[AC-2538] Limit admin access - fix ManageUsers custom permission (#4032)

* Fix issue where ManageUsers custom permission could not grant access to collections * Split ModifyAccess operation to ModifyUserAccess and ModifyGroupAccess to reflect more granular operations
2025-07-04 01:22:50 -05:00 · 2024-05-01 10:06:24 +10:00
parent 3749fa6113
commit 5012d56e5a
7 changed files with 193 additions and 89 deletions
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@ -199,7 +199,7 @@ public class OrganizationUsersController : Controller
        {
            var collections = await _collectionRepository.GetManyByManyIdsAsync(model.Collections.Select(a => a.Id));
            var authorized =
-                (await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.ModifyAccess))
+                (await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.ModifyUserAccess))
                .Succeeded;
            if (!authorized)
            {
@ -390,7 +390,7 @@ public class OrganizationUsersController : Controller
        var readonlyCollectionIds = new HashSet<Guid>();
        foreach (var collection in currentCollections)
        {
-            if (!(await _authorizationService.AuthorizeAsync(User, collection, BulkCollectionOperations.ModifyAccess))
+            if (!(await _authorizationService.AuthorizeAsync(User, collection, BulkCollectionOperations.ModifyUserAccess))
                .Succeeded)
            {
                readonlyCollectionIds.Add(collection.Id);