
[EC-152] Hide Subscription/Billing information for Provider-managed organizations (#1970)

* Block billing endpoints if org is managed by Provider
This commit is contained in:
Thomas Rittson
2022-05-10 12:19:22 +10:00
committed by GitHub
parent 06c9b123f9
commit 227b725514
3 changed files with 38 additions and 17 deletions


@ -83,7 +83,7 @@ namespace Bit.Api.Controllers
public async Task<BillingResponseModel> GetBilling(string id)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
if (!await _currentContext.ManageBilling(orgIdGuid))
{
throw new NotFoundException();
}
@ -102,7 +102,7 @@ namespace Bit.Api.Controllers
public async Task<OrganizationSubscriptionResponseModel> GetSubscription(string id)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
if (!await _currentContext.ManageBilling(orgIdGuid))
{
throw new NotFoundException();
}
@ -230,10 +230,6 @@ namespace Bit.Api.Controllers
public async Task<OrganizationResponseModel> Put(string id, [FromBody] OrganizationUpdateRequestModel model)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
{
throw new NotFoundException();
}
var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
if (organization == null)
@ -241,10 +237,19 @@ namespace Bit.Api.Controllers
throw new NotFoundException();
}
var updatebilling = !_globalSettings.SelfHosted && (model.BusinessName != organization.BusinessName ||
var updateBilling = !_globalSettings.SelfHosted && (model.BusinessName != organization.BusinessName ||
model.BillingEmail != organization.BillingEmail);
await _organizationService.UpdateAsync(model.ToOrganization(organization, _globalSettings), updatebilling);
var hasRequiredPermissions = updateBilling
? await _currentContext.ManageBilling(orgIdGuid)
: await _currentContext.OrganizationOwner(orgIdGuid);
if (!hasRequiredPermissions)
{
throw new NotFoundException();
}
await _organizationService.UpdateAsync(model.ToOrganization(organization, _globalSettings), updateBilling);
return new OrganizationResponseModel(organization);
}
@ -253,7 +258,7 @@ namespace Bit.Api.Controllers
public async Task PostPayment(string id, [FromBody] PaymentRequestModel model)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
if (!await _currentContext.ManageBilling(orgIdGuid))
{
throw new NotFoundException();
}
@ -276,7 +281,7 @@ namespace Bit.Api.Controllers
public async Task<PaymentResponseModel> PostUpgrade(string id, [FromBody] OrganizationUpgradeRequestModel model)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
if (!await _currentContext.ManageBilling(orgIdGuid))
{
throw new NotFoundException();
}
@ -294,7 +299,7 @@ namespace Bit.Api.Controllers
public async Task PostSubscription(string id, [FromBody] OrganizationSubscriptionUpdateRequestModel model)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
if (!await _currentContext.ManageBilling(orgIdGuid))
{
throw new NotFoundException();
}
@ -307,7 +312,7 @@ namespace Bit.Api.Controllers
public async Task<PaymentResponseModel> PostSeat(string id, [FromBody] OrganizationSeatRequestModel model)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
if (!await _currentContext.ManageBilling(orgIdGuid))
{
throw new NotFoundException();
}
@ -325,7 +330,7 @@ namespace Bit.Api.Controllers
public async Task<PaymentResponseModel> PostStorage(string id, [FromBody] StorageRequestModel model)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
if (!await _currentContext.ManageBilling(orgIdGuid))
{
throw new NotFoundException();
}
@ -343,7 +348,7 @@ namespace Bit.Api.Controllers
public async Task PostVerifyBank(string id, [FromBody] OrganizationVerifyBankRequestModel model)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
if (!await _currentContext.ManageBilling(orgIdGuid))
{
throw new NotFoundException();
}
@ -356,7 +361,7 @@ namespace Bit.Api.Controllers
public async Task PostCancel(string id)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
if (!await _currentContext.ManageBilling(orgIdGuid))
{
throw new NotFoundException();
}
@ -369,7 +374,7 @@ namespace Bit.Api.Controllers
public async Task PostReinstate(string id)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
if (!await _currentContext.ManageBilling(orgIdGuid))
{
throw new NotFoundException();
}
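Review bot: In the Put hunk, when `updateBilling` is true the `OrganizationOwner` check is replaced by `ManageBilling` rather than combined with it, so whether a principal that may manage billing but is not an owner can also change the non-billing fields that `model.ToOrganization` maps depends entirely on `ManageBilling` implying `OrganizationOwner`, which cannot be confirmed from this page. If that implication holds, a one-line comment above the ternary stating it (e.g. `// ManageBilling implies OrganizationOwner; it additionally rejects Provider-managed organizations`) would make the intent explicit; if it does not, the checks should be combined: `var hasRequiredPermissions = await _currentContext.OrganizationOwner(orgIdGuid) && (!updateBilling || await _currentContext.ManageBilling(orgIdGuid));`. The authorization check in Put now runs after `_organizationRepository.GetByIdAsync`, whereas the removed version checked before the lookup; both paths throw `NotFoundException`, so nothing extra is disclosed, but the repository read is now performed for callers who are then rejected. The Put method's body is split across the `-230` and `-241` hunks.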