saltyming/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-08-03 17:49:07 +00:00
Code Activity

Add some extra access checks for attachments and groups

Browse source
This commit is contained in:
Daniel García 2023-07-03 19:58:14 +02:00
commit 60964c07e6
No known key found for this signature in database
GPG key ID: FC8A7D14C3CD543A
7 changed files with 101 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/api/core/ciphers.rs
View file

@ -934,6 +934,15 @@ async fn share_cipher_by_uuid(
/// redirects to the same location as before the v2 API.
#[get("/ciphers/<uuid>/attachment/<attachment_id>")]
async fn get_attachment(uuid: &str, attachment_id: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
let cipher = match Cipher::find_by_uuid(uuid, &mut conn).await {
Some(cipher) => cipher,
None => err!("Cipher doesn't exist"),
};
if !cipher.is_accessible_to_user(&headers.user.uuid, &mut conn).await {
err!("Cipher is not accessible")
}
match Attachment::find_by_id(attachment_id, &mut conn).await {
Some(attachment) if uuid == attachment.cipher_uuid => Ok(Json(attachment.to_json(&headers.host))),
Some(_) => err!("Attachment doesn't belong to cipher"),