[AC-2887] Added Billing Authorization Where Missing (#4525)

* Added missing authorization validation to OrganizationBillingController endpoints * Moved authorization validation to top of each method * Resolved broken unit tests and added some new ones
2025-06-30 15:42:48 -05:00 · 2024-07-17 16:15:28 -04:00
parent 88d5a97a86
commit 45ec57f81b
3 changed files with 85 additions and 6 deletions
--- a/src/Api/Billing/Controllers/OrganizationBillingController.cs
+++ b/src/Api/Billing/Controllers/OrganizationBillingController.cs
@ -20,6 +20,11 @@ public class OrganizationBillingController(
    [HttpGet("metadata")]
    public async Task<IResult> GetMetadataAsync([FromRoute] Guid organizationId)
    {
+        if (!await currentContext.ViewBillingHistory(organizationId))
+        {
+            return TypedResults.Unauthorized();
+        }
+
        var metadata = await organizationBillingService.GetMetadata(organizationId);

        if (metadata == null)
@ -35,6 +40,11 @@ public class OrganizationBillingController(
    [HttpGet("history")]
    public async Task<IResult> GetHistoryAsync([FromRoute] Guid organizationId)
    {
+        if (!await currentContext.ViewBillingHistory(organizationId))
+        {
+            return TypedResults.Unauthorized();
+        }
+
        var organization = await organizationRepository.GetByIdAsync(organizationId);

        if (organization == null)
--- a/src/Api/Billing/Controllers/OrganizationsController.cs
+++ b/src/Api/Billing/Controllers/OrganizationsController.cs
@ -162,13 +162,13 @@ public class OrganizationsController(
    [SelfHosted(NotSelfHostedOnly = true)]
    public async Task PostSmSubscription(Guid id, [FromBody] SecretsManagerSubscriptionUpdateRequestModel model)
    {
-        var organization = await organizationRepository.GetByIdAsync(id);
-        if (organization == null)
+        if (!await currentContext.EditSubscription(id))
        {
            throw new NotFoundException();
        }

-        if (!await currentContext.EditSubscription(id))
+        var organization = await organizationRepository.GetByIdAsync(id);
+        if (organization == null)
        {
            throw new NotFoundException();
        }
@ -195,13 +195,13 @@ public class OrganizationsController(
    [SelfHosted(NotSelfHostedOnly = true)]
    public async Task<ProfileOrganizationResponseModel> PostSubscribeSecretsManagerAsync(Guid id, [FromBody] SecretsManagerSubscribeRequestModel model)
    {
-        var organization = await organizationRepository.GetByIdAsync(id);
-        if (organization == null)
+        if (!await currentContext.EditSubscription(id))
        {
            throw new NotFoundException();
        }

-        if (!await currentContext.EditSubscription(id))
+        var organization = await organizationRepository.GetByIdAsync(id);
+        if (organization == null)
        {
            throw new NotFoundException();
        }