vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

commit baac8d9627945c7a307d8c617558eb9be07308b0
parent 669b101e6a68ab639526bc5b1405e8ced4a9f94e
Author: BlackDex <black.dex@gmail.com>
Date:   Thu, 19 Mar 2020 17:37:10 +0100

Fixed issue #908

The organization uuid is most of the time within the uri path as a
parameter. But sometimes it only is there as a query value.

This fix checks both, and returns the uuid when possible.

Diffstat:
Msrc/auth.rs | 105+++++++++++++++++++++++++++++++++++++++----------------------------------------
1 file changed, 52 insertions(+), 53 deletions(-)

diff --git a/src/auth.rs b/src/auth.rs @@ -307,6 +307,25 @@ pub struct OrgHeaders { pub org_user_type: UserOrgType, } +// org_id is usually the second param ("/organizations/<org_id>") +// But there are cases where it is located in a query value. +// First check the param, if this is not a valid uuid, we will try the query value. +fn get_org_id(request: &Request) -> Option<String> { + if let Some(Ok(org_id)) = request.get_param::<String>(1) { + if uuid::Uuid::parse_str(&org_id).is_ok() { + return Some(org_id); + } + } + + if let Some(Ok(org_id)) = request.get_query_value::<String>("organizationId") { + if uuid::Uuid::parse_str(&org_id).is_ok() { + return Some(org_id); + } + } + + None +} + impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders { type Error = &'static str; @@ -315,60 +334,40 @@ impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders { Outcome::Forward(_) => Outcome::Forward(()), Outcome::Failure(f) => Outcome::Failure(f), Outcome::Success(headers) => { - // org_id is usually the second param ("/organizations/<org_id>") - // But there are cases where it is located in a query value. - // First check the param, if this is not a valid uuid, we will try the query value. - let query_org_id = match request.get_query_value::<String>("organizationId") { - Some(Ok(query_org_id)) => { query_org_id } - _ => { "".into() } - }; - let param_org_id = match request.get_param::<String>(1) { - Some(Ok(param_org_id)) => { param_org_id } - _ => { "".into() } - }; - - let org_uuid: _ = match uuid::Uuid::parse_str(&param_org_id) { - Ok(uuid) => uuid, - _ => match uuid::Uuid::parse_str(&query_org_id) { - Ok(uuid) => uuid, - _ => err_handler!("Error getting the organization id"), - } - }; - - let org_id: &str = &org_uuid.to_string(); - if !org_id.is_empty() { - let conn = match request.guard::<DbConn>() { - Outcome::Success(conn) => conn, - _ => err_handler!("Error getting DB"), - }; - - let user = headers.user; - let org_user = match UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn) { - Some(user) => { - if user.status == UserOrgStatus::Confirmed as i32 { - user - } else { - err_handler!("The current user isn't confirmed member of the organization") + match get_org_id(request) { + Some(org_id) => { + let conn = match request.guard::<DbConn>() { + Outcome::Success(conn) => conn, + _ => err_handler!("Error getting DB"), + }; + + let user = headers.user; + let org_user = match UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn) { + Some(user) => { + if user.status == UserOrgStatus::Confirmed as i32 { + user + } else { + err_handler!("The current user isn't confirmed member of the organization") + } } - } - None => err_handler!("The current user isn't member of the organization"), - }; - - Outcome::Success(Self { - host: headers.host, - device: headers.device, - user, - org_user_type: { - if let Some(org_usr_type) = UserOrgType::from_i32(org_user.atype) { - org_usr_type - } else { - // This should only happen if the DB is corrupted - err_handler!("Unknown user type in the database") - } - }, - }) - } else { - err_handler!("Error getting the organization id") + None => err_handler!("The current user isn't member of the organization"), + }; + + Outcome::Success(Self { + host: headers.host, + device: headers.device, + user, + org_user_type: { + if let Some(org_usr_type) = UserOrgType::from_i32(org_user.atype) { + org_usr_type + } else { + // This should only happen if the DB is corrupted + err_handler!("Unknown user type in the database") + } + }, + }) + }, + _ => err_handler!("Error getting the organization id"), } } }