
[AC-2170] Group modal - limit admin access - collections tab #3998

Merged
merged 39 commits into from May 1, 2024

Conversation

eliykat (Member)

@eliykat eliykat commented Apr 17, 2024

Type of change

- [ ] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

This is equivalent to #3934 but for groups. If FC v1 is enabled, and admins cannot manage all collections and items, then a user can only grant collection access to a group if:

  • they can manage the collection, or
  • they have the Manage Groups custom permission

Code changes

Before you submit

  • Please check for formatting errors (dotnet format --verify-no-changes) (required)
  • If making database changes - make sure you also update Entity Framework queries and/or migrations
  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team
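The rule stated in the Objective above, modelled as an added example for reference; this is not Bitwarden's code, and the class names, the two org flags and the function names are assumptions, not the project's identifiers:

```python
"""Model of the collection-access rule this PR describes (added example, not Bitwarden's code).

Assumed inputs: the org's two flags, the actor's Manage Groups permission and the set of
collection ids they can manage, and the collection ids the group is being granted access to.
All names here are illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Org:
    flexible_collections_v1: bool          # "FC v1 is enabled"
    admins_manage_all_collections: bool    # "admins can manage all collections and items"


@dataclass(frozen=True)
class Actor:
    has_manage_groups: bool                # the Manage Groups custom permission
    managed_collections: frozenset         # collections the actor can manage


def rule_applies(org: Org) -> bool:
    """The restriction is only active when FC v1 is on and admins cannot manage everything."""
    return org.flexible_collections_v1 and not org.admins_manage_all_collections


def disallowed_collections(org: Org, actor: Actor, requested: frozenset) -> frozenset | None:
    """Collection ids in `requested` that the actor may NOT grant to a group.

    Returns None when the rule does not apply (the caller keeps whatever checks it already
    had; those are not modelled here). Otherwise returns the ids to reject: empty when the
    actor holds Manage Groups, else every requested collection the actor cannot manage.
    """
    if not rule_applies(org):
        return None
    if actor.has_manage_groups:
        return frozenset()
    return frozenset(requested) - actor.managed_collections


def can_grant(org: Org, actor: Actor, requested: frozenset) -> bool:
    """All-or-nothing decision under the rule: any single disallowed collection rejects the request."""
    denied = disallowed_collections(org, actor, requested)
    return denied is not None and not denied
```

`can_grant` returns False when the rule does not apply so that this model never silently authorises the legacy path it does not implement.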

Contributor

github-actions bot commented Apr 17, 2024

Checkmarx One – Scan Summary & Details (scan 54e6b3dd-c86f-47c1-881d-2d1a36943a70)

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| MEDIUM | CSRF | /src/Api/Public/Controllers/CollectionsController.cs: 87 | Attack Vector |
| MEDIUM | CSRF | /src/Api/AdminConsole/Controllers/GroupsController.cs: 132 | Attack Vector |
| MEDIUM | CSRF | /src/Api/Controllers/CollectionsController.cs: 212 | Attack Vector |
| MEDIUM | CSRF | /src/Api/Controllers/CollectionsController.cs: 270 | Attack Vector |
| MEDIUM | CSRF | /src/Api/Controllers/CollectionsController.cs: 270 | Attack Vector |
| MEDIUM | CSRF | /src/Api/Controllers/CollectionsController.cs: 212 | Attack Vector |
| MEDIUM | CSRF | /src/Api/AdminConsole/Controllers/GroupsController.cs: 132 | Attack Vector |
| MEDIUM | Privacy_Violation | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 703 | Attack Vector |
| MEDIUM | Privacy_Violation | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 650 | Attack Vector |
| LOW | Log_Forging | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 615 | Attack Vector |
| LOW | Log_Forging | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 678 | Attack Vector |
| LOW | Missing_CSP_Header | /src/Core/MailTemplates/Handlebars/Provider/InitiateDeleteProvider.html.hbs: 10 | Attack Vector |

Fixed Issues
More results are available on AST platform


codecov bot commented Apr 23, 2024

Codecov Report

Attention: Patch coverage is 83.33333% with 9 lines in your changes are missing coverage. Please review.

Project coverage is 38.34%. Comparing base (5012d56) to head (a5683ea).

Files Patch % Lines
...c/Api/AdminConsole/Controllers/GroupsController.cs 82.69% 6 Missing and 3 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3998      +/-   ##
==========================================
+ Coverage   38.30%   38.34%   +0.03%     
==========================================
  Files        1195     1195              
  Lines       58223    58268      +45     
  Branches     5583     5589       +6     
==========================================
+ Hits        22302    22342      +40     
- Misses      34871    34875       +4     
- Partials     1050     1051       +1     


@eliykat eliykat force-pushed the ac/ac-2172/member-modal---access-selector-changes branch from d4912be to b8faed7 Compare April 25, 2024 01:25
@eliykat eliykat force-pushed the ac/ac-2170/group-modal---collections-tab-changes branch from ae04971 to 5d8517d Compare April 25, 2024 01:49
Base automatically changed from ac/ac-2172/member-modal---access-selector-changes to main April 29, 2024 01:02
@eliykat eliykat changed the base branch from main to ac/ac-2538/server-fix-manageusers-custom-permission April 30, 2024 02:56
Base automatically changed from ac/ac-2538/server-fix-manageusers-custom-permission to main May 1, 2024 00:06
@eliykat eliykat marked this pull request as ready for review May 1, 2024 01:44
@eliykat eliykat requested review from a team as code owners May 1, 2024 01:44
@eliykat eliykat requested review from r-tome, Jingo88 and vincentsalucci and removed request for r-tome May 1, 2024 01:44
@eliykat eliykat merged commit e302ee1 into main May 1, 2024
48 of 49 checks passed
@eliykat eliykat deleted the ac/ac-2170/group-modal---collections-tab-changes branch May 1, 2024 23:55