Add some extra access checks for attachments and groups

2025-09-11 11:15:58 +03:00 · 2023-07-03 19:58:14 +02:00
parent e7f083dee9
commit 60964c07e6
7 changed files with 101 additions and 28 deletions
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -2578,11 +2578,15 @@ async fn put_user_groups(
        err!("Group support is disabled");
    }

-    match UserOrganization::find_by_uuid(org_user_id, &mut conn).await {
-        Some(_) => { /* Do nothing */ }
+    let user_org = match UserOrganization::find_by_uuid(org_user_id, &mut conn).await {
+        Some(uo) => uo,
        _ => err!("User could not be found!"),
    };

+    if user_org.org_uuid != org_id {
+        err!("Group doesn't belong to organization");
+    }
+
    GroupUser::delete_all_by_user(org_user_id, &mut conn).await?;

    let assigned_group_ids = data.into_inner().data;
@@ -2628,16 +2632,24 @@ async fn delete_group_user(
        err!("Group support is disabled");
    }

-    match UserOrganization::find_by_uuid(org_user_id, &mut conn).await {
-        Some(_) => { /* Do nothing */ }
+    let user_org = match UserOrganization::find_by_uuid(org_user_id, &mut conn).await {
+        Some(uo) => uo,
        _ => err!("User could not be found!"),
    };

-    match Group::find_by_uuid(group_id, &mut conn).await {
-        Some(_) => { /* Do nothing */ }
+    if user_org.org_uuid != org_id {
+        err!("User doesn't belong to organization");
+    }
+
+    let group = match Group::find_by_uuid(group_id, &mut conn).await {
+        Some(g) => g,
        _ => err!("Group could not be found!"),
    };

+    if group.organizations_uuid != org_id {
+        err!("Group doesn't belong to organization");
+    }
+
    log_event(
        EventType::OrganizationUserUpdatedGroups as i32,
        org_user_id,