diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
index d8f60d308c..5fd9109077 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -1,6 +1,4 @@
-using Bit.Api.AdminConsole.Authorization;
-using Bit.Api.AdminConsole.Authorization.Requirements;
-using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.AdminConsole.Models.Response.Organizations;
 using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
@@ -8,10 +6,12 @@ using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Core;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
@@ -141,19 +141,31 @@ public class OrganizationUsersController : Controller
 return response;
 }
 
- [Authorize]
 [HttpGet("mini-details")]
 public async Task> GetMiniDetails(Guid orgId)
 {
+ var authorizationResult = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(orgId),
+ OrganizationUserUserMiniDetailsOperations.ReadAll);
+ if (!authorizationResult.Succeeded)
+ {
+ throw new NotFoundException();
+ }
+
 var organizationUserUserDetails = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(orgId);
 return new ListResponseModel(
 organizationUserUserDetails.Select(ou => new OrganizationUserUserMiniDetailsResponseModel(ou)));
 }
 
 [HttpGet("")]
- [Authorize]
 public async Task> Get(Guid orgId, bool includeGroups = false, bool includeCollections = false)
 {
+ var authorized = (await _authorizationService.AuthorizeAsync(
+ User, new OrganizationScope(orgId), OrganizationUserUserDetailsOperations.ReadAll)).Succeeded;
+ if (!authorized)
+ {
+ throw new NotFoundException();
+ }
+
 var organizationUsers = await _organizationUserUserDetailsQuery.GetOrganizationUserUserDetails(
 new OrganizationUserUserDetailsQueryRequest
 {
diff --git a/test/Api.IntegrationTest/AdminConsole/Authorization/OrganizationUsersControllerTests.cs b/test/Api.IntegrationTest/AdminConsole/Authorization/OrganizationUsersControllerTests.cs
deleted file mode 100644
index fc1a578b3f..0000000000
--- a/test/Api.IntegrationTest/AdminConsole/Authorization/OrganizationUsersControllerTests.cs
+++ /dev/null
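Review bot: Removing `[Authorize]` from `GetMiniDetails` and `Get` means these actions no longer enforce authentication declaratively, so unless the controller class (outside this hunk) or a global fallback policy still carries `[Authorize]`, an anonymous request reaches `_authorizationService.AuthorizeAsync` with an unauthenticated principal and the outcome rests entirely on the resource handlers denying it; either confirm that class-level attribute exists or keep `[Authorize]` on the actions alongside the imperative check. The failure path also changes from 403 to 404 via `throw new NotFoundException()`, and the integration test that pinned the Forbidden status is deleted in the same commit rather than updated, which leaves the new authorization path with no end-to-end coverage; a replacement test asserting `HttpStatusCode.NotFound` for a foreign orgId and `HttpStatusCode.OK` for the caller's own organization would restore it. The two checks are written in different shapes (`authorizationResult.Succeeded` versus an inlined `(await ...).Succeeded`); using the first form in both keeps the pattern consistent and easy to search for. `Get`'s body continues outside the hunk.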
@@ -1,66 +0,0 @@
-using System.Net;
-using Bit.Api.IntegrationTest.Factories;
-using Bit.Api.IntegrationTest.Helpers;
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.Billing.Enums;
-using Bit.Core.Entities;
-using Bit.Core.Enums;
-using Xunit;
-
-namespace Bit.Api.IntegrationTest.AdminConsole.Authorization;
-
-public class OrganizationUsersControllerTests : IClassFixture, IAsyncLifetime
-{
- private readonly HttpClient _client;
- private readonly ApiApplicationFactory _factory;
- private readonly LoginHelper _loginHelper;
-
- // These will get set in `InitializeAsync` which is run before all tests
- private Organization _organization = null!;
- private OrganizationUser _organizationUser = null!;
- private string _ownerEmail = null!;
-
- public OrganizationUsersControllerTests(ApiApplicationFactory factory)
- {
- _factory = factory;
- _client = factory.CreateClient();
- _loginHelper = new LoginHelper(_factory, _client);
- }
-
- public async Task InitializeAsync()
- {
- // Create the owner account
- _ownerEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
- await _factory.LoginWithNewAccount(_ownerEmail);
-
- // Create the organization
- (_organization, _organizationUser) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually2023,
- ownerEmail: _ownerEmail, passwordManagerSeats: 10, paymentMethod: PaymentMethodType.Card);
-
- // Login as the user
- await _loginHelper.LoginAsync(_ownerEmail);
- }
-
- public Task DisposeAsync()
- {
- _client.Dispose();
- return Task.CompletedTask;
- }
-
- [Fact]
- public async Task GetMiniDetails_Authorization_Fail()
- {
- // Request is for a random organizationId not in their claims
- var organizationId = Guid.NewGuid();
- var response = await _client.GetAsync($"/organizations/{organizationId}/users/mini-details");
- Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
- }
-
- [Fact]
- public async Task GetMiniDetails_Authorization_Success()
- {
- // Request is for their organization
- var response = await _client.GetAsync($"/organizations/{_organization.Id}/users/mini-details");
- Assert.Equal(HttpStatusCode.OK, response.StatusCode);
- }
-}