nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-27 22:26:13 -05:00
Code

Add validation in CollectionService to prevent modification of DefaultUserCollection type

Browse Source 
* Implemented a check in DeleteUserAsync to throw a BadRequestException if an attempt is made to modify member access for collections of type DefaultUserCollection.
* Added a unit test to ensure the exception is thrown with the correct message when this condition is met.
This commit is contained in:
Rui Tome 2025-06-13 15:00:01 +01:00
parent f1afc653e3
commit 4d36e87b6f
No known key found for this signature in database
GPG Key ID: 526239D96A8EC066
2 changed files with 23 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/Core/Services/Implementations/CollectionService.cs
View File

@ -22,10 +22,13 @@ public class CollectionService : ICollectionService
_collectionRepository = collectionRepository; _collectionRepository = collectionRepository;
} }
public async Task DeleteUserAsync(Collection collection, Guid organizationUserId) public async Task DeleteUserAsync(Collection collection, Guid organizationUserId)
{ {
if (collection.Type == Enums.CollectionType.DefaultUserCollection)
{
throw new BadRequestException("You cannot modify member access for collections with the type as DefaultUserCollection.");
}
var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId); var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId);
if (orgUser == null || orgUser.OrganizationId != collection.OrganizationId) if (orgUser == null || orgUser.OrganizationId != collection.OrganizationId)
{ {

18
test/Core.Test/Services/CollectionServiceTests.cs
View File

@ -49,4 +49,22 @@ public class CollectionServiceTest
await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs() await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs()
.LogOrganizationUserEventAsync<OrganizationUser>(default, default); .LogOrganizationUserEventAsync<OrganizationUser>(default, default);
} }
[Theory, BitAutoData]
public async Task DeleteUserAsync_WithDefaultUserCollectionType_ThrowsBadRequest(Collection collection,
Organization organization, OrganizationUser organizationUser, SutProvider<CollectionService> sutProvider)
{
collection.Type = CollectionType.DefaultUserCollection;
collection.OrganizationId = organization.Id;
organizationUser.OrganizationId = organization.Id;
var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
sutProvider.Sut.DeleteUserAsync(collection, organizationUser.Id));
Assert.Contains("You cannot modify member access for collections with the type as DefaultUserCollection.", exception.Message);
await sutProvider.GetDependency<IOrganizationUserRepository>().DidNotReceiveWithAnyArgs().GetByIdAsync(default);
await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().DeleteUserAsync(default, default);
await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs()
.LogOrganizationUserEventAsync<OrganizationUser>(default, default);
}
} }