Fix editing members which have access-all rights (#5213)

With web-vault v2024.6.2 and lower, if a user has access-all rights either as an org-member or via a group it shouldn't return individual collections. This probably needs to be changed with newer versions which do not support the `access-all` feature anymore and work with manage. But with the current version this should solve access right issues. Fixes #5212 Signed-off-by: BlackDex <[email protected]>
dani-garcia · Nov 20, 2024 · 96813b1 · 96813b1
1 parent b0b953f
commit 96813b1
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs
@@ -462,7 +462,13 @@ impl UserOrganization {
             Vec::with_capacity(0)
         };
 
-        let collections: Vec<Value> = if include_collections {
+        // Check if a user is in a group which has access to all collections
+        // If that is the case, we should not return individual collections!
+        let full_access_group =
+            CONFIG.org_groups_enabled() && Group::is_in_full_access_group(&self.user_uuid, &self.org_uuid, conn).await;
+
+        // If collections are to be included, only include them if the user does not have full access via a group or defined to the user it self
+        let collections: Vec<Value> = if include_collections && !(full_access_group || self.has_full_access()) {
             // Get all collections for the user here already to prevent more queries
             let cu: HashMap<String, CollectionUser> =
                 CollectionUser::find_by_organization_and_user_uuid(&self.org_uuid, &self.user_uuid, conn)