diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index 338fd68daa..138caed34b 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -143,18 +143,6 @@ public class Startup
 (c.Value.Contains(ApiScopes.Api) || c.Value.Contains(ApiScopes.ApiSecrets))
 ));
 });
-
-// Simplest implementation: check for role
-// Issues:
-// - unable to specify custom permissions
-// - multiple policies are treated as AND rather than OR
-// - does not allow for more complex conditional logic - e.g. providers can affect whether owners can view billing
-// Alternative: describe broad action/capability, e.g. ManageUsers, ManageGroups, ViewBilling, similar to CurrentContext today
-// the handler is then implemented per domain to define who can do those things
-// config.AddPolicy("owner", policy
-// => policy.AddRequirements(new RoleRequirementAttribute(OrganizationUserType.Owner)));
-// config.AddPolicy("admin", policy
-// => policy.AddRequirements(new RoleRequirementAttribute(OrganizationUserType.Admin)));
 });
 
 services.AddScoped();
@@ -268,7 +256,7 @@ public class Startup
 // Add authentication and authorization to the request pipeline.
 app.UseAuthentication();
 
-// Add current context - before authz
+// Add current context - before authz. Is this OK?
 app.UseMiddleware();
 
 app.UseAuthorization();
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationAuthorizeAttribute.cs b/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationAuthorizeAttribute.cs
index 79bb6bbd06..d7eba2a277 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationAuthorizeAttribute.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationAuthorizeAttribute.cs
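Review bot: The rewritten comment `// Add current context - before authz. Is this OK?` leaves an open question in the one place where ordering is itself a security invariant, and a question mark will not stop a later refactor from moving the `app.UseMiddleware();` call below `app.UseAuthorization();`. If the authorization handlers behind the organization requirements read the per-request context this middleware populates (which the "before authz" placement suggests but the hunk does not show), state that dependency rather than ask about it: `// Add current context - must run after UseAuthentication (needs the principal) and before UseAuthorization (handlers read it)`. If the ordering is genuinely unresolved, a `// TODO:` naming the specific concern is better than a bare question. The enclosing pipeline-configuration method starts and ends outside the hunk.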
@@ -2,6 +2,8 @@
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 
+public interface IOrganizationRequirement : IAuthorizationRequirement;
+
 public class OrganizationAuthorizeAttribute : AuthorizeAttribute, IAuthorizationRequirementData
 where T : IOrganizationRequirement, new()
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationRequirementHandler.cs b/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationRequirementHelpers.cs
similarity index 85%
rename from src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationRequirementHandler.cs
rename to src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationRequirementHelpers.cs
index 672cfd9f92..4f17dfe135 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationRequirementHandler.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationRequirementHelpers.cs
@@ -1,13 +1,10 @@
 #nullable enable
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Routing;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 
-public interface IOrganizationRequirement : IAuthorizationRequirement;
-
 public static class OrganizationRequirementHelpers
 {
 public static Guid? GetOrganizationId(this IHttpContextAccessor httpContextAccessor)
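Review bot: The relocated `public interface IOrganizationRequirement : IAuthorizationRequirement;` is a public marker type with no XML doc comment, and it now shares OrganizationAuthorizeAttribute.cs with the attribute instead of living in its own file. Because the `where T : IOrganizationRequirement, new()` constraint is what admits a requirement to the attribute, the summary should say what implementing it commits a type to, e.g. `/// <summary>Marker for authorization requirements that are evaluated against the organization of the current request; only such types may be used with the organization authorize attribute.</summary>` — how that organization is resolved is not shown in this hunk, so keep the wording that general. Consider moving the interface to IOrganizationRequirement.cs to keep one public type per file, since the rename in this same commit already separates the helpers from the requirement types. The attribute class continues past the end of the hunk.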