From dfb12320817a58484d259011e49d9552b450f2bc Mon Sep 17 00:00:00 2001
From: Miroslav Prasil <miroslav@prasil.info>
Date: Fri, 11 May 2018 14:24:41 +0100
Subject: [PATCH] Filter collection lists based on user

---
 src/api/core/ciphers.rs |  2 +-
 src/db/models/cipher.rs | 22 +++++++++++++++++++---
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/api/core/ciphers.rs b/src/api/core/ciphers.rs
index d3d4717..a8ba1c5 100644
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -318,7 +318,7 @@ fn post_collections_admin(uuid: String, data: Json<CollectionsAdminData>, header
     }
 
     let posted_collections: HashSet<String> = data.collectionIds.iter().cloned().collect();
-    let current_collections: HashSet<String> = cipher.get_collections(&conn).iter().cloned().collect();
+    let current_collections: HashSet<String> = cipher.get_collections(&headers.user.uuid ,&conn).iter().cloned().collect();
 
     for collection in posted_collections.symmetric_difference(&current_collections) {
         match Collection::find_by_uuid(&collection, &conn) {
diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
index 94077e5..e72c2ab 100644
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -3,7 +3,7 @@ use serde_json::Value as JsonValue;
 
 use uuid::Uuid;
 
-use super::{User, Organization, UserOrganization, FolderCipher};
+use super::{User, Organization, UserOrganization, FolderCipher, UserOrgType};
 
 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "ciphers"]
@@ -98,7 +98,7 @@ impl Cipher {
             "OrganizationId": self.organization_uuid,
             "Attachments": attachments_json,
             "OrganizationUseTotp": false,
-            "CollectionIds": self.get_collections(&conn),
+            "CollectionIds": self.get_collections(user_uuid, &conn),
 
             "Name": self.name,
             "Notes": self.notes,
@@ -242,9 +242,25 @@ impl Cipher {
             .load::<Self>(&**conn).expect("Error loading ciphers")
     }
 
-    pub fn get_collections(&self, conn: &DbConn) -> Vec<String> {
+    pub fn get_collections(&self, user_id: &str, conn: &DbConn) -> Vec<String> {
         ciphers_collections::table
+        .inner_join(collections::table.on(
+            collections::uuid.eq(ciphers_collections::collection_uuid)
+        ))
+        .inner_join(users_organizations::table.on(
+            users_organizations::org_uuid.eq(collections::org_uuid).and(
+                users_organizations::user_uuid.eq(user_id)
+            )
+        ))
+        .left_join(users_collections::table.on(
+            users_collections::collection_uuid.eq(ciphers_collections::collection_uuid)
+        ))
         .filter(ciphers_collections::cipher_uuid.eq(&self.uuid))
+        .filter(users_collections::user_uuid.eq(user_id).or( // User has access to collection
+            users_organizations::access_all.eq(true).or( // User has access all
+                users_organizations::type_.le(UserOrgType::Admin as i32) // User is admin or owner
+            )
+        ))
         .select(ciphers_collections::collection_uuid)
         .load::<String>(&**conn).unwrap_or(vec![])
     }