[AC-1748] Created GroupAuthorizationHandler and modified GroupsController.Get to use it if flexible collections feature flag is enabled

src/Api/Controllers/GroupsController.cs

@@ -1,7 +1,11 @@
 using Bit.Api.Models.Request;
 using Bit.Api.Models.Response;
+using Bit.Api.Vault.AuthorizationHandlers.Groups;
+using Bit.Core;
 using Bit.Core.Context;
+using Bit.Core.Entities;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
 using Bit.Core.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -21,6 +25,10 @@ public class GroupsController : Controller
     private readonly ICurrentContext _currentContext;
     private readonly ICreateGroupCommand _createGroupCommand;
     private readonly IUpdateGroupCommand _updateGroupCommand;
+    private readonly IFeatureService _featureService;
+    private readonly IAuthorizationService _authorizationService;
+
+    private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
 
     public GroupsController(
         IGroupRepository groupRepository,
@@ -29,7 +37,9 @@ public class GroupsController : Controller
         ICurrentContext currentContext,
         ICreateGroupCommand createGroupCommand,
         IUpdateGroupCommand updateGroupCommand,
-        IDeleteGroupCommand deleteGroupCommand)
+        IDeleteGroupCommand deleteGroupCommand,
+        IFeatureService featureService,
+        IAuthorizationService authorizationService)
     {
         _groupRepository = groupRepository;
         _groupService = groupService;
@@ -38,6 +48,8 @@ public class GroupsController : Controller
         _createGroupCommand = createGroupCommand;
         _updateGroupCommand = updateGroupCommand;
         _deleteGroupCommand = deleteGroupCommand;
+        _featureService = featureService;
+        _authorizationService = authorizationService;
     }
 
     [HttpGet("{id}")]
@@ -65,20 +77,34 @@ public class GroupsController : Controller
     }
 
     [HttpGet("")]
-    public async Task<ListResponseModel<GroupDetailsResponseModel>> Get(string orgId)
+    public async Task<ListResponseModel<GroupDetailsResponseModel>> Get(Guid orgId)
     {
-        var orgIdGuid = new Guid(orgId);
-        var canAccess = await _currentContext.ManageGroups(orgIdGuid) ||
-            await _currentContext.ViewAssignedCollections(orgIdGuid) ||
-            await _currentContext.ViewAllCollections(orgIdGuid) ||
-            await _currentContext.ManageUsers(orgIdGuid);
+        ICollection<Tuple<Group, ICollection<CollectionAccessSelection>>> groups;
 
-        if (!canAccess)
+        if (FlexibleCollectionsIsEnabled)
         {
-            throw new NotFoundException();
+            groups = await _groupRepository.GetManyWithCollectionsByOrganizationIdAsync(orgId);
+            var authorized = (await _authorizationService.AuthorizeAsync(User, groups.Select(g => g.Item1), GroupOperations.Read)).Succeeded;
+            if (!authorized)
+            {
+                throw new NotFoundException();
+            }
+        }
+        else
+        {
+            var canAccess = await _currentContext.ManageGroups(orgId) ||
+                            await _currentContext.ViewAssignedCollections(orgId) ||
+                            await _currentContext.ViewAllCollections(orgId) ||
+                            await _currentContext.ManageUsers(orgId);
+
+            if (!canAccess)
+            {
+                throw new NotFoundException();
+            }
+
+            groups = await _groupRepository.GetManyWithCollectionsByOrganizationIdAsync(orgId);
         }
 
-        var groups = await _groupRepository.GetManyWithCollectionsByOrganizationIdAsync(orgIdGuid);
         var responses = groups.Select(g => new GroupDetailsResponseModel(g.Item1, g.Item2));
         return new ListResponseModel<GroupDetailsResponseModel>(responses);
     }