatically
Accepted = 1, Accepted = 1,
Confirmed = 2, Confirmed = 2,
} }

2
src/main.rs
Datei anzeigen

@ -1,5 +1,3 @@
#![allow(unused_variables, dead_code)]
#![feature(plugin, custom_derive)] #![feature(plugin, custom_derive)]
#![plugin(rocket_codegen)] #![plugin(rocket_codegen)]
extern crate rocket; extern crate rocket;