improve permission check for collections (#6278)

2025-10-31 02:08:20 +02:00 · 2025-10-13 21:14:53 +02:00
parent b1d84298cc
commit a79cd40ea9
2 changed files with 13 additions and 4 deletions
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -773,8 +773,8 @@ async fn post_collections_update(
        err!("Cipher doesn't exist")
    };

-    if !cipher.is_write_accessible_to_user(&headers.user.uuid, &mut conn).await {
-        err!("Cipher is not write accessible")
+    if !cipher.is_in_editable_collection_by_user(&headers.user.uuid, &mut conn).await {
+        err!("Collection cannot be changed")
    }

    let posted_collections = HashSet::<CollectionId>::from_iter(data.collection_ids);
@@ -850,8 +850,8 @@ async fn post_collections_admin(
        err!("Cipher doesn't exist")
    };

-    if !cipher.is_write_accessible_to_user(&headers.user.uuid, &mut conn).await {
-        err!("Cipher is not write accessible")
+    if !cipher.is_in_editable_collection_by_user(&headers.user.uuid, &mut conn).await {
+        err!("Collection cannot be changed")
    }

    let posted_collections = HashSet::<CollectionId>::from_iter(data.collection_ids);
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -717,6 +717,15 @@ impl Cipher {
        }
    }

+    // used for checking if collection can be edited (only if user has access to a collection they
+    // can write to and also passwords are not hidden to prevent privilege escalation)
+    pub async fn is_in_editable_collection_by_user(&self, user_uuid: &UserId, conn: &mut DbConn) -> bool {
+        match self.get_access_restrictions(user_uuid, None, conn).await {
+            Some((read_only, hide_passwords, manage)) => (!read_only && !hide_passwords) || manage,
+            None => false,
+        }
+    }
+
    pub async fn is_accessible_to_user(&self, user_uuid: &UserId, conn: &mut DbConn) -> bool {
        self.get_access_restrictions(user_uuid, None, conn).await.is_some()
    }