[AC-2274] Restrict Admin POST/PUT/DELETE Cipher Endpoints for V1 FC #3879
Conversation
Codecov Report
Attention: Patch coverage is

Additional details and impacted files

@@ Coverage Diff @@
            main     #3879    +/-
Coverage    37.83%   38.02%   +0.18%
Files       1192     1192
Lines       57958    57981    +23
Branches    5549     5555     +6
Hits        21930    22045    +115
Misses      34995    34896    -99
Partials    1033     1040     +7

View full report in Codecov by Sentry.
LGTM
@gbubemismith I had to undo the change to the Purge endpoints as Owners should still be able to purge an organization vault regardless of the collection management setting.
Fixed Issues
Type of change
Objective
#3676 focused on adding new endpoints to restrict admins from reading all organization ciphers when the AllowAdminAccessToAllCollectionItems setting is disabled. This PR prevents admins from editing/deleting ciphers when that setting is disabled.

Code changes
CanEditAnyCipherAsAdminAsync() helper
Creates a new helper to determine whether the current user has admin capabilities based on the new logic defined in Flexible Collections V1. If Flexible Collections has not been enabled for the organization, or the V1 flag is disabled, the helper falls back to the current behavior (_currentContext.EditAnyCollections(orgId)). All instances of _currentContext.EditAnyCollections(orgId) are then replaced with the new helper.

Before you submit
(dotnet format --verify-no-changes) (required)
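Added illustration (not the Bitwarden server's own code) of the gating the helper described under Code changes performs, together with the purge exception from the review comment; the OrgSettings record, the delegate stand-ins for _currentContext, the Owner-role check and the exact V1 condition (setting enabled AND EditAnyCollections) are assumptions.

```csharp
using System;

// Constructed stand-in for the organization fields the helper consults (assumed names).
public record OrgSettings(bool FlexibleCollections, bool AllowAdminAccessToAllCollectionItems);

public class CipherAdminAccess
{
    private readonly Func<Guid, bool> _editAnyCollections; // stands in for _currentContext.EditAnyCollections(orgId)
    private readonly Func<Guid, bool> _isOwner;            // assumed Owner-role check
    private readonly Func<Guid, OrgSettings> _getOrg;      // assumed organization lookup
    private readonly bool _flexibleCollectionsV1;          // assumed feature-flag value

    public CipherAdminAccess(Func<Guid, bool> editAnyCollections, Func<Guid, bool> isOwner,
                             Func<Guid, OrgSettings> getOrg, bool flexibleCollectionsV1)
    {
        _editAnyCollections = editAnyCollections;
        _isOwner = isOwner;
        _getOrg = getOrg;
        _flexibleCollectionsV1 = flexibleCollectionsV1;
    }

    // Synchronous sketch of CanEditAnyCipherAsAdminAsync(): legacy behaviour unless FC V1 applies.
    public bool CanEditAnyCipherAsAdmin(Guid orgId)
    {
        var org = _getOrg(orgId);
        if (!org.FlexibleCollections || !_flexibleCollectionsV1)
            return _editAnyCollections(orgId); // fallback: pre-FC-V1 behaviour
        // FC V1 (assumed combination): admin-level edit/delete of any cipher only when the
        // organization lets admins access all collection items AND the user can edit any collection.
        return org.AllowAdminAccessToAllCollectionItems && _editAnyCollections(orgId);
    }

    // Purge is intentionally not gated on the collection-management setting (per the review note).
    public bool CanPurgeOrganizationVault(Guid orgId) => _isOwner(orgId);

    public static void Main()
    {
        var orgId = Guid.NewGuid();
        // Constructed case: FC org with admin access to all items disabled; the user is an Owner.
        var restricted = new OrgSettings(FlexibleCollections: true, AllowAdminAccessToAllCollectionItems: false);
        var v1 = new CipherAdminAccess(_ => true, _ => true, _ => restricted, flexibleCollectionsV1: true);
        Console.WriteLine($"edit any cipher (V1): {v1.CanEditAnyCipherAsAdmin(orgId)}");
        Console.WriteLine($"purge vault (V1):     {v1.CanPurgeOrganizationVault(orgId)}");
        // Same user with the V1 flag off: the legacy EditAnyCollections result applies.
        var legacy = new CipherAdminAccess(_ => true, _ => true, _ => restricted, flexibleCollectionsV1: false);
        Console.WriteLine($"edit any cipher (legacy): {legacy.CanEditAnyCipherAsAdmin(orgId)}");
    }
}
```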