Add RBAC to Bitwarden Portal (#2853)

* Auth/pm-48 (#2680)

* PM-48 - add user's role as a claim and establish access control service

* PM-48 - remove function unrelated to the role claim

* PM-48 - fix whitespace issues

* PM-48 - move registration of CustomClaimsPrincipalFactory, replace role claim type string with constant, streamline code that retrieves the user's role

* Auth/pm-47 (#2699)

* PM-48 - add user's role as a claim and establish access control service

* PM-48 - remove function unrelated to the role claim

* PM-48 - fix whitespace issues

* PM-47 - add list of permission enums, role:permissions mapping, and function that determines if the logged in user has the given permission

* PM-47 - remove unneeded service registration, set role to lowercase

* PM-47 - fix code style issues

* PM-46 - create permission filter attribute (#2753)

* Auth/pm-54 add rbac for users (#2758)

* PM-54 - add permission gates to User elements

* PM-54 - fix formatting

* PM-54 - remove unused function

* PM-54 - fix variable reference, add permission to billing role

* PM-54 - handle Upgrade Premium button functionality and fix spelling

* PM-54 - change permission name to be more accurate

* PM-49 - update role retrieval (#2779)

* Auth/[PM-50] add rbac for logs (#2782)

* PM-50 - add rbac for logs

* PM-50 - remove unnecessary action filter

* PM-51 - add RBAC for tools (#2799)

* Auth/[pm-52] add rbac providers (#2818)

* PM-52 add rbac for providers

* PM-52 - update redirect action

* PM-52 - add back edit functionality and permission

* PM-52 - reverse changes around removing edit functionality

* PM-52 - moved permission check to variable assignement

* PM-53 - add rbac for organizations (#2798)

* PM-52 - add missed permission to billing role (#2836)

* Fixed merge conflicts.

* [PM-1846] Updates to add RBAC back after merge conflicts (#2870)

* Updates to add RBAC to changes from reseller.

* Added back checks for delete and initiating a trial.

* Removed extraneous Razor tag.

---------

Co-authored-by: dgoodman-bw <109169446+dgoodman-bw@users.noreply.github.com>
Co-authored-by: Danielle Goodman <dgoodman@bitwarden.com>
Co-authored-by: Jacob Fink <jfink@bitwarden.com>

src/Admin/Controllers/UsersController.cs

@@ -1,4 +1,7 @@
-using Bit.Admin.Models;
+using Bit.Admin.Enums;
+using Bit.Admin.Models;
+using Bit.Admin.Services;
+using Bit.Admin.Utilities;
 using Bit.Core.Entities;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -17,19 +20,23 @@ public class UsersController : Controller
     private readonly ICipherRepository _cipherRepository;
     private readonly IPaymentService _paymentService;
     private readonly GlobalSettings _globalSettings;
+    private readonly IAccessControlService _accessControlService;
 
     public UsersController(
         IUserRepository userRepository,
         ICipherRepository cipherRepository,
         IPaymentService paymentService,
-        GlobalSettings globalSettings)
+        GlobalSettings globalSettings,
+        IAccessControlService accessControlService)
     {
         _userRepository = userRepository;
         _cipherRepository = cipherRepository;
         _paymentService = paymentService;
         _globalSettings = globalSettings;
+        _accessControlService = accessControlService;
     }
 
+    [RequirePermission(Permission.User_List_View)]
     public async Task<IActionResult> Index(string email, int page = 1, int count = 25)
     {
         if (page < 1)
@@ -91,13 +98,36 @@ public class UsersController : Controller
             return RedirectToAction("Index");
         }
 
-        model.ToUser(user);
+        var canUpgradePremium = _accessControlService.UserHasPermission(Permission.User_UpgradePremium);
+
+        if (_accessControlService.UserHasPermission(Permission.User_Premium_Edit) ||
+            canUpgradePremium)
+        {
+            user.MaxStorageGb = model.MaxStorageGb;
+            user.Premium = model.Premium;
+        }
+
+        if (_accessControlService.UserHasPermission(Permission.User_Billing_Edit))
+        {
+            user.Gateway = model.Gateway;
+            user.GatewayCustomerId = model.GatewayCustomerId;
+            user.GatewaySubscriptionId = model.GatewaySubscriptionId;
+        }
+
+        if (_accessControlService.UserHasPermission(Permission.User_Licensing_Edit) ||
+            canUpgradePremium)
+        {
+            user.LicenseKey = model.LicenseKey;
+            user.PremiumExpirationDate = model.PremiumExpirationDate;
+        }
+
         await _userRepository.ReplaceAsync(user);
         return RedirectToAction("Edit", new { id });
     }
 
     [HttpPost]
     [ValidateAntiForgeryToken]
+    [RequirePermission(Permission.User_Delete)]
     public async Task<IActionResult> Delete(Guid id)
     {
         var user = await _userRepository.GetByIdAsync(id);