Skip to content

Commit

Permalink
WIP: Convert Manager to Custom Role
Browse files Browse the repository at this point in the history
  • Loading branch information
BlackDex committed Oct 29, 2024
1 parent 33bae5f commit bb3328b
Show file tree
Hide file tree
Showing 2 changed files with 48 additions and 15 deletions.
15 changes: 13 additions & 2 deletions src/api/core/organizations.rs
Original file line number Diff line number Diff line change
Expand Up @@ -1308,6 +1308,8 @@ struct EditUserData {
groups: Option<Vec<String>>,
#[serde(default)]
access_all: bool,
#[serde(default)]
permissions: HashMap<String, Value>,
}

#[put("/organizations/<org_id>/users/<org_user_id>", data = "<data>", rank = 1)]
Expand All @@ -1329,13 +1331,22 @@ async fn edit_user(
headers: AdminHeaders,
mut conn: DbConn,
) -> EmptyResult {
let data: EditUserData = data.into_inner();
let mut data: EditUserData = data.into_inner();

let new_type = match UserOrgType::from_str(&data.r#type.into_string()) {
let raw_type = &data.r#type.into_string();
let new_type = match UserOrgType::from_str(raw_type) {
Some(new_type) => new_type,
None => err!("Invalid type"),
};

if raw_type.eq("4")
&& data.permissions.get("editAnyCollection") == Some(&json!(true))
&& data.permissions.get("deleteAnyCollection") == Some(&json!(true))
&& data.permissions.get("createNewCollections") == Some(&json!(true))
{
data.access_all = true;
}

let mut user_to_edit = match UserOrganization::find_by_uuid_and_org(org_user_id, org_id, &mut conn).await {
Some(user) => user,
None => err!("The specified user isn't member of the organization"),
Expand Down
48 changes: 35 additions & 13 deletions src/db/models/organization.rs
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ impl UserOrgType {
"1" | "Admin" => Some(UserOrgType::Admin),
"2" | "User" => Some(UserOrgType::User),
"3" | "Manager" => Some(UserOrgType::Manager),
"4" | "Custom" => Some(UserOrgType::Manager), // Link the Custom type to Manager
_ => None,
}
}
Expand All @@ -85,7 +86,7 @@ impl Ord for UserOrgType {
3, // Owner
2, // Admin
0, // User
1, // Manager
1, // Manager && Custom
];
ACCESS_LEVEL[*self as usize].cmp(&ACCESS_LEVEL[*other as usize])
}
Expand Down Expand Up @@ -158,33 +159,46 @@ impl Organization {
pub fn to_json(&self) -> Value {
json!({
"id": self.uuid,
"identifier": null, // not supported by us
"name": self.name,
"seats": null,
"maxCollections": null,
"maxStorageGb": i16::MAX, // The value doesn't matter, we don't check server-side
"use2fa": true,
"useCustomPermissions": false,
"useCustomPermissions": true,
"useDirectory": false, // Is supported, but this value isn't checked anywhere (yet)
"useEvents": CONFIG.org_events_enabled(),
"useGroups": CONFIG.org_groups_enabled(),
"useTotp": true,
"usePolicies": true,
// "useScim": false, // Not supported (Not AGPLv3 Licensed)
"useScim": false, // Not supported (Not AGPLv3 Licensed)
"useSso": false, // Not supported
// "useKeyConnector": false, // Not supported
"useKeyConnector": false, // Not supported
"usePasswordManager": true,
"useSecretsManager": false, // Not supported (Not AGPLv3 Licensed)
"selfHost": true,
"useApi": true,
"hasPublicAndPrivateKeys": self.private_key.is_some() && self.public_key.is_some(),
"useResetPassword": CONFIG.mail_enabled(),
"allowAdminAccessToAllCollectionItems": true,
"limitCollectionCreation": true,
"limitCollectionCreationDeletion": true,
"limitCollectionDeletion": true,

"businessName": null,
"businessName": self.name,
"businessAddress1": null,
"businessAddress2": null,
"businessAddress3": null,
"businessCountry": null,
"businessTaxNumber": null,

"maxAutoscaleSeats": null,
"maxAutoscaleSmSeats": null,
"maxAutoscaleSmServiceAccounts": null,

"secretsManagerPlan": null,
"smSeats": null,
"smServiceAccounts": null,

"billingEmail": self.billing_email,
"planType": 6, // Custom plan
"usersGetPremium": true,
Expand Down Expand Up @@ -398,9 +412,9 @@ impl UserOrganization {
"ssoBound": false, // Not supported
"useSso": false, // Not supported
"useKeyConnector": false,
"useSecretsManager": false,
"useSecretsManager": false, // Not supported (Not AGPLv3 Licensed)
"usePasswordManager": true,
"useCustomPermissions": false,
"useCustomPermissions": true,
"useActivateAutofillPolicy": false,

"organizationUserId": self.uuid,
Expand All @@ -417,9 +431,12 @@ impl UserOrganization {
"familySponsorshipValidUntil": null,
"familySponsorshipToDelete": null,
"accessSecretsManager": false,
"limitCollectionCreationDeletion": false, // This should be set to true only when we can handle roles like createNewCollections
"limitCollectionCreation": true,
"limitCollectionCreationDeletion": true,
"limitCollectionDeletion": true,
"allowAdminAccessToAllCollectionItems": true,
"flexibleCollections": false,
"userIsManagedByOrganization": false, // Means not managed via the Members UI, like SSO

"permissions": permissions,

Expand Down Expand Up @@ -510,15 +527,20 @@ impl UserOrganization {
Vec::with_capacity(0)
};

let user_org_type = match self.atype {
3 => 4,
_ => self.atype,
};

let permissions = json!({
// TODO: Add support for Custom User Roles
// See: https://bitwarden.com/help/article/user-types-access-control/#custom-role
"accessEventLogs": false,
"accessImportExport": false,
"accessReports": false,
"createNewCollections": false,
"editAnyCollection": false,
"deleteAnyCollection": false,
"createNewCollections": user_org_type == 4 && self.access_all,
"editAnyCollection": user_org_type == 4 && self.access_all,
"deleteAnyCollection": user_org_type == 4 && self.access_all,
"editAssignedCollections": false,
"deleteAssignedCollections": false,
"manageGroups": false,
Expand All @@ -540,7 +562,7 @@ impl UserOrganization {
"collections": collections,

"status": status,
"type": self.atype,
"type": user_org_type,
"accessAll": self.access_all,
"twoFactorEnabled": twofactor_enabled,
"resetPasswordEnrolled": self.reset_password_key.is_some(),
Expand Down

0 comments on commit bb3328b

Please sign in to comment.