[AC-2171] Member modal - limit admin access - editing self (#3893)

* Restrict admins from adding themselves to groups Updated OrganizationUsersController only, GroupsController to be updated separately * Delete unused api method
2025-06-30 15:42:48 -05:00 · 2024-03-22 12:37:30 +10:00
parent 90a5862840
commit 1c2acbec3a
3 changed files with 130 additions and 34 deletions
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
@ -1,10 +1,15 @@
-using Bit.Api.AdminConsole.Controllers;
+using System.Security.Claims;
+using Bit.Api.AdminConsole.Controllers;
 using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Context;
 using Bit.Core.Entities;
+using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@ -94,4 +99,106 @@ public class OrganizationUsersControllerTests
        await sutProvider.GetDependency<IOrganizationService>().Received(1)
            .UpdateUserResetPasswordEnrollmentAsync(orgId, user.Id, model.ResetPasswordKey, user.Id);
    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Put_Success(OrganizationUserUpdateRequestModel model,
+        OrganizationUser organizationUser, OrganizationAbility organizationAbility,
+        SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
+    {
+        var orgId = organizationAbility.Id = organizationUser.OrganizationId;
+        sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(organizationUser.Id).Returns(organizationUser);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
+            .Returns(organizationAbility);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUserId);
+
+        var orgUserId = organizationUser.Id;
+        var orgUserEmail = organizationUser.Email;
+
+        await sutProvider.Sut.Put(orgId, organizationUser.Id, model);
+
+        sutProvider.GetDependency<IOrganizationService>().Received(1).SaveUserAsync(Arg.Is<OrganizationUser>(ou =>
+            ou.Type == model.Type &&
+            ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
+            ou.AccessSecretsManager == model.AccessSecretsManager &&
+            ou.Id == orgUserId &&
+            ou.Email == orgUserEmail),
+            savingUserId,
+            Arg.Is<List<CollectionAccessSelection>>(cas =>
+                cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
+            model.Groups);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Put_UpdateSelf_WithoutAllowAdminAccessToAllCollectionItems_DoesNotUpdateGroups(OrganizationUserUpdateRequestModel model,
+        OrganizationUser organizationUser, OrganizationAbility organizationAbility,
+        SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
+    {
+        // Updating self
+        organizationUser.UserId = savingUserId;
+        organizationAbility.FlexibleCollections = true;
+        organizationAbility.AllowAdminAccessToAllCollectionItems = false;
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
+
+        var orgId = organizationAbility.Id = organizationUser.OrganizationId;
+        sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(organizationUser.Id).Returns(organizationUser);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
+            .Returns(organizationAbility);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUserId);
+
+        var orgUserId = organizationUser.Id;
+        var orgUserEmail = organizationUser.Email;
+
+        await sutProvider.Sut.Put(orgId, organizationUser.Id, model);
+
+        sutProvider.GetDependency<IOrganizationService>().Received(1).SaveUserAsync(Arg.Is<OrganizationUser>(ou =>
+            ou.Type == model.Type &&
+            ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
+            ou.AccessSecretsManager == model.AccessSecretsManager &&
+            ou.Id == orgUserId &&
+            ou.Email == orgUserEmail),
+            savingUserId,
+            Arg.Is<List<CollectionAccessSelection>>(cas =>
+                cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
+            null);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Put_UpdateSelf_WithAllowAdminAccessToAllCollectionItems_DoesUpdateGroups(OrganizationUserUpdateRequestModel model,
+        OrganizationUser organizationUser, OrganizationAbility organizationAbility,
+        SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
+    {
+        // Updating self
+        organizationUser.UserId = savingUserId;
+        organizationAbility.FlexibleCollections = true;
+        organizationAbility.AllowAdminAccessToAllCollectionItems = true;
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
+
+        var orgId = organizationAbility.Id = organizationUser.OrganizationId;
+        sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(organizationUser.Id).Returns(organizationUser);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
+            .Returns(organizationAbility);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUserId);
+
+        var orgUserId = organizationUser.Id;
+        var orgUserEmail = organizationUser.Email;
+
+        await sutProvider.Sut.Put(orgId, organizationUser.Id, model);
+
+        sutProvider.GetDependency<IOrganizationService>().Received(1).SaveUserAsync(Arg.Is<OrganizationUser>(ou =>
+            ou.Type == model.Type &&
+            ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
+            ou.AccessSecretsManager == model.AccessSecretsManager &&
+            ou.Id == orgUserId &&
+            ou.Email == orgUserEmail),
+            savingUserId,
+            Arg.Is<List<CollectionAccessSelection>>(cas =>
+                cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
+            model.Groups);
+    }
 }