1
0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00

[AC-2847] Simplify OrganizationUser and Group PUT methods and tests (#4479)

* refactor controller logic
* add additional validation checks to update commands
* refactor and improve tests
This commit is contained in:
Thomas Rittson
2024-07-16 10:47:28 +10:00
committed by GitHub
parent 7fee588812
commit 5df0e2180d
11 changed files with 1113 additions and 659 deletions

View File

@ -135,7 +135,7 @@ public class GroupsController : Controller
.Succeeded;
if (!authorized)
{
throw new NotFoundException("You are not authorized to grant access to these collections.");
throw new NotFoundException();
}
}
@ -175,13 +175,20 @@ public class GroupsController : Controller
/// </summary>
private async Task<GroupResponseModel> Put_vNext(Guid orgId, Guid id, [FromBody] GroupRequestModel model)
{
var (group, currentAccess) = await _groupRepository.GetByIdWithCollectionsAsync(id);
if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
if (!await _currentContext.ManageGroups(orgId))
{
throw new NotFoundException();
}
// Check whether the user is permitted to add themselves to the group
var (group, currentAccess) = await _groupRepository.GetByIdWithCollectionsAsync(id);
if (group == null || group.OrganizationId != orgId)
{
throw new NotFoundException();
}
// Authorization check:
// If admins are not allowed access to all collections, you cannot add yourself to a group.
// No error is thrown for this, we just don't update groups.
var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
if (!orgAbility.AllowAdminAccessToAllCollectionItems)
{
@ -195,9 +202,23 @@ public class GroupsController : Controller
}
}
// Authorization check:
// You must have authorization to ModifyUserAccess for all collections being saved
var postedCollections = await _collectionRepository
.GetManyByManyIdsAsync(model.Collections.Select(c => c.Id));
foreach (var collection in postedCollections)
{
if (!(await _authorizationService.AuthorizeAsync(User, collection,
BulkCollectionOperations.ModifyGroupAccess))
.Succeeded)
{
throw new NotFoundException();
}
}
// The client only sends collections that the saving user has permissions to edit.
// On the server side, we need to (1) confirm this and (2) concat these with the collections that the user
// can't edit before saving to the database.
// We need to combine these with collections that the user doesn't have permissions for, so that we don't
// accidentally overwrite those
var currentCollections = await _collectionRepository
.GetManyByManyIdsAsync(currentAccess.Select(cas => cas.Id));
@ -211,11 +232,6 @@ public class GroupsController : Controller
}
}
if (model.Collections.Any(c => readonlyCollectionIds.Contains(c.Id)))
{
throw new BadRequestException("You must have Can Manage permissions to edit a collection's membership");
}
var editedCollectionAccess = model.Collections
.Select(c => c.ToSelectionReadOnly());
var readonlyCollectionAccess = currentAccess

View File

@ -230,7 +230,7 @@ public class OrganizationUsersController : Controller
.Succeeded;
if (!authorized)
{
throw new NotFoundException("You are not authorized to grant access to these collections.");
throw new NotFoundException();
}
}
@ -400,13 +400,15 @@ public class OrganizationUsersController : Controller
var userId = _userService.GetProperUserId(User).Value;
var editingSelf = userId == organizationUser.UserId;
// Authorization check:
// If admins are not allowed access to all collections, you cannot add yourself to a group.
// In this case we just don't update groups.
// No error is thrown for this, we just don't update groups.
var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
var groupsToSave = editingSelf && !organizationAbility.AllowAdminAccessToAllCollectionItems
? null
: model.Groups;
// Authorization check:
// If admins are not allowed access to all collections, you cannot add yourself to collections.
// This is not caught by the requirement below that you can ModifyUserAccess and must be checked separately
var currentAccessIds = currentAccess.Select(c => c.Id).ToHashSet();
@ -417,9 +419,23 @@ public class OrganizationUsersController : Controller
throw new BadRequestException("You cannot add yourself to a collection.");
}
// Authorization check:
// You must have authorization to ModifyUserAccess for all collections being saved
var postedCollections = await _collectionRepository
.GetManyByManyIdsAsync(model.Collections.Select(c => c.Id));
foreach (var collection in postedCollections)
{
if (!(await _authorizationService.AuthorizeAsync(User, collection,
BulkCollectionOperations.ModifyUserAccess))
.Succeeded)
{
throw new NotFoundException();
}
}
// The client only sends collections that the saving user has permissions to edit.
// On the server side, we need to (1) make sure the user has permissions for these collections, and
// (2) concat these with the collections that the user can't edit before saving to the database.
// We need to combine these with collections that the user doesn't have permissions for, so that we don't
// accidentally overwrite those
var currentCollections = await _collectionRepository
.GetManyByManyIdsAsync(currentAccess.Select(cas => cas.Id));
@ -433,11 +449,6 @@ public class OrganizationUsersController : Controller
}
}
if (model.Collections.Any(c => readonlyCollectionIds.Contains(c.Id)))
{
throw new BadRequestException("You must have Can Manage permissions to edit a collection's membership");
}
var editedCollectionAccess = model.Collections
.Select(c => c.ToSelectionReadOnly());
var readonlyCollectionAccess = currentAccess