From 80f23e6d78d24c166ebf28a48a02815aac38b1e1 Mon Sep 17 00:00:00 2001 From: Jeremy Lin Date: Wed, 8 Sep 2021 23:26:15 -0700 Subject: [PATCH] Enforce Personal Ownership policy on imports Upstream PR: https://github.com/bitwarden/server/pull/1565 --- src/api/core/ciphers.rs | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/api/core/ciphers.rs b/src/api/core/ciphers.rs index e4e8491f..b5a9737a 100644 --- a/src/api/core/ciphers.rs +++ b/src/api/core/ciphers.rs @@ -248,7 +248,7 @@ fn post_ciphers_create(data: JsonUpcase, headers: Headers, conn // This check is usually only needed in update_cipher_from_data(), but we // need it here as well to avoid creating an empty cipher in the call to // cipher.save() below. - enforce_personal_ownership_policy(&data.Cipher, &headers, &conn)?; + enforce_personal_ownership_policy(Some(&data.Cipher), &headers, &conn)?; let mut cipher = Cipher::new(data.Cipher.Type, data.Cipher.Name.clone()); cipher.user_uuid = Some(headers.user.uuid.clone()); @@ -289,8 +289,8 @@ fn post_ciphers(data: JsonUpcase, headers: Headers, conn: DbConn, nt /// allowed to delete or share such ciphers to an org, however. /// /// Ref: https://bitwarden.com/help/article/policies/#personal-ownership -fn enforce_personal_ownership_policy(data: &CipherData, headers: &Headers, conn: &DbConn) -> EmptyResult { - if data.OrganizationId.is_none() { +fn enforce_personal_ownership_policy(data: Option<&CipherData>, headers: &Headers, conn: &DbConn) -> EmptyResult { + if data.is_none() || data.unwrap().OrganizationId.is_none() { let user_uuid = &headers.user.uuid; let policy_type = OrgPolicyType::PersonalOwnership; if OrgPolicy::is_applicable_to_user(user_uuid, policy_type, conn) { @@ -309,7 +309,7 @@ pub fn update_cipher_from_data( nt: &Notify, ut: UpdateType, ) -> EmptyResult { - enforce_personal_ownership_policy(&data, headers, conn)?; + enforce_personal_ownership_policy(Some(&data), headers, conn)?; // Check that the client isn't updating an existing cipher with stale data. if let Some(dt) = data.LastKnownRevisionDate { @@ -458,6 +458,8 @@ struct RelationsData { #[post("/ciphers/import", data = "")] fn post_ciphers_import(data: JsonUpcase, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult { + enforce_personal_ownership_policy(None, &headers, &conn)?; + let data: ImportData = data.into_inner().data; // Read and create the folders