commit e7ea5097f49bb1f42ffdb59a038a02fea093df10
parent 9f0357ce824b10bde6295a3fe83c7f037e66f899
Author: Andreas Schneider <aksdb@gmx.de>
Date: Fri, 28 Dec 2018 15:25:51 +0100
Restrict join on users_collections to current user (fixes #313)
Diffstat:
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
@@ -293,7 +293,7 @@ impl Cipher {
.first::<Self>(&**conn).ok()
}
- // Find all ciphers accesible to user
+ // Find all ciphers accessible to user
pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
ciphers::table
.left_join(users_organizations::table.on(
@@ -303,7 +303,9 @@ impl Cipher {
)
)
))
- .left_join(ciphers_collections::table)
+ .left_join(ciphers_collections::table.on(
+ ciphers::uuid.eq(ciphers_collections::cipher_uuid)
+ ))
.left_join(users_collections::table.on(
ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
))
@@ -352,7 +354,9 @@ impl Cipher {
)
))
.left_join(users_collections::table.on(
- users_collections::collection_uuid.eq(ciphers_collections::collection_uuid)
+ users_collections::collection_uuid.eq(ciphers_collections::collection_uuid).and(
+ users_collections::user_uuid.eq(user_id)
+ )
))
.filter(ciphers_collections::cipher_uuid.eq(&self.uuid))
.filter(users_collections::user_uuid.eq(user_id).or( // User has access to collection
