From 96813b1317122e2e24d42dcad6c08e42548db9e4 Mon Sep 17 00:00:00 2001
From: Mathijs van Veluw
Date: Wed, 20 Nov 2024 17:38:16 +0100
Subject: [PATCH] Fix editing members which have access-all rights (#5213)
With web-vault v2024.6.2 and lower, if a user has access-all rights either as an org-member or via a group it shouldn't return individual collections. This probably needs to be changed with newer versions which do not support the `access-all` feature anymore and work with manage. But with the current version this should solve access right issues.
Fixes #5212
Signed-off-by: BlackDex
---
 src/db/models/organization.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs
index 5426fff0..15f00991 100644
--- a/src/db/models/organization.rs
+++ b/src/db/models/organization.rs
@@ -462,7 +462,13 @@ impl UserOrganization {
 Vec::with_capacity(0)
 };
- let collections: Vec = if include_collections {
+ // Check if a user is in a group which has access to all collections
+ // If that is the case, we should not return individual collections!
+ let full_access_group =
+ CONFIG.org_groups_enabled() && Group::is_in_full_access_group(&self.user_uuid, &self.org_uuid, conn).await;
+ // If collections are to be included, only include them if the user does not have full access via a group or defined to the user it self
+ let collections: Vec = if include_collections && !(full_access_group || self.has_full_access()) {
 // Get all collections for the user here already to prevent more queries
 let cu: HashMap =
 CollectionUser::find_by_organization_and_user_uuid(&self.org_uuid, &self.user_uuid, conn)
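Review bot: The awaited `Group::is_in_full_access_group(...)` lookup on `conn` runs before `include_collections` and `self.has_full_access()` are consulted, so it is paid for every member even when its result cannot change the outcome. Folding it into the condition lets `&&` short-circuit it: `if include_collections && !self.has_full_access() && !(CONFIG.org_groups_enabled() && Group::is_in_full_access_group(&self.user_uuid, &self.org_uuid, conn).await) {`. The comment on that condition should also record that the empty list is a presentation choice for web-vault v2024.6.2 and lower. Any per-collection rows stored for such a member are no longer shown in this response and presumably apply again once access-all or the group membership is removed; that is worth confirming against the member edit handler, which is not visible here. The enclosing function starts and ends outside the hunk.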