[EC-647] OAVR v2 Feature Branch Merge (#2588)

* [EC-19] Move SSO Identifier to Org SSO endpoint (#2184) * [EC-19] Move SSO identifier to Org SSO config endpoint * [EC-19] Add Jira tech debt issue reference * [EC-542] Update email communications (#2348) * [EC-73] Add users alongside groups for collection details (#2358) * [EC-73] feat: add new stored procedures * [EC-73] feat: add migration * [EC-73] chore: rename collection group details * [EC-73] fix: migration * [EC-73] feat: return users from dapper repo * [EC-73] feat: EF support for collection users * [EC-73] feat: implement updating users in EF * [EC-73] feat: new collections with users in EF * [EC-73] feat: create with users in dapper * [EC-73] feat: update with users in dapper * [EC-73] fix: collection service tests * [EC-73] fix: lint * [EC-73] feat: add new data model and rename for clarity * [EC-73] chore: add future migrations * [EC-16 / EC-86] Implement Groups Table Endpoints (#2280) * [EC-16] Update Group endpoints/repositories to include necessary collection info * [EC-16] Add delete many groups endpoint and command * [EC-16] Add DeleteGroupCommand unit tests * [EC-16] Update migration script * [EC-16] Formatting * [EC-16] Support modifying users via Post Group endpoint - Add optional Users property to GroupRequestModel - Add users parameter to the GroupService.SaveAsync() method - Use the users argument to update the Group via the GroupRepository if present. * [EC-16] Add/update Sprocs for bulk group deletion - Add a new bump account revision date by multiple org ids sproc to be used by the delete many group sproc. - Update the delete many group sproc to no longer require the organization Id as authorization is a business concern. * [EC-16] No longer require org Id in delete many GroupRepository The group repository should not care about which organization a group belongs to when being deleted. That is a business logic concern and is not necessary at the repository level. * [EC-16] Remove org Id from delete many group command - Remove the organization Id from the delete many method. - Require Group entities instead of just group Ids so that group retrieval is completed outside the command. - No longer return deleted groups as they are now being passed into the command. - Update unit tests * [EC-16] Remove org id from bulk delete group endpoint - Remove the Org Id from the endpoint and make use of the updated delete many command * [EC-16] Rename delete many groups sproc * [EC-16] Update migration script * [EC-16] Fix typo in migration script * [EC-16] Fix order of operations in Group_DeleteByIds sproc * [EC-16] Formatting * [EC-86] Fix DeleteManyAsync parameter name Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> * [EC-16] Add missing sproc to sqlproj file * [EC-16] Improve GroupRepository method performance Use GroupBy before marrying Groups and Collections to avoid iterating over all collections for every group) * [EC-16] Use ToListAsync() to be consistent in the repository * [EC-16] Fix collection grouping in the EF repository * [EC-16] Adjust DeleteGroup command namespace to be less verbose * [EC-16] Cleanup DeleteGroupCommandTests * [EC-16] Formatting * [EC-16] Ensure a non-null group collection list is provided * [EC-16] Add bulk GroupEvents method to EventService - Use the new method in the DeleteGroups command * [EC-16] Remove bulk delete group Api response The response is unnecessary and not used by the client * [EC-16] Log OrganizationUser_UpdateGroups event in GroupService Events are logged for users during both Group creation (all added users) and modification (only changed users). * [EC-16] Fix failing unit test * [EC-16] Rename newUsers variable per feedback * [EC-16] Assert delete many group log events Explicitly check for the event type and groups that are logged to the event service. * [EC-16] Update DeleteManyAsync signature Use ICollection<> instead of IEnumerable<> to avoid ambiguity of possible multiple enumeration * [EC-16] Increment migration script name Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> * Add missing GO command to EC-73 migration script (#2433) * [EC-15] Members Grid Api Support (#2485) * [EC-15] Update OrganizationUser models to support list of collections and groups * [EC-15] Add sprocs to query GroupUser and CollectionUser entities * [EC-15] Update the OrganizationUserRepository to optionally fetch groups/collections * [EC-15] Formatting * [EC-15] Remove leftover repository method * [EC-15] Fix table identifier inconsistency in sproc/migration * Formatting * [EC-14]: Server changes for Collection rows in Vault (#2360) * [EC-14] add collection management methods to repo - delete many, get many by ids, and get many with groups by org * [EC-14] connection command tests had wrong folder name * [EC-14] add collection repo methods to interface * [EC-14] create DeleteCollectionCommand * [EC-14] add getManyWithDetails collections endpoint * [EC-14] add GetManyWithGroupsByUserId * [EC-14] add call to interface * [EC-14] add GetOrganizationCollectionsWIthGroups - gets groups with collections - add tests as well * [EC-14] add call to interface * [EC-14] add new coll call to controller - gets collections with groups * [EC-14] use new delete collection command * [EC-14] add CollectionBulkDeleteRequestModel * [EC-14] remove org from delete collection cmd - move all permission checks to controller - add tests to controller - remove org check from repository method * [EC-14] add migration and sprocs * [EC-14] formatting * [EC-14] revert delete permission check changes * [EC-14] rename SelectionReadOnly to CollectionAccessSelection * [EC-14] move GetOrganizationCollectionsWithGroups to controller - there's no reason to have this logic in the service layer - we can still test the permission check in the controller - also renamed repo methods and changed return types * [EC-14] include users in collection access details * [EC-14] fix migration names * [EC-14] bumpAccountRevisionDate when deleting collections * [EC-14] new line in collection service * [EC-14] formatting and add .sql to proc file * [EC-14] more formatting * [EC-14] formatting * [EC-14] fix whitespace * [EC-14] add datetime to event log of single delete * [EC-14] remove ToList() from enumerables not returned * [EC-14] fix permissions on "Create new collection" - a custom user with "Create new collections" should see all collections * [EC-14] add bulk events for collections * [EC-14] group collections from db before iterating * [EC-14] sql formatting and missing GO * [EC-14] fix tests * [EC-14] add null handling to repo methods * [EC-14] fix account revision call * [EC-14] formatting * [EC-548] Member Details Group Tab (#2508) * [EC-548] Update models to support groups * [EC-548] Include groups in invite and save organization user methods * [EC-548] Pass groups to service methods in member/user controllers * [EC-548] Fix failing tests * [EC-548] Add option to include groups for GET org user query * Formatting * [EC-887] Server fix for managers seeing options to edit/delete Collections they aren't assigned to (#2542) * [EC-887] Add Assigned property to CollectionResponseModel A new property to determine if a collection is assigned to the acting user; as some users, have the view all collections permission, but cannot see every collection's items * [EC-887] Update logic for retrieving GET all collection details - Only need to check the ViewAllCollections permission - Calculate new Assigned response property based on the assignedOrgCollections list * Formatting * [EC-887] Update unit tests Co-authored-by: Shane Melton <smelton@bitwarden.com> Co-authored-by: Jacob Fink <jfink@bitwarden.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
2025-07-01 16:12:49 -05:00 · 2023-01-19 17:00:54 +01:00
parent 9e75f65a2d
commit 354caa3063
97 changed files with 2649 additions and 382 deletions
--- a/src/Api/Controllers/CollectionsController.cs
+++ b/src/Api/Controllers/CollectionsController.cs
@ -3,6 +3,7 @@ using Bit.Api.Models.Response;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;
@ -16,17 +17,20 @@ public class CollectionsController : Controller
 {
    private readonly ICollectionRepository _collectionRepository;
    private readonly ICollectionService _collectionService;
+    private readonly IDeleteCollectionCommand _deleteCollectionCommand;
    private readonly IUserService _userService;
    private readonly ICurrentContext _currentContext;

    public CollectionsController(
        ICollectionRepository collectionRepository,
        ICollectionService collectionService,
+        IDeleteCollectionCommand deleteCollectionCommand,
        IUserService userService,
        ICurrentContext currentContext)
    {
        _collectionRepository = collectionRepository;
        _collectionService = collectionService;
+        _deleteCollectionCommand = deleteCollectionCommand;
        _userService = userService;
        _currentContext = currentContext;
    }
@ -44,7 +48,7 @@ public class CollectionsController : Controller
    }

    [HttpGet("{id}/details")]
-    public async Task<CollectionGroupDetailsResponseModel> GetDetails(Guid orgId, Guid id)
+    public async Task<CollectionAccessDetailsResponseModel> GetDetails(Guid orgId, Guid id)
    {
        if (!await ViewAtLeastOneCollectionAsync(orgId) && !await _currentContext.ManageUsers(orgId))
        {
@ -53,25 +57,58 @@ public class CollectionsController : Controller

        if (await _currentContext.ViewAllCollections(orgId))
        {
-            var collectionDetails = await _collectionRepository.GetByIdWithGroupsAsync(id);
-            if (collectionDetails?.Item1 == null || collectionDetails.Item1.OrganizationId != orgId)
+            (var collection, var access) = await _collectionRepository.GetByIdWithAccessAsync(id);
+            if (collection == null || collection.OrganizationId != orgId)
            {
                throw new NotFoundException();
            }
-            return new CollectionGroupDetailsResponseModel(collectionDetails.Item1, collectionDetails.Item2);
+            return new CollectionAccessDetailsResponseModel(collection, access.Groups, access.Users);
        }
        else
        {
-            var collectionDetails = await _collectionRepository.GetByIdWithGroupsAsync(id,
+            (var collection, var access) = await _collectionRepository.GetByIdWithAccessAsync(id,
                _currentContext.UserId.Value);
-            if (collectionDetails?.Item1 == null || collectionDetails.Item1.OrganizationId != orgId)
+            if (collection == null || collection.OrganizationId != orgId)
            {
                throw new NotFoundException();
            }
-            return new CollectionGroupDetailsResponseModel(collectionDetails.Item1, collectionDetails.Item2);
+            return new CollectionAccessDetailsResponseModel(collection, access.Groups, access.Users);
        }
    }

+    [HttpGet("details")]
+    public async Task<ListResponseModel<CollectionAccessDetailsResponseModel>> GetManyWithDetails(Guid orgId)
+    {
+        if (!await ViewAtLeastOneCollectionAsync(orgId) && !await _currentContext.ManageUsers(orgId))
+        {
+            throw new NotFoundException();
+        }
+
+        // We always need to know which collections the current user is assigned to
+        var assignedOrgCollections = await _collectionRepository.GetManyByUserIdWithAccessAsync(_currentContext.UserId.Value, orgId);
+
+        if (await _currentContext.ViewAllCollections(orgId))
+        {
+            // The user can view all collections, but they may not always be assigned to all of them
+            var allOrgCollections = await _collectionRepository.GetManyByOrganizationIdWithAccessAsync(orgId);
+
+            return new ListResponseModel<CollectionAccessDetailsResponseModel>(allOrgCollections.Select(c =>
+                new CollectionAccessDetailsResponseModel(c.Item1, c.Item2.Groups, c.Item2.Users)
+                {
+                    // Manually determine which collections they're assigned to
+                    Assigned = assignedOrgCollections.Any(ac => ac.Item1.Id == c.Item1.Id)
+                })
+            );
+        }
+
+        return new ListResponseModel<CollectionAccessDetailsResponseModel>(assignedOrgCollections.Select(c =>
+            new CollectionAccessDetailsResponseModel(c.Item1, c.Item2.Groups, c.Item2.Users)
+            {
+                Assigned = true // Mapping from assignedOrgCollections implies they're all assigned
+            })
+        );
+    }
+
    [HttpGet("")]
    public async Task<ListResponseModel<CollectionResponseModel>> Get(Guid orgId)
    {
@ -110,11 +147,13 @@ public class CollectionsController : Controller
            throw new NotFoundException();
        }

+        var groups = model.Groups?.Select(g => g.ToSelectionReadOnly());
+        var users = model.Users?.Select(g => g.ToSelectionReadOnly());
+
        var assignUserToCollection = !(await _currentContext.EditAnyCollection(orgId)) &&
            await _currentContext.EditAssignedCollections(orgId);

-        await _collectionService.SaveAsync(collection, model.Groups?.Select(g => g.ToSelectionReadOnly()),
-            assignUserToCollection ? _currentContext.UserId : null);
+        await _collectionService.SaveAsync(collection, groups, users, assignUserToCollection ? _currentContext.UserId : null);
        return new CollectionResponseModel(collection);
    }

@ -128,8 +167,9 @@ public class CollectionsController : Controller
        }

        var collection = await GetCollectionAsync(id, orgId);
-        await _collectionService.SaveAsync(model.ToCollection(collection),
-            model.Groups?.Select(g => g.ToSelectionReadOnly()));
+        var groups = model.Groups?.Select(g => g.ToSelectionReadOnly());
+        var users = model.Users?.Select(g => g.ToSelectionReadOnly());
+        await _collectionService.SaveAsync(model.ToCollection(collection), groups, users);
        return new CollectionResponseModel(collection);
    }

@ -155,7 +195,29 @@ public class CollectionsController : Controller
        }

        var collection = await GetCollectionAsync(id, orgId);
-        await _collectionService.DeleteAsync(collection);
+        await _deleteCollectionCommand.DeleteAsync(collection);
+    }
+
+    [HttpDelete("")]
+    [HttpPost("delete")]
+    public async Task DeleteMany([FromBody] CollectionBulkDeleteRequestModel model)
+    {
+        var orgId = new Guid(model.OrganizationId);
+        var collectionIds = model.Ids.Select(i => new Guid(i));
+        if (!await _currentContext.DeleteAssignedCollections(orgId))
+        {
+            throw new NotFoundException();
+        }
+
+        var userCollections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
+        var filteredCollections = userCollections.Where(c => collectionIds.Contains(c.Id) && c.OrganizationId == orgId);
+
+        if (!filteredCollections.Any())
+        {
+            throw new BadRequestException("No collections found.");
+        }
+
+        await _deleteCollectionCommand.DeleteManyAsync(filteredCollections);
    }

    [HttpDelete("{id}/user/{orgUserId}")]