From 044cf199135b00e0fee27a8bc0e820baeb0988b6 Mon Sep 17 00:00:00 2001 From: Miroslav Prasil Date: Fri, 16 Nov 2018 14:21:26 +0000 Subject: [PATCH] Prevent accepted user from seeing ciphers until confirmed (fixes #196) --- src/db/models/cipher.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs index db0db473..b723dcbb 100644 --- a/src/db/models/cipher.rs +++ b/src/db/models/cipher.rs @@ -318,7 +318,9 @@ impl Cipher { .filter(ciphers::user_uuid.eq(user_uuid).or( // Cipher owner users_organizations::access_all.eq(true).or( // access_all in Organization users_organizations::type_.le(UserOrgType::Admin as i32).or( // Org admin or owner - users_collections::user_uuid.eq(user_uuid) // Access to Collection + users_collections::user_uuid.eq(user_uuid).and( // Access to Collection + users_organizations::status.eq(UserOrgStatus::Confirmed as i32) + ) ) ) ))