vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

commit e7ea5097f49bb1f42ffdb59a038a02fea093df10
parent 9f0357ce824b10bde6295a3fe83c7f037e66f899
Author: Andreas Schneider <aksdb@gmx.de>
Date:   Fri, 28 Dec 2018 15:25:51 +0100

Restrict join on users_collections to current user (fixes #313)

Diffstat:
Msrc/db/models/cipher.rs | 10+++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs @@ -293,7 +293,7 @@ impl Cipher { .first::<Self>(&**conn).ok() } - // Find all ciphers accesible to user + // Find all ciphers accessible to user pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> { ciphers::table .left_join(users_organizations::table.on( @@ -303,7 +303,9 @@ impl Cipher { ) ) )) - .left_join(ciphers_collections::table) + .left_join(ciphers_collections::table.on( + ciphers::uuid.eq(ciphers_collections::cipher_uuid) + )) .left_join(users_collections::table.on( ciphers_collections::collection_uuid.eq(users_collections::collection_uuid) )) @@ -352,7 +354,9 @@ impl Cipher { ) )) .left_join(users_collections::table.on( - users_collections::collection_uuid.eq(ciphers_collections::collection_uuid) + users_collections::collection_uuid.eq(ciphers_collections::collection_uuid).and( + users_collections::user_uuid.eq(user_id) + ) )) .filter(ciphers_collections::cipher_uuid.eq(&self.uuid)) .filter(users_collections::user_uuid.eq(user_id).or( // User has access to collection