From 663f88e7172d511c028aecd0e608a1703d2d56f8 Mon Sep 17 00:00:00 2001 From: Roman Ratiner Date: Wed, 29 Jan 2025 13:00:14 +0200 Subject: [PATCH 1/2] Fix Duo Field Names for Web Client (#5491) * Fix Duo Field Names for Web Client * Fix Api Validation * Rename Duo Labels In Admin --- src/api/core/two_factor/duo.rs | 22 +++++++++++----------- src/config.rs | 4 ++-- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/api/core/two_factor/duo.rs b/src/api/core/two_factor/duo.rs index 289f01b3..aa281ae7 100644 --- a/src/api/core/two_factor/duo.rs +++ b/src/api/core/two_factor/duo.rs @@ -26,8 +26,8 @@ pub fn routes() -> Vec { #[derive(Serialize, Deserialize)] struct DuoData { host: String, // Duo API hostname - ik: String, // integration key - sk: String, // secret key + ik: String, // client id + sk: String, // client secret } impl DuoData { @@ -111,8 +111,8 @@ async fn get_duo(data: Json, headers: Headers, mut conn: DbCo json!({ "enabled": enabled, "host": data.host, - "secretKey": data.sk, - "integrationKey": data.ik, + "clientSecret": data.sk, + "clientId": data.ik, "object": "twoFactorDuo" }) } else { @@ -129,8 +129,8 @@ async fn get_duo(data: Json, headers: Headers, mut conn: DbCo #[serde(rename_all = "camelCase")] struct EnableDuoData { host: String, - secret_key: String, - integration_key: String, + client_secret: String, + client_id: String, master_password_hash: Option, otp: Option, } @@ -139,8 +139,8 @@ impl From for DuoData { fn from(d: EnableDuoData) -> Self { Self { host: d.host, - ik: d.integration_key, - sk: d.secret_key, + ik: d.client_id, + sk: d.client_secret, } } } @@ -151,7 +151,7 @@ fn check_duo_fields_custom(data: &EnableDuoData) -> bool { st.is_empty() || s == DISABLED_MESSAGE_DEFAULT } - !empty_or_default(&data.host) && !empty_or_default(&data.secret_key) && !empty_or_default(&data.integration_key) + !empty_or_default(&data.host) && !empty_or_default(&data.client_secret) && !empty_or_default(&data.client_id) } #[post("/two-factor/duo", data = "")] @@ -186,8 +186,8 @@ async fn activate_duo(data: Json, headers: Headers, mut conn: DbC Ok(Json(json!({ "enabled": true, "host": data.host, - "secretKey": data.sk, - "integrationKey": data.ik, + "clientSecret": data.sk, + "clientId": data.ik, "object": "twoFactorDuo" }))) } diff --git a/src/config.rs b/src/config.rs index 853f7cfa..09e6ac37 100644 --- a/src/config.rs +++ b/src/config.rs @@ -670,9 +670,9 @@ make_config! { _enable_duo: bool, true, def, true; /// Attempt to use deprecated iframe-based Traditional Prompt (Duo WebSDK 2) duo_use_iframe: bool, false, def, false; - /// Integration Key + /// Client Id duo_ikey: String, true, option; - /// Secret Key + /// Client Secret duo_skey: Pass, true, option; /// Host duo_host: String, true, option; From 3c29f8297450c6e43369bc210383bb2d455565c0 Mon Sep 17 00:00:00 2001 From: Mathijs van Veluw Date: Wed, 29 Jan 2025 20:41:31 +0100 Subject: [PATCH 2/2] Allow all manager to create collections again (#5488) * Allow all manager to create collections again This commit checks if the member is a manager or better, and if so allows it to createCollections. We actually check if it is less then a Manager, since the `limitCollectionCreation` should be set to false to allow it and true to prevent. This should fix an issue discussed in #5484 Signed-off-by: BlackDex * Fix some small issues Signed-off-by: BlackDex --------- Signed-off-by: BlackDex --- src/api/core/organizations.rs | 27 ++++++++++++++------------- src/db/models/collection.rs | 5 ++++- src/db/models/organization.rs | 2 +- 3 files changed, 19 insertions(+), 15 deletions(-) diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index 08305839..624ff590 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -485,7 +485,7 @@ async fn post_organization_collections( CollectionUser::save(&headers.membership.user_uuid, &collection.uuid, false, false, false, &mut conn).await?; } - Ok(Json(collection.to_json())) + Ok(Json(collection.to_json_details(&headers.membership.user_uuid, None, &mut conn).await)) } #[put("/organizations//collections/", data = "")] @@ -722,18 +722,19 @@ async fn get_org_collection_detail( .map(|m| (m.uuid, m.atype)) .collect(); - let users: Vec = - CollectionUser::find_by_collection_swap_user_uuid_with_member_uuid(&collection.uuid, &mut conn) - .await - .iter() - .map(|collection_member| { - collection_member.to_json_details_for_member( - *membership_type - .get(&collection_member.membership_uuid) - .unwrap_or(&(MembershipType::User as i32)), - ) - }) - .collect(); + let users: Vec = CollectionUser::find_by_org_and_coll_swap_user_uuid_with_member_uuid( + &org_id, + &collection.uuid, + &mut conn, + ) + .await + .iter() + .map(|collection_member| { + collection_member.to_json_details_for_member( + *membership_type.get(&collection_member.membership_uuid).unwrap_or(&(MembershipType::User as i32)), + ) + }) + .collect(); let assigned = Collection::can_access_collection(&member, &collection.uuid, &mut conn).await; diff --git a/src/db/models/collection.rs b/src/db/models/collection.rs index 2286ee04..abe5b400 100644 --- a/src/db/models/collection.rs +++ b/src/db/models/collection.rs @@ -589,6 +589,7 @@ impl CollectionUser { .inner_join(collections::table.on(collections::uuid.eq(users_collections::collection_uuid))) .filter(collections::org_uuid.eq(org_uuid)) .inner_join(users_organizations::table.on(users_organizations::user_uuid.eq(users_collections::user_uuid))) + .filter(users_organizations::org_uuid.eq(org_uuid)) .select((users_organizations::uuid, users_collections::collection_uuid, users_collections::read_only, users_collections::hide_passwords, users_collections::manage)) .load::(conn) .expect("Error loading users_collections") @@ -685,13 +686,15 @@ impl CollectionUser { }} } - pub async fn find_by_collection_swap_user_uuid_with_member_uuid( + pub async fn find_by_org_and_coll_swap_user_uuid_with_member_uuid( + org_uuid: &OrganizationId, collection_uuid: &CollectionId, conn: &mut DbConn, ) -> Vec { let col_users = db_run! { conn: { users_collections::table .filter(users_collections::collection_uuid.eq(collection_uuid)) + .filter(users_organizations::org_uuid.eq(org_uuid)) .inner_join(users_organizations::table.on(users_organizations::user_uuid.eq(users_collections::user_uuid))) .select((users_organizations::uuid, users_collections::collection_uuid, users_collections::read_only, users_collections::hide_passwords, users_collections::manage)) .load::(conn) diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs index aa3e1d01..2b54e1d0 100644 --- a/src/db/models/organization.rs +++ b/src/db/models/organization.rs @@ -464,7 +464,7 @@ impl Membership { "familySponsorshipValidUntil": null, "familySponsorshipToDelete": null, "accessSecretsManager": false, - "limitCollectionCreation": true, + "limitCollectionCreation": self.atype < MembershipType::Manager, // If less then a manager return true, to limit collection creations "limitCollectionCreationDeletion": true, "limitCollectionDeletion": true, "allowAdminAccessToAllCollectionItems": true,