mirror of
https://github.com/bitwarden/server.git
synced 2025-06-30 15:42:48 -05:00
[AC-2847] Simplify OrganizationUser and Group PUT methods and tests (#4479)
* refactor controller logic * add additional validation checks to update commands * refactor and improve tests
This commit is contained in:
@ -135,7 +135,7 @@ public class GroupsController : Controller
|
||||
.Succeeded;
|
||||
if (!authorized)
|
||||
{
|
||||
throw new NotFoundException("You are not authorized to grant access to these collections.");
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
@ -175,13 +175,20 @@ public class GroupsController : Controller
|
||||
/// </summary>
|
||||
private async Task<GroupResponseModel> Put_vNext(Guid orgId, Guid id, [FromBody] GroupRequestModel model)
|
||||
{
|
||||
var (group, currentAccess) = await _groupRepository.GetByIdWithCollectionsAsync(id);
|
||||
if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
|
||||
if (!await _currentContext.ManageGroups(orgId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
// Check whether the user is permitted to add themselves to the group
|
||||
var (group, currentAccess) = await _groupRepository.GetByIdWithCollectionsAsync(id);
|
||||
if (group == null || group.OrganizationId != orgId)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
// Authorization check:
|
||||
// If admins are not allowed access to all collections, you cannot add yourself to a group.
|
||||
// No error is thrown for this, we just don't update groups.
|
||||
var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
|
||||
if (!orgAbility.AllowAdminAccessToAllCollectionItems)
|
||||
{
|
||||
@ -195,9 +202,23 @@ public class GroupsController : Controller
|
||||
}
|
||||
}
|
||||
|
||||
// Authorization check:
|
||||
// You must have authorization to ModifyUserAccess for all collections being saved
|
||||
var postedCollections = await _collectionRepository
|
||||
.GetManyByManyIdsAsync(model.Collections.Select(c => c.Id));
|
||||
foreach (var collection in postedCollections)
|
||||
{
|
||||
if (!(await _authorizationService.AuthorizeAsync(User, collection,
|
||||
BulkCollectionOperations.ModifyGroupAccess))
|
||||
.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
// The client only sends collections that the saving user has permissions to edit.
|
||||
// On the server side, we need to (1) confirm this and (2) concat these with the collections that the user
|
||||
// can't edit before saving to the database.
|
||||
// We need to combine these with collections that the user doesn't have permissions for, so that we don't
|
||||
// accidentally overwrite those
|
||||
var currentCollections = await _collectionRepository
|
||||
.GetManyByManyIdsAsync(currentAccess.Select(cas => cas.Id));
|
||||
|
||||
@ -211,11 +232,6 @@ public class GroupsController : Controller
|
||||
}
|
||||
}
|
||||
|
||||
if (model.Collections.Any(c => readonlyCollectionIds.Contains(c.Id)))
|
||||
{
|
||||
throw new BadRequestException("You must have Can Manage permissions to edit a collection's membership");
|
||||
}
|
||||
|
||||
var editedCollectionAccess = model.Collections
|
||||
.Select(c => c.ToSelectionReadOnly());
|
||||
var readonlyCollectionAccess = currentAccess
|
||||
|
@ -230,7 +230,7 @@ public class OrganizationUsersController : Controller
|
||||
.Succeeded;
|
||||
if (!authorized)
|
||||
{
|
||||
throw new NotFoundException("You are not authorized to grant access to these collections.");
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
@ -400,13 +400,15 @@ public class OrganizationUsersController : Controller
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var editingSelf = userId == organizationUser.UserId;
|
||||
|
||||
// Authorization check:
|
||||
// If admins are not allowed access to all collections, you cannot add yourself to a group.
|
||||
// In this case we just don't update groups.
|
||||
// No error is thrown for this, we just don't update groups.
|
||||
var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
|
||||
var groupsToSave = editingSelf && !organizationAbility.AllowAdminAccessToAllCollectionItems
|
||||
? null
|
||||
: model.Groups;
|
||||
|
||||
// Authorization check:
|
||||
// If admins are not allowed access to all collections, you cannot add yourself to collections.
|
||||
// This is not caught by the requirement below that you can ModifyUserAccess and must be checked separately
|
||||
var currentAccessIds = currentAccess.Select(c => c.Id).ToHashSet();
|
||||
@ -417,9 +419,23 @@ public class OrganizationUsersController : Controller
|
||||
throw new BadRequestException("You cannot add yourself to a collection.");
|
||||
}
|
||||
|
||||
// Authorization check:
|
||||
// You must have authorization to ModifyUserAccess for all collections being saved
|
||||
var postedCollections = await _collectionRepository
|
||||
.GetManyByManyIdsAsync(model.Collections.Select(c => c.Id));
|
||||
foreach (var collection in postedCollections)
|
||||
{
|
||||
if (!(await _authorizationService.AuthorizeAsync(User, collection,
|
||||
BulkCollectionOperations.ModifyUserAccess))
|
||||
.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
// The client only sends collections that the saving user has permissions to edit.
|
||||
// On the server side, we need to (1) make sure the user has permissions for these collections, and
|
||||
// (2) concat these with the collections that the user can't edit before saving to the database.
|
||||
// We need to combine these with collections that the user doesn't have permissions for, so that we don't
|
||||
// accidentally overwrite those
|
||||
var currentCollections = await _collectionRepository
|
||||
.GetManyByManyIdsAsync(currentAccess.Select(cas => cas.Id));
|
||||
|
||||
@ -433,11 +449,6 @@ public class OrganizationUsersController : Controller
|
||||
}
|
||||
}
|
||||
|
||||
if (model.Collections.Any(c => readonlyCollectionIds.Contains(c.Id)))
|
||||
{
|
||||
throw new BadRequestException("You must have Can Manage permissions to edit a collection's membership");
|
||||
}
|
||||
|
||||
var editedCollectionAccess = model.Collections
|
||||
.Select(c => c.ToSelectionReadOnly());
|
||||
var readonlyCollectionAccess = currentAccess
|
||||
|
Reference in New Issue
Block a user