[AC-1124] Restrict admins from accessing items in Collections tab #3676
Conversation
…nc to the CipherRepository
…erService queries
- Add new endpoint for assigned ciphers
- Update existing endpoint to only return all ciphers when feature flag is enabled the user has access
Codecov Report
Attention: additional details and impacted files.

@@            Coverage Diff             @@
##             main    #3676      +/-   ##
==========================================
- Coverage   39.32%   39.17%   -0.15%
==========================================
  Files        1032     1034       +2
  Lines       51056    51274     +218
  Branches     4581     4602      +21
==========================================
+ Hits        20076    20086      +10
- Misses      30036    30244     +208
  Partials      944      944

No New Or Fixed Issues Found
Inline review comment (context lines from the stored procedure diff):

```sql
AS
BEGIN
    SET NOCOUNT ON
```
It would be more efficient to not use the `NOT IN` clause and do a `WHERE ... IS NULL` instead:

```sql
SELECT
    C.*,
    CASE
        WHEN O.[UseTotp] = 1 THEN 1
        ELSE 0
    END [OrganizationUseTotp]
FROM
    [dbo].[CipherView] C
LEFT JOIN
    [dbo].[OrganizationView] O ON O.[Id] = C.[OrganizationId]
LEFT JOIN
    [dbo].[CollectionCipher] CC ON C.[Id] = CC.[CipherId]
LEFT JOIN
    [dbo].[Collection] S ON S.[Id] = CC.[CollectionId]
    AND S.[OrganizationId] = C.[OrganizationId]
WHERE
    C.[UserId] IS NULL
    AND C.[OrganizationId] = @OrganizationId
    AND CC.[CipherId] IS NULL
```
Thanks for the suggestion! Updated in f29ea21
Looks good to me
Looks good to me
Type of change
Objective
Restrict admins from accessing organization ciphers when the organization collection setting is disabled.
See corresponding client PR: bitwarden/clients#7537
Code changes

- src/Api/Vault/Controllers/CiphersController.cs
  - The /ciphers/organization-details endpoint now always returns all collections for admins when flexible collections V1 is enabled. Otherwise, it continues with the existing behavior.
  - New /ciphers/organization-details/assigned endpoint.
  - The /ciphers/organization-details/assigned endpoint returns all ciphers the requesting user has access to for an organization. This includes unassigned ciphers for admins/owners/providers.
- src/Core/Vault/Models/Data/CipherDetails.cs
  - New CipherDetailsWithCollections domain model that includes both cipher permissions and collectionIds in the new endpoint response. Normally the admin endpoints have excluded the permission info, as it was unnecessary and available via sync data. The new /ciphers/organization-details/assigned endpoint is now expected to include this info so the appropriate edit/delete options can be presented to the user in the admin console when admins are restricted from editing ciphers.
- src/Core/Vault/Queries/IOrganizationCiphersQuery.cs
  - New IOrganizationCiphersQuery service to group cipher queries related to a specific organization. This should ultimately replace the organizational cipher query methods in the CipherService once flexible collections is fully released.
- src/Core/Vault/VaultServiceCollectionExtensions.cs
  - New AddVaultServices service collection extension method to add additional Vault services (currently only the IOrganizationCiphersQuery).
- src/Core/Vault/Repositories/ICipherRepository.cs
  - New GetManyUnassignedOrganizationDetailsByOrganizationIdAsync method to retrieve organization ciphers that are not assigned to any collections.
- EntityFramework/Vault/Repositories/Queries/CipherOrganizationDetailsReadByOrganizationIdQuery.cs
- src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherOrganizationDetails_ReadUnassignedByOrganizationId.sql
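As an added example (not Bitwarden's code, and not part of this PR), the script below models on a constructed SQLite schema the two shapes of the "unassigned ciphers" query from the review thread (the `NOT IN` subquery versus the reviewer's `LEFT JOIN ... IS NULL` form) and the access rule of the new assigned endpoint: a user sees ciphers in collections granted to them, and unassigned ciphers only when the caller holds an admin/owner/provider role. Table and column names are simplified stand-ins for CipherView, OrganizationView, Collection and CollectionCipher, the CollectionUser table and the `can_access_unassigned` flag are assumptions standing in for the real role check, and all rows are constructed sample data. It also shows a caveat beyond the page's efficiency argument: a NULL in the `NOT IN` subquery silently empties the result, while the join form is unaffected.

```python
"""Added example: NOT IN vs LEFT JOIN ... IS NULL for unassigned ciphers, plus the
assigned-endpoint access rule. Schema and rows are constructed for this example."""
import sqlite3
from typing import List, Tuple

# Simplified stand-ins for CipherView / OrganizationView / Collection / CollectionCipher.
# CollectionUser is an assumed grant table (collection -> user) for the access rule.
SCHEMA = """
CREATE TABLE Organization    (Id TEXT PRIMARY KEY, UseTotp INTEGER NOT NULL);
CREATE TABLE Cipher          (Id TEXT PRIMARY KEY, UserId TEXT, OrganizationId TEXT);
CREATE TABLE Collection      (Id TEXT PRIMARY KEY, OrganizationId TEXT NOT NULL);
CREATE TABLE CollectionCipher(CollectionId TEXT, CipherId TEXT);
CREATE TABLE CollectionUser  (CollectionId TEXT NOT NULL, UserId TEXT NOT NULL);
"""

# Constructed sample rows: c1/c2 sit in collections, c3 is unassigned,
# c4 is a personal cipher (has a UserId), c5 belongs to another organization.
SAMPLE_ROWS = """
INSERT INTO Organization VALUES ('org1', 1), ('org2', 0);
INSERT INTO Cipher VALUES ('c1', NULL, 'org1'), ('c2', NULL, 'org1'),
                          ('c3', NULL, 'org1'), ('c4', 'u1', NULL), ('c5', NULL, 'org2');
INSERT INTO Collection VALUES ('colA', 'org1'), ('colB', 'org1'), ('colX', 'org2');
INSERT INTO CollectionCipher VALUES ('colA', 'c1'), ('colA', 'c2'), ('colB', 'c2'), ('colX', 'c5');
INSERT INTO CollectionUser VALUES ('colA', 'u1');
"""

# Shape 1: exclude via a NOT IN subquery.
NOT_IN_QUERY = """
SELECT C.Id FROM Cipher C
WHERE C.UserId IS NULL AND C.OrganizationId = ?
  AND C.Id NOT IN (SELECT CC.CipherId FROM CollectionCipher CC)
ORDER BY C.Id
"""

# Shape 2: the reviewer's form, an anti-join via LEFT JOIN ... WHERE CC.CipherId IS NULL.
LEFT_JOIN_QUERY = """
SELECT C.Id, CASE WHEN O.UseTotp = 1 THEN 1 ELSE 0 END AS OrganizationUseTotp
FROM Cipher C
LEFT JOIN Organization O ON O.Id = C.OrganizationId
LEFT JOIN CollectionCipher CC ON C.Id = CC.CipherId
LEFT JOIN Collection S ON S.Id = CC.CollectionId AND S.OrganizationId = C.OrganizationId
WHERE C.UserId IS NULL AND C.OrganizationId = ? AND CC.CipherId IS NULL
ORDER BY C.Id
"""

# Ciphers reachable through collections explicitly granted to the user (DISTINCT because
# a cipher in two granted collections would otherwise appear twice).
ASSIGNED_QUERY = """
SELECT DISTINCT C.Id FROM Cipher C
JOIN CollectionCipher CC ON CC.CipherId = C.Id
JOIN Collection S ON S.Id = CC.CollectionId AND S.OrganizationId = C.OrganizationId
JOIN CollectionUser CU ON CU.CollectionId = S.Id AND CU.UserId = ?
WHERE C.UserId IS NULL AND C.OrganizationId = ?
"""


def open_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def unassigned_not_in(conn: sqlite3.Connection, org_id: str) -> List[str]:
    return [row[0] for row in conn.execute(NOT_IN_QUERY, (org_id,))]


def unassigned_left_join(conn: sqlite3.Connection, org_id: str) -> List[str]:
    return [row[0] for row in conn.execute(LEFT_JOIN_QUERY, (org_id,))]


def assigned_ciphers(conn: sqlite3.Connection, org_id: str, user_id: str,
                     can_access_unassigned: bool) -> List[str]:
    """Access rule of the assigned endpoint: collection-granted ciphers for everyone,
    unassigned ciphers only for callers with an admin/owner/provider role (assumed flag)."""
    ids = {row[0] for row in conn.execute(ASSIGNED_QUERY, (user_id, org_id))}
    if can_access_unassigned:
        ids.update(unassigned_left_join(conn, org_id))
    return sorted(ids)


def not_in_null_pitfall(conn: sqlite3.Connection) -> Tuple[List[str], List[str]]:
    """A NULL CipherId in the subquery makes `x NOT IN (...)` evaluate to UNKNOWN for every
    row, so the NOT IN form returns nothing; the anti-join form still finds c3."""
    conn.execute("INSERT INTO CollectionCipher VALUES ('colA', NULL)")
    try:
        return unassigned_not_in(conn, "org1"), unassigned_left_join(conn, "org1")
    finally:
        conn.execute("DELETE FROM CollectionCipher WHERE CipherId IS NULL")


if __name__ == "__main__":
    db = open_db()
    print("unassigned (NOT IN):   ", unassigned_not_in(db, "org1"))
    print("unassigned (LEFT JOIN):", unassigned_left_join(db, "org1"))
    print("u1, member:", assigned_ciphers(db, "org1", "u1", False))
    print("u2, admin: ", assigned_ciphers(db, "org1", "u2", True))
    print("NULL pitfall (NOT IN, LEFT JOIN):", not_in_null_pitfall(db))
```

The admin case (`u2`, no collection grants) is the restriction the PR is about: an admin without explicit collection access sees only the unassigned ciphers, not every cipher in the organization, and a plain member with no role flag sees only what their collections grant.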
Before you submit

- Checked for formatting errors (dotnet format --verify-no-changes) (required)