[AC-2171] Member modal - limit admin access - editing self (#3893)

* Restrict admins from adding themselves to groups Updated OrganizationUsersController only, GroupsController to be updated separately * Delete unused api method
2025-06-30 15:42:48 -05:00 · 2024-03-22 12:37:30 +10:00
parent 90a5862840
commit 1c2acbec3a
3 changed files with 130 additions and 34 deletions
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@ -4,6 +4,7 @@ using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
 using Bit.Api.Utilities;
 using Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
+using Bit.Core;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
@ -41,6 +42,7 @@ public class OrganizationUsersController : Controller
    private readonly IAcceptOrgUserCommand _acceptOrgUserCommand;
    private readonly IAuthorizationService _authorizationService;
    private readonly IApplicationCacheService _applicationCacheService;
+    private readonly IFeatureService _featureService;

    public OrganizationUsersController(
        IOrganizationRepository organizationRepository,
@ -56,7 +58,8 @@ public class OrganizationUsersController : Controller
        IUpdateOrganizationUserGroupsCommand updateOrganizationUserGroupsCommand,
        IAcceptOrgUserCommand acceptOrgUserCommand,
        IAuthorizationService authorizationService,
-        IApplicationCacheService applicationCacheService)
+        IApplicationCacheService applicationCacheService,
+        IFeatureService featureService)
    {
        _organizationRepository = organizationRepository;
        _organizationUserRepository = organizationUserRepository;
@ -72,6 +75,7 @@ public class OrganizationUsersController : Controller
        _acceptOrgUserCommand = acceptOrgUserCommand;
        _authorizationService = authorizationService;
        _applicationCacheService = applicationCacheService;
+        _featureService = featureService;
    }

    [HttpGet("{id}")]
@ -305,43 +309,34 @@ public class OrganizationUsersController : Controller

    [HttpPut("{id}")]
    [HttpPost("{id}")]
-    public async Task Put(string orgId, string id, [FromBody] OrganizationUserUpdateRequestModel model)
+    public async Task Put(Guid orgId, Guid id, [FromBody] OrganizationUserUpdateRequestModel model)
    {
-        var orgGuidId = new Guid(orgId);
-        if (!await _currentContext.ManageUsers(orgGuidId))
+        if (!await _currentContext.ManageUsers(orgId))
        {
            throw new NotFoundException();
        }

-        var organizationUser = await _organizationUserRepository.GetByIdAsync(new Guid(id));
-        if (organizationUser == null || organizationUser.OrganizationId != orgGuidId)
+        var organizationUser = await _organizationUserRepository.GetByIdAsync(id);
+        if (organizationUser == null || organizationUser.OrganizationId != orgId)
        {
            throw new NotFoundException();
        }

-        var userId = _userService.GetProperUserId(User);
-        await _organizationService.SaveUserAsync(model.ToOrganizationUser(organizationUser), userId.Value,
-            model.Collections?.Select(c => c.ToSelectionReadOnly()).ToList(), model.Groups);
-    }
+        // If admins are not allowed access to all collections, you cannot add yourself to a group
+        // In this case we just don't update groups
+        var userId = _userService.GetProperUserId(User).Value;
+        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
+        var restrictEditingGroups = _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1) &&
+                                    organizationAbility.FlexibleCollections &&
+                                    userId == organizationUser.UserId &&
+                                    !organizationAbility.AllowAdminAccessToAllCollectionItems;

-    [HttpPut("{id}/groups")]
-    [HttpPost("{id}/groups")]
-    public async Task PutGroups(string orgId, string id, [FromBody] OrganizationUserUpdateGroupsRequestModel model)
-    {
-        var orgGuidId = new Guid(orgId);
-        if (!await _currentContext.ManageUsers(orgGuidId))
-        {
-            throw new NotFoundException();
-        }
+        var groups = restrictEditingGroups
+            ? null
+            : model.Groups;

-        var organizationUser = await _organizationUserRepository.GetByIdAsync(new Guid(id));
-        if (organizationUser == null || organizationUser.OrganizationId != orgGuidId)
-        {
-            throw new NotFoundException();
-        }
-
-        var loggedInUserId = _userService.GetProperUserId(User);
-        await _updateOrganizationUserGroupsCommand.UpdateUserGroupsAsync(organizationUser, model.GroupIds.Select(g => new Guid(g)), loggedInUserId);
+        await _organizationService.SaveUserAsync(model.ToOrganizationUser(organizationUser), userId,
+            model.Collections?.Select(c => c.ToSelectionReadOnly()).ToList(), groups);
    }

    [HttpPut("{userId}/reset-password-enrollment")]