From 596c16731284b46a152a655f92bddd0103c632e6 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com> Date: Wed, 10 Jan 2024 19:02:36 +0100 Subject: [PATCH] improve emergency access when not enabled (#4227) * improve emergency access when not enabled * display note that emergency access is disabled --- src/api/core/emergency_access.rs | 67 ++++++++++++++++++++------------ src/config.rs | 2 +- 2 files changed, 43 insertions(+), 26 deletions(-) diff --git a/src/api/core/emergency_access.rs b/src/api/core/emergency_access.rs index ba46291c..ba0c4577 100644 --- a/src/api/core/emergency_access.rs +++ b/src/api/core/emergency_access.rs @@ -38,42 +38,59 @@ pub fn routes() -> Vec { // region get #[get("/emergency-access/trusted")] -async fn get_contacts(headers: Headers, mut conn: DbConn) -> JsonResult { - check_emergency_access_allowed()?; +async fn get_contacts(headers: Headers, mut conn: DbConn) -> Json { + if !CONFIG.emergency_access_allowed() { + return Json(json!({ + "Data": [{ + "Id": "", + "Status": 2, + "Type": 0, + "WaitTimeDays": 0, + "GranteeId": "", + "Email": "", + "Name": "NOTE: Emergency Access is disabled!", + "Object": "emergencyAccessGranteeDetails", + }], + "Object": "list", + "ContinuationToken": null + })); + } let emergency_access_list = EmergencyAccess::find_all_by_grantor_uuid(&headers.user.uuid, &mut conn).await; let mut emergency_access_list_json = Vec::with_capacity(emergency_access_list.len()); for ea in emergency_access_list { emergency_access_list_json.push(ea.to_json_grantee_details(&mut conn).await); } - Ok(Json(json!({ + Json(json!({ "Data": emergency_access_list_json, "Object": "list", "ContinuationToken": null - }))) + })) } #[get("/emergency-access/granted")] -async fn get_grantees(headers: Headers, mut conn: DbConn) -> JsonResult { - check_emergency_access_allowed()?; - - let emergency_access_list = EmergencyAccess::find_all_by_grantee_uuid(&headers.user.uuid, &mut conn).await; +async fn get_grantees(headers: Headers, mut conn: DbConn) -> Json { + let emergency_access_list = if CONFIG.emergency_access_allowed() { + EmergencyAccess::find_all_by_grantee_uuid(&headers.user.uuid, &mut conn).await + } else { + Vec::new() + }; let mut emergency_access_list_json = Vec::with_capacity(emergency_access_list.len()); for ea in emergency_access_list { emergency_access_list_json.push(ea.to_json_grantor_details(&mut conn).await); } - Ok(Json(json!({ + Json(json!({ "Data": emergency_access_list_json, "Object": "list", "ContinuationToken": null - }))) + })) } #[get("/emergency-access/")] async fn get_emergency_access(emer_id: &str, mut conn: DbConn) -> JsonResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; match EmergencyAccess::find_by_uuid(emer_id, &mut conn).await { Some(emergency_access) => Ok(Json(emergency_access.to_json_grantee_details(&mut conn).await)), @@ -104,7 +121,7 @@ async fn post_emergency_access( data: JsonUpcase, mut conn: DbConn, ) -> JsonResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let data: EmergencyAccessUpdateData = data.into_inner().data; @@ -134,7 +151,7 @@ async fn post_emergency_access( #[delete("/emergency-access/")] async fn delete_emergency_access(emer_id: &str, headers: Headers, mut conn: DbConn) -> EmptyResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let grantor_user = headers.user; @@ -170,7 +187,7 @@ struct EmergencyAccessInviteData { #[post("/emergency-access/invite", data = "")] async fn send_invite(data: JsonUpcase, headers: Headers, mut conn: DbConn) -> EmptyResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let data: EmergencyAccessInviteData = data.into_inner().data; let email = data.Email.to_lowercase(); @@ -253,7 +270,7 @@ async fn send_invite(data: JsonUpcase, headers: Heade #[post("/emergency-access//reinvite")] async fn resend_invite(emer_id: &str, headers: Headers, mut conn: DbConn) -> EmptyResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let mut emergency_access = match EmergencyAccess::find_by_uuid(emer_id, &mut conn).await { Some(emer) => emer, @@ -313,7 +330,7 @@ struct AcceptData { #[post("/emergency-access//accept", data = "")] async fn accept_invite(emer_id: &str, data: JsonUpcase, headers: Headers, mut conn: DbConn) -> EmptyResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let data: AcceptData = data.into_inner().data; let token = &data.Token; @@ -396,7 +413,7 @@ async fn confirm_emergency_access( headers: Headers, mut conn: DbConn, ) -> JsonResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let confirming_user = headers.user; let data: ConfirmData = data.into_inner().data; @@ -445,7 +462,7 @@ async fn confirm_emergency_access( #[post("/emergency-access//initiate")] async fn initiate_emergency_access(emer_id: &str, headers: Headers, mut conn: DbConn) -> JsonResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let initiating_user = headers.user; let mut emergency_access = match EmergencyAccess::find_by_uuid(emer_id, &mut conn).await { @@ -485,7 +502,7 @@ async fn initiate_emergency_access(emer_id: &str, headers: Headers, mut conn: Db #[post("/emergency-access//approve")] async fn approve_emergency_access(emer_id: &str, headers: Headers, mut conn: DbConn) -> JsonResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let mut emergency_access = match EmergencyAccess::find_by_uuid(emer_id, &mut conn).await { Some(emer) => emer, @@ -523,7 +540,7 @@ async fn approve_emergency_access(emer_id: &str, headers: Headers, mut conn: DbC #[post("/emergency-access//reject")] async fn reject_emergency_access(emer_id: &str, headers: Headers, mut conn: DbConn) -> JsonResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let mut emergency_access = match EmergencyAccess::find_by_uuid(emer_id, &mut conn).await { Some(emer) => emer, @@ -566,7 +583,7 @@ async fn reject_emergency_access(emer_id: &str, headers: Headers, mut conn: DbCo #[post("/emergency-access//view")] async fn view_emergency_access(emer_id: &str, headers: Headers, mut conn: DbConn) -> JsonResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let emergency_access = match EmergencyAccess::find_by_uuid(emer_id, &mut conn).await { Some(emer) => emer, @@ -603,7 +620,7 @@ async fn view_emergency_access(emer_id: &str, headers: Headers, mut conn: DbConn #[post("/emergency-access//takeover")] async fn takeover_emergency_access(emer_id: &str, headers: Headers, mut conn: DbConn) -> JsonResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let requesting_user = headers.user; let emergency_access = match EmergencyAccess::find_by_uuid(emer_id, &mut conn).await { @@ -646,7 +663,7 @@ async fn password_emergency_access( headers: Headers, mut conn: DbConn, ) -> EmptyResult { - check_emergency_access_allowed()?; + check_emergency_access_enabled()?; let data: EmergencyAccessPasswordData = data.into_inner().data; let new_master_password_hash = &data.NewMasterPasswordHash; @@ -723,9 +740,9 @@ fn is_valid_request( && emergency_access.atype == requested_access_type as i32 } -fn check_emergency_access_allowed() -> EmptyResult { +fn check_emergency_access_enabled() -> EmptyResult { if !CONFIG.emergency_access_allowed() { - err!("Emergency access is not allowed.") + err!("Emergency access is not enabled.") } Ok(()) } diff --git a/src/config.rs b/src/config.rs index 116adc98..ba897edd 100644 --- a/src/config.rs +++ b/src/config.rs @@ -480,7 +480,7 @@ make_config! { /// Invitation token expiration time (in hours) |> The number of hours after which an organization invite token, emergency access invite token, /// email verification token and deletion request token will expire (must be at least 1) invitation_expiration_hours: u32, false, def, 120; - /// Allow emergency access |> Controls whether users can enable emergency access to their accounts. This setting applies globally to all users. + /// Enable emergency access |> Controls whether users can enable emergency access to their accounts. This setting applies globally to all users. emergency_access_allowed: bool, true, def, true; /// Allow email change |> Controls whether users can change their email. This setting applies globally to all users. email_change_allowed: bool, true, def, true;