From 343ab2d8a98d60450d942eec986aaee623fa2f97 Mon Sep 17 00:00:00 2001
From: Thomas Rittson
Date: Mon, 9 Oct 2023 14:29:48 +1000
Subject: [PATCH] Fix logic, add comment
---
 src/Api/Controllers/CollectionsController.cs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/Api/Controllers/CollectionsController.cs b/src/Api/Controllers/CollectionsController.cs
index bbda9ae86f..5e3012194c 100644
--- a/src/Api/Controllers/CollectionsController.cs
+++ b/src/Api/Controllers/CollectionsController.cs
@@ -159,7 +159,7 @@ public class CollectionsController : Controller
 var authorized = FlexibleCollectionsIsEnabled()
 ? (await _authorizationService.AuthorizeAsync(User, collection, CollectionOperations.Create)).Succeeded
- : await CanCreateCollection(orgId, collection.Id) && await CanEditCollectionAsync(orgId, collection.Id);
+ : await CanCreateCollection(orgId, collection.Id) || await CanEditCollectionAsync(orgId, collection.Id);
 if (!authorized)
 {
 throw new NotFoundException();
@@ -202,6 +202,8 @@ public class CollectionsController : Controller
 [HttpPost("bulk-access")]
 [RequireFeature(FeatureFlagKeys.BulkCollectionAccess)]
+ // Also gated behind Flexible Collections flag because it only has new authorization logic.
+ // Could be removed if legacy authorization logic were implemented for many collections.
 [RequireFeature(FeatureFlagKeys.FlexibleCollections)]
 public async Task PostBulkCollectionAccess([FromBody] BulkCollectionAccessRequestModel model)
 {
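Review bot: The legacy branch of `authorized` now passes when only one of `CanCreateCollection` or `CanEditCollectionAsync` returns true (`||` where it was `&&`), and neither the hunk nor the commit message ("Fix logic") records why one permission alone should suffice. A mistake in this expression is an access-control bypass rather than a functional bug, so state the rule in a comment above the ternary, e.g. `// Legacy (pre-Flexible Collections) check: either permission is sufficient.`. The flag-off path also deserves tests for all four combinations of the two helpers, asserting `NotFoundException` when both are false. Both helpers and the rest of the action are outside this hunk, so whether `collection.Id` is already meaningful at this point (the flagged branch authorizes `CollectionOperations.Create`) should be confirmed against the full method.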
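Review bot: The added comment on `[RequireFeature(FeatureFlagKeys.FlexibleCollections)]` says the gate "could be removed", which understates its role: by the comment's own account the action has no legacy authorization path, so the flag is acting as an access-control precondition. I would word it as a constraint instead, e.g. `// Security: do not remove this gate until legacy authorization exists for bulk operations; this action only implements the new authorization logic.` The body of `PostBulkCollectionAccess` is outside the hunk, so the authorization it actually performs could not be checked here.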