From 4d36e87b6f01a2536eae16a31958e931bdf7beec Mon Sep 17 00:00:00 2001
From: Rui Tome
Date: Fri, 13 Jun 2025 15:00:01 +0100
Subject: [PATCH] Add validation in CollectionService to prevent modification of DefaultUserCollection type

* Implemented a check in DeleteUserAsync to throw a BadRequestException if an attempt is made to modify member access for collections of type DefaultUserCollection.
* Added a unit test to ensure the exception is thrown with the correct message when this condition is met.
---
 .../Implementations/CollectionService.cs | 7 +++++--
 .../Services/CollectionServiceTests.cs | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/Core/Services/Implementations/CollectionService.cs b/src/Core/Services/Implementations/CollectionService.cs
index 2a3f8c42dc..3b828955af 100644
--- a/src/Core/Services/Implementations/CollectionService.cs
+++ b/src/Core/Services/Implementations/CollectionService.cs
@@ -22,10 +22,13 @@ public class CollectionService : ICollectionService
 _collectionRepository = collectionRepository;
 }

-
-
 public async Task DeleteUserAsync(Collection collection, Guid organizationUserId)
 {
+ if (collection.Type == Enums.CollectionType.DefaultUserCollection)
+ {
+ throw new BadRequestException("You cannot modify member access for collections with the type as DefaultUserCollection.");
+ }
+
 var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId);
 if (orgUser == null || orgUser.OrganizationId != collection.OrganizationId)
 {
diff --git a/test/Core.Test/Services/CollectionServiceTests.cs b/test/Core.Test/Services/CollectionServiceTests.cs
index 2f99467700..118c0fa6b2 100644
--- a/test/Core.Test/Services/CollectionServiceTests.cs
+++ b/test/Core.Test/Services/CollectionServiceTests.cs
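Review bot: In CollectionService.cs the new guard at the top of `DeleteUserAsync` enforces the DefaultUserCollection restriction on this one method only; any other path that changes member access to a collection lies outside this hunk and should be confirmed to apply the same rule, otherwise the invariant holds only for callers that go through here. The guard also runs before the `orgUser.OrganizationId != collection.OrganizationId` check, so a request naming a collection from another organization is answered with the type-specific message rather than the membership failure; that is fine if the caller has already authorized access to `collection`, which this hunk does not show. Stating the contract on the method would help, e.g. `/// <exception cref="BadRequestException">Thrown when collection.Type is DefaultUserCollection; checked before any repository call.</exception>`. The method body continues past the end of the hunk.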
@@ -49,4 +49,22 @@ public class CollectionServiceTest
 await sutProvider.GetDependency().DidNotReceiveWithAnyArgs()
 .LogOrganizationUserEventAsync(default, default);
 }
+
+ [Theory, BitAutoData]
+ public async Task DeleteUserAsync_WithDefaultUserCollectionType_ThrowsBadRequest(Collection collection,
+ Organization organization, OrganizationUser organizationUser, SutProvider sutProvider)
+ {
+ collection.Type = CollectionType.DefaultUserCollection;
+ collection.OrganizationId = organization.Id;
+ organizationUser.OrganizationId = organization.Id;
+
+ var exception = await Assert.ThrowsAsync(() =>
+ sutProvider.Sut.DeleteUserAsync(collection, organizationUser.Id));
+ Assert.Contains("You cannot modify member access for collections with the type as DefaultUserCollection.", exception.Message);
+
+ await sutProvider.GetDependency().DidNotReceiveWithAnyArgs().GetByIdAsync(default);
+ await sutProvider.GetDependency().DidNotReceiveWithAnyArgs().DeleteUserAsync(default, default);
+ await sutProvider.GetDependency().DidNotReceiveWithAnyArgs()
+ .LogOrganizationUserEventAsync(default, default);
+ }
 }
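Review bot: The new test pins `collection.Type`, but the sibling tests that receive an auto-generated `Collection` (only the tail of one is visible above this hunk) would presumably hit the new guard whenever the fixture supplies DefaultUserCollection, so each of them should set `collection.Type` to a non-default value explicitly. Within this test the two `OrganizationId` assignments and the `Organization organization` parameter have no effect, because the guard throws before `GetByIdAsync` is called, as the `DidNotReceiveWithAnyArgs()` assertions confirm; dropping them would make it clear that the type alone triggers the rejection. `Assert.Equal` on `exception.Message` would pin the text more tightly than `Assert.Contains`.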