add group support for Cipher::get_collections()

join group infos assigned to a collection to check whether user has been given access to all collections via any group or they have access to a specific collection via any group membership
2024-11-05 02:28:00 +01:00 · 2024-05-25 22:35:56 +02:00 · 2024-05-25 22:35:56 +02:00 · 49d07ed5aa
Commit 49d07ed5aa
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@ -747,9 +747,9 @@ async fn post_collections_admin(
        err!("Cipher is not write accessible")
    }

-    let posted_collections: HashSet<String> = data.collection_ids.iter().cloned().collect();
-    let current_collections: HashSet<String> =
-        cipher.get_collections(headers.user.uuid.clone(), &mut conn).await.iter().cloned().collect();
+    let posted_collections = HashSet::<String>::from_iter(data.collection_ids);
+    let current_collections =
+        HashSet::<String>::from_iter(cipher.get_collections(headers.user.uuid.clone(), &mut conn).await);

    for collection in posted_collections.symmetric_difference(&current_collections) {
        match Collection::find_by_uuid(collection, &mut conn).await {
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@ -773,31 +773,60 @@ impl Cipher {
    }

    pub async fn get_collections(&self, user_id: String, conn: &mut DbConn) -> Vec<String> {
+        if CONFIG.org_groups_enabled() {
+            db_run! {conn: {
+                ciphers_collections::table
+                    .inner_join(collections::table.on(
+                        collections::uuid.eq(ciphers_collections::collection_uuid)
+                    ))
+                    .left_join(users_organizations::table.on(
+                        users_organizations::org_uuid.eq(collections::org_uuid)
+                        .and(users_organizations::user_uuid.eq(user_id.clone()))
+                    ))
+                    .left_join(users_collections::table.on(
+                        users_collections::collection_uuid.eq(ciphers_collections::collection_uuid)
+                        .and(users_collections::user_uuid.eq(user_id.clone()))
+                    ))
+                    .left_join(groups_users::table.on(
+                        groups_users::users_organizations_uuid.eq(users_organizations::uuid)
+                    ))
+                    .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)))
+                    .left_join(collections_groups::table.on(
+                        collections_groups::collections_uuid.eq(ciphers_collections::collection_uuid)
+                        .and(collections_groups::groups_uuid.eq(groups::uuid))
+                    ))
+                    .filter(ciphers_collections::cipher_uuid.eq(&self.uuid))
+                    .filter(users_organizations::access_all.eq(true) // User has access all
+                        .or(users_collections::user_uuid.eq(user_id)) // User has access to collection
+                        .or(groups::access_all.eq(true)) // Access via groups
+                        .or(collections_groups::collections_uuid.is_not_null()) // Access via groups
+                    )
+                    .select(ciphers_collections::collection_uuid)
+                    .load::<String>(conn).unwrap_or_default()
+            }}
+        } else {
            db_run! {conn: {
                ciphers_collections::table
                .inner_join(collections::table.on(
                    collections::uuid.eq(ciphers_collections::collection_uuid)
                ))
                .inner_join(users_organizations::table.on(
-                users_organizations::org_uuid.eq(collections::org_uuid).and(
-                    users_organizations::user_uuid.eq(user_id.clone())
-                )
+                    users_organizations::org_uuid.eq(collections::org_uuid)
+                    .and(users_organizations::user_uuid.eq(user_id.clone()))
                ))
                .left_join(users_collections::table.on(
-                users_collections::collection_uuid.eq(ciphers_collections::collection_uuid).and(
-                    users_collections::user_uuid.eq(user_id.clone())
-                )
+                    users_collections::collection_uuid.eq(ciphers_collections::collection_uuid)
+                    .and(users_collections::user_uuid.eq(user_id.clone()))
                ))
                .filter(ciphers_collections::cipher_uuid.eq(&self.uuid))
-            .filter(users_collections::user_uuid.eq(user_id).or( // User has access to collection
-                users_organizations::access_all.eq(true).or( // User has access all
-                    users_organizations::atype.le(UserOrgType::Admin as i32) // User is admin or owner
+                .filter(users_organizations::access_all.eq(true) // User has access all
+                    .or(users_collections::user_uuid.eq(user_id)) // User has access to collection
                )
-            ))
                .select(ciphers_collections::collection_uuid)
                .load::<String>(conn).unwrap_or_default()
            }}
        }
+    }

    /// Return a Vec with (cipher_uuid, collection_uuid)
    /// This is used during a full sync so we only need one query for all collections accessible.