[AC-1809] Update OrganizationAbility with Collection Management Settings (#3571)

* feat: Update OrganizationAbility with LimitCollectionCreationDeletion, refs AC-1809

* feat: Update OrganizationAbility constructor usage to pass feature flag state, refs AC-1809

* feat: Update EF retrieval of org abilities to include new property from database, refs AC-1809

* feat: Update sproc to include LimitCollectionCreationDeletion property and create migration, refs AC-1809

* feat: Inject ApplicationCache into handler accessing LimitCollectionCreationDeletion, refs AC-1809

* feat: remove collection management settings from CurrentContextOrganization and update tests, refs AC-1809

* feat: add AllowAdminAccessToAllCollectionItems to OrganizationAbility pipeline, refs AC-1809

---------

Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>

src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs

@@ -4,6 +4,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
@@ -20,6 +21,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
     private readonly ICurrentContext _currentContext;
     private readonly ICollectionRepository _collectionRepository;
     private readonly IFeatureService _featureService;
+    private readonly IApplicationCacheService _applicationCacheService;
     private Guid _targetOrganizationId;
 
     private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
@@ -27,11 +29,13 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
     public BulkCollectionAuthorizationHandler(
         ICurrentContext currentContext,
         ICollectionRepository collectionRepository,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IApplicationCacheService applicationCacheService)
     {
         _currentContext = currentContext;
         _collectionRepository = collectionRepository;
         _featureService = featureService;
+        _applicationCacheService = applicationCacheService;
     }
 
     protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@@ -84,7 +88,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
 
             case not null when requirement == BulkCollectionOperations.Update:
             case not null when requirement == BulkCollectionOperations.ModifyAccess:
-                await CanUpdateCollection(context, requirement, resources, org);
+                await CanUpdateCollectionAsync(context, requirement, resources, org);
                 break;
 
             case not null when requirement == BulkCollectionOperations.Delete:
@@ -96,10 +100,8 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
     private async Task CanCreateAsync(AuthorizationHandlerContext context, IAuthorizationRequirement requirement,
         CurrentContextOrganization? org)
     {
-        // If the limit collection management setting is disabled, allow any user to create collections
+        // Owners, Admins, and users with CreateNewCollections permission can always create collections
-        // Otherwise, Owners, Admins, and users with CreateNewCollections permission can always create collections
         if (org is
-        { LimitCollectionCreationDeletion: false } or
         { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
         { Permissions.CreateNewCollections: true })
         {
@@ -107,6 +109,13 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
             return;
         }
 
+        // If the limit collection management setting is disabled, allow any user to create collections
+        if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
+        {
+            context.Succeed(requirement);
+            return;
+        }
+
         // Allow provider users to create collections if they are a provider for the target organization
         if (await _currentContext.ProviderUserForOrgAsync(_targetOrganizationId))
         {
@@ -182,7 +191,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
     /// <summary>
     /// Ensures the acting user is allowed to update the target collections or manage access permissions for them.
     /// </summary>
-    private async Task CanUpdateCollection(AuthorizationHandlerContext context,
+    private async Task CanUpdateCollectionAsync(AuthorizationHandlerContext context,
         IAuthorizationRequirement requirement, ICollection<Collection> resources,
         CurrentContextOrganization? org)
     {
@@ -226,9 +235,10 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
             return;
         }
 
+        // Check for non-null org here: the user must be apart of the organization for this setting to take affect
         // The limit collection management setting is disabled,
         // ensure acting user has manage permissions for all collections being deleted
-        if (org is { LimitCollectionCreationDeletion: false })
+        if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
         {
             var canManageCollections = await CanManageCollectionsAsync(resources, org);
             if (canManageCollections)
@@ -261,4 +271,19 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
         // Check if the acting user has access to all target collections
         return targetCollections.All(tc => assignedCollectionIds.Contains(tc.Id));
     }
+
+    private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
+    {
+        // If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
+        // irrelevant
+        if (organization == null)
+        {
+            return null;
+        }
+
+        (await _applicationCacheService.GetOrganizationAbilitiesAsync())
+            .TryGetValue(organization.Id, out var organizationAbility);
+
+        return organizationAbility;
+    }
 }

src/Api/Vault/AuthorizationHandlers/Groups/GroupAuthorizationHandler.cs

@@ -3,6 +3,7 @@ using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;
 
@@ -16,15 +17,18 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
 {
     private readonly ICurrentContext _currentContext;
     private readonly IFeatureService _featureService;
+    private readonly IApplicationCacheService _applicationCacheService;
 
     private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
 
     public GroupAuthorizationHandler(
         ICurrentContext currentContext,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IApplicationCacheService applicationCacheService)
     {
         _currentContext = currentContext;
         _featureService = featureService;
+        _applicationCacheService = applicationCacheService;
     }
 
     protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@@ -62,10 +66,8 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
     private async Task CanReadAllAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement,
         CurrentContextOrganization? org)
     {
-        // If the limit collection management setting is disabled, allow any user to read all groups
+        // Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups
-        // Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups
         if (org is
-        { LimitCollectionCreationDeletion: false } or
         { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
         { Permissions.ManageGroups: true } or
         { Permissions.ManageUsers: true } or
@@ -77,10 +79,33 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
             return;
         }
 
+        // Check for non-null org here: the user must be apart of the organization for this setting to take affect
+        // If the limit collection management setting is disabled, allow any user to read all groups
+        if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
+        {
+            context.Succeed(requirement);
+            return;
+        }
+
         // Allow provider users to read all groups if they are a provider for the target organization
         if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
         {
             context.Succeed(requirement);
         }
     }
+
+    private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
+    {
+        // If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
+        // irrelevant
+        if (organization == null)
+        {
+            return null;
+        }
+
+        (await _applicationCacheService.GetOrganizationAbilitiesAsync())
+            .TryGetValue(organization.Id, out var organizationAbility);
+
+        return organizationAbility;
+    }
 }

src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs

@@ -3,6 +3,7 @@ using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;
 
@@ -16,15 +17,18 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
 {
     private readonly ICurrentContext _currentContext;
     private readonly IFeatureService _featureService;
+    private readonly IApplicationCacheService _applicationCacheService;
 
     private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
 
     public OrganizationUserAuthorizationHandler(
         ICurrentContext currentContext,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IApplicationCacheService applicationCacheService)
     {
         _currentContext = currentContext;
         _featureService = featureService;
+        _applicationCacheService = applicationCacheService;
     }
 
     protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@@ -64,7 +68,6 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
         // If the limit collection management setting is disabled, allow any user to read all organization users
         // Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all organization users
         if (org is
-        { LimitCollectionCreationDeletion: false } or
         { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
         { Permissions.ManageGroups: true } or
         { Permissions.ManageUsers: true } or
@@ -76,10 +79,33 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
             return;
         }
 
+        // Check for non-null org here: the user must be apart of the organization for this setting to take affect
+        // If the limit collection management setting is disabled, allow any user to read all organization users
+        if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
+        {
+            context.Succeed(requirement);
+            return;
+        }
+
         // Allow provider users to read all organization users if they are a provider for the target organization
         if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
         {
             context.Succeed(requirement);
         }
     }
+
+    private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
+    {
+        // If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
+        // irrelevant
+        if (organization == null)
+        {
+            return null;
+        }
+
+        (await _applicationCacheService.GetOrganizationAbilitiesAsync())
+            .TryGetValue(organization.Id, out var organizationAbility);
+
+        return organizationAbility;
+    }
 }

src/Core/AdminConsole/Context/CurrentContextOrganization.cs

@@ -15,14 +15,10 @@ public class CurrentContextOrganization
         Type = orgUser.Type;
         Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(orgUser.Permissions);
         AccessSecretsManager = orgUser.AccessSecretsManager && orgUser.UseSecretsManager && orgUser.Enabled;
-        LimitCollectionCreationDeletion = orgUser.LimitCollectionCreationDeletion;
-        AllowAdminAccessToAllCollectionItems = orgUser.AllowAdminAccessToAllCollectionItems;
     }
 
     public Guid Id { get; set; }
     public OrganizationUserType Type { get; set; }
     public Permissions Permissions { get; set; } = new();
     public bool AccessSecretsManager { get; set; }
-    public bool LimitCollectionCreationDeletion { get; set; }
-    public bool AllowAdminAccessToAllCollectionItems { get; set; }
 }

src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs

@@ -21,6 +21,8 @@ public class OrganizationAbility
         UseResetPassword = organization.UseResetPassword;
         UseCustomPermissions = organization.UseCustomPermissions;
         UsePolicies = organization.UsePolicies;
+        LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
+        AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
     }
 
     public Guid Id { get; set; }
@@ -35,4 +37,6 @@ public class OrganizationAbility
     public bool UseResetPassword { get; set; }
     public bool UseCustomPermissions { get; set; }
     public bool UsePolicies { get; set; }
+    public bool LimitCollectionCreationDeletion { get; set; }
+    public bool AllowAdminAccessToAllCollectionItems { get; set; }
 }

src/Core/Context/CurrentContext.cs

@@ -54,7 +54,7 @@ public class CurrentContext : ICurrentContext
     {
         _providerOrganizationRepository = providerOrganizationRepository;
         _providerUserRepository = providerUserRepository;
-        _featureService = featureService;
+        _featureService = featureService; ;
     }
 
     public async virtual Task BuildAsync(HttpContext httpContext, GlobalSettings globalSettings)
@@ -383,15 +383,10 @@ public class CurrentContext : ICurrentContext
             throw new FeatureUnavailableException("Flexible Collections is ON when it should be OFF.");
         }
 
-        var canCreateNewCollections = false;
         var org = GetOrganization(orgId);
-        if (org != null)
-        {
-            canCreateNewCollections = !org.LimitCollectionCreationDeletion || org.Permissions.CreateNewCollections;
-        }
         return await EditAssignedCollections(orgId)
                || await DeleteAssignedCollections(orgId)
-               || canCreateNewCollections;
+               || (org != null && org.Permissions.CreateNewCollections);
     }
 
     public async Task<bool> ManageGroups(Guid orgId)

src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs

@@ -88,7 +88,9 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
                 UseResetPassword = e.UseResetPassword,
                 UseScim = e.UseScim,
                 UseCustomPermissions = e.UseCustomPermissions,
-                UsePolicies = e.UsePolicies
+                UsePolicies = e.UsePolicies,
+                LimitCollectionCreationDeletion = e.LimitCollectionCreationDeletion,
+                AllowAdminAccessToAllCollectionItems = e.AllowAdminAccessToAllCollectionItems
             }).ToListAsync();
         }
     }

src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql

@@ -20,7 +20,9 @@ BEGIN
         [UseScim],
         [UseResetPassword],
         [UsePolicies],
-        [Enabled]
+        [Enabled],
+        [LimitCollectionCreationDeletion],
+        [AllowAdminAccessToAllCollectionItems]
     FROM
         [dbo].[Organization]
 END

test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs

@@ -6,7 +6,9 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture;
 using Bit.Core.Test.Vault.AutoFixture;
 using Bit.Test.Common.AutoFixture;
@@ -31,9 +33,10 @@ public class BulkCollectionAuthorizationHandlerTests
         CurrentContextOrganization organization)
     {
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions();
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Create },
             new ClaimsPrincipal(),
@@ -41,6 +44,7 @@ public class BulkCollectionAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -56,7 +60,8 @@ public class BulkCollectionAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = false;
+
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, false);
 
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Create },
@@ -65,6 +70,7 @@ public class BulkCollectionAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -83,7 +89,6 @@ public class BulkCollectionAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions
         {
             EditAnyCollection = false,
@@ -92,6 +97,8 @@ public class BulkCollectionAuthorizationHandlerTests
             ManageUsers = false
         };
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Create },
             new ClaimsPrincipal(),
@@ -99,6 +106,8 @@ public class BulkCollectionAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -111,6 +120,8 @@ public class BulkCollectionAuthorizationHandlerTests
         ICollection<Collection> collections,
         SutProvider<BulkCollectionAuthorizationHandler> sutProvider)
     {
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(collections.First().OrganizationId, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Create },
             new ClaimsPrincipal(),
@@ -119,6 +130,8 @@ public class BulkCollectionAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
         Assert.False(context.HasSucceeded);
@@ -134,7 +147,6 @@ public class BulkCollectionAuthorizationHandlerTests
         CurrentContextOrganization organization)
     {
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions();
 
         var operationsToTest = new[]
@@ -217,7 +229,6 @@ public class BulkCollectionAuthorizationHandlerTests
         }
 
         organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = false;
         organization.Permissions = new Permissions();
 
         var operationsToTest = new[]
@@ -254,7 +265,6 @@ public class BulkCollectionAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = false;
         organization.Permissions = new Permissions();
 
         var operationsToTest = new[]
@@ -293,7 +303,6 @@ public class BulkCollectionAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions
         {
             EditAnyCollection = false,
@@ -367,7 +376,6 @@ public class BulkCollectionAuthorizationHandlerTests
         CurrentContextOrganization organization)
     {
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions();
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
@@ -431,7 +439,6 @@ public class BulkCollectionAuthorizationHandlerTests
         }
 
         organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = false;
         organization.Permissions = new Permissions();
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
@@ -462,7 +469,6 @@ public class BulkCollectionAuthorizationHandlerTests
         }
 
         organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = false;
         organization.Permissions = new Permissions();
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
@@ -491,7 +497,6 @@ public class BulkCollectionAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions
         {
             EditAnyCollection = false,
@@ -543,7 +548,6 @@ public class BulkCollectionAuthorizationHandlerTests
         CurrentContextOrganization organization)
     {
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions();
 
         var operationsToTest = new[]
@@ -661,7 +665,6 @@ public class BulkCollectionAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = false;
         organization.Permissions = new Permissions
         {
             EditAnyCollection = false,
@@ -742,9 +745,10 @@ public class BulkCollectionAuthorizationHandlerTests
         CurrentContextOrganization organization)
     {
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions();
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Delete },
             new ClaimsPrincipal(),
@@ -752,6 +756,8 @@ public class BulkCollectionAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
+            .Returns(organizationAbilities);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -767,12 +773,13 @@ public class BulkCollectionAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = OrganizationUserType.Custom;
-        organization.LimitCollectionCreationDeletion = false;
         organization.Permissions = new Permissions
         {
             DeleteAnyCollection = true
         };
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Delete },
             new ClaimsPrincipal(),
@@ -780,6 +787,8 @@ public class BulkCollectionAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
+            .Returns(organizationAbilities);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -797,9 +806,13 @@ public class BulkCollectionAuthorizationHandlerTests
         organization.Type = OrganizationUserType.User;
         organization.Permissions = new Permissions();
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, false);
+
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId, Arg.Any<bool>()).Returns(collections);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
+            .Returns(organizationAbilities);
 
         foreach (var c in collections)
         {
@@ -828,7 +841,6 @@ public class BulkCollectionAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions
         {
             EditAnyCollection = false,
@@ -837,6 +849,8 @@ public class BulkCollectionAuthorizationHandlerTests
             ManageUsers = false
         };
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { BulkCollectionOperations.Delete },
             new ClaimsPrincipal(),
@@ -844,6 +858,9 @@ public class BulkCollectionAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
+            .Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -864,6 +881,7 @@ public class BulkCollectionAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
         Assert.False(context.HasSucceeded);
@@ -919,6 +937,16 @@ public class BulkCollectionAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
         var orgId = collections.First().OrganizationId;
 
+        var organizationAbilities = new Dictionary<Guid, OrganizationAbility>
+        {
+            { collections.First().OrganizationId,
+                new OrganizationAbility
+                {
+                    LimitCollectionCreationDeletion = true
+                }
+            }
+        };
+
         var operationsToTest = new[]
         {
             BulkCollectionOperations.Create,
@@ -933,6 +961,8 @@ public class BulkCollectionAuthorizationHandlerTests
         {
             sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
             sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgId).Returns((CurrentContextOrganization)null);
+            sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
+                .Returns(organizationAbilities);
             sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(true);
 
             var context = new AuthorizationHandlerContext(
@@ -950,4 +980,18 @@ public class BulkCollectionAuthorizationHandlerTests
             sutProvider.Recreate();
         }
     }
+
+    private static Dictionary<Guid, OrganizationAbility> ArrangeOrganizationAbilitiesDictionary(Guid orgId,
+        bool limitCollectionCreationDeletion)
+    {
+        return new Dictionary<Guid, OrganizationAbility>
+        {
+            { orgId,
+                new OrganizationAbility
+                {
+                    LimitCollectionCreationDeletion = limitCollectionCreationDeletion
+                }
+            }
+        };
+    }
 }

test/Api.Test/Vault/AuthorizationHandlers/GroupAuthorizationHandlerTests.cs

@@ -4,6 +4,8 @@ using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -26,9 +28,10 @@ public class GroupAuthorizationHandlerTests
         CurrentContextOrganization organization)
     {
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions();
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { GroupOperations.ReadAll(organization.Id) },
             new ClaimsPrincipal(),
@@ -36,6 +39,7 @@ public class GroupAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -48,9 +52,10 @@ public class GroupAuthorizationHandlerTests
         SutProvider<GroupAuthorizationHandler> sutProvider, CurrentContextOrganization organization)
     {
         organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions();
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { GroupOperations.ReadAll(organization.Id) },
             new ClaimsPrincipal(),
@@ -59,6 +64,7 @@ public class GroupAuthorizationHandlerTests
         sutProvider.GetDependency<ICurrentContext>()
             .UserId
             .Returns(userId);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
         sutProvider.GetDependency<ICurrentContext>()
             .ProviderUserForOrgAsync(organization.Id)
             .Returns(true);
@@ -83,7 +89,6 @@ public class GroupAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = OrganizationUserType.Custom;
-        organization.LimitCollectionCreationDeletion = limitCollectionCreationDeletion;
         organization.Permissions = new Permissions
         {
             EditAnyCollection = editAnyCollection,
@@ -92,6 +97,8 @@ public class GroupAuthorizationHandlerTests
             ManageUsers = manageUsers
         };
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, limitCollectionCreationDeletion);
+
         var context = new AuthorizationHandlerContext(
             new[] { GroupOperations.ReadAll(organization.Id) },
             new ClaimsPrincipal(),
@@ -99,6 +106,7 @@ public class GroupAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -116,7 +124,6 @@ public class GroupAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions
         {
             EditAnyCollection = false,
@@ -126,6 +133,8 @@ public class GroupAuthorizationHandlerTests
             AccessImportExport = false
         };
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { GroupOperations.ReadAll(organization.Id) },
             new ClaimsPrincipal(),
@@ -133,6 +142,8 @@ public class GroupAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -145,6 +156,8 @@ public class GroupAuthorizationHandlerTests
         Guid organizationId,
         SutProvider<GroupAuthorizationHandler> sutProvider)
     {
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organizationId, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { GroupOperations.ReadAll(organizationId) },
             new ClaimsPrincipal(),
@@ -153,6 +166,8 @@ public class GroupAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
         Assert.False(context.HasSucceeded);
@@ -194,4 +209,18 @@ public class GroupAuthorizationHandlerTests
         Assert.False(context.HasSucceeded);
         Assert.True(context.HasFailed);
     }
+
+    private static Dictionary<Guid, OrganizationAbility> ArrangeOrganizationAbilitiesDictionary(Guid orgId,
+        bool limitCollectionCreationDeletion)
+    {
+        return new Dictionary<Guid, OrganizationAbility>
+        {
+            { orgId,
+                new OrganizationAbility
+                {
+                    LimitCollectionCreationDeletion = limitCollectionCreationDeletion
+                }
+            }
+        };
+    }
 }

test/Api.Test/Vault/AuthorizationHandlers/OrganizationUserAuthorizationHandlerTests.cs

@@ -4,6 +4,8 @@ using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -26,9 +28,10 @@ public class OrganizationUserAuthorizationHandlerTests
         CurrentContextOrganization organization)
     {
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions();
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { OrganizationUserOperations.ReadAll(organization.Id) },
             new ClaimsPrincipal(),
@@ -36,6 +39,7 @@ public class OrganizationUserAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -48,9 +52,10 @@ public class OrganizationUserAuthorizationHandlerTests
         SutProvider<OrganizationUserAuthorizationHandler> sutProvider, CurrentContextOrganization organization)
     {
         organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions();
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { OrganizationUserOperations.ReadAll(organization.Id) },
             new ClaimsPrincipal(),
@@ -59,6 +64,7 @@ public class OrganizationUserAuthorizationHandlerTests
         sutProvider.GetDependency<ICurrentContext>()
             .UserId
             .Returns(userId);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
         sutProvider.GetDependency<ICurrentContext>()
             .ProviderUserForOrgAsync(organization.Id)
             .Returns(true);
@@ -83,7 +89,6 @@ public class OrganizationUserAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = OrganizationUserType.Custom;
-        organization.LimitCollectionCreationDeletion = limitCollectionCreationDeletion;
         organization.Permissions = new Permissions
         {
             EditAnyCollection = editAnyCollection,
@@ -92,6 +97,8 @@ public class OrganizationUserAuthorizationHandlerTests
             ManageUsers = manageUsers
         };
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, limitCollectionCreationDeletion);
+
         var context = new AuthorizationHandlerContext(
             new[] { OrganizationUserOperations.ReadAll(organization.Id) },
             new ClaimsPrincipal(),
@@ -99,6 +106,7 @@ public class OrganizationUserAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -116,7 +124,6 @@ public class OrganizationUserAuthorizationHandlerTests
         var actingUserId = Guid.NewGuid();
 
         organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
         organization.Permissions = new Permissions
         {
             EditAnyCollection = false,
@@ -125,6 +132,8 @@ public class OrganizationUserAuthorizationHandlerTests
             ManageUsers = false
         };
 
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { OrganizationUserOperations.ReadAll(organization.Id) },
             new ClaimsPrincipal(),
@@ -132,6 +141,8 @@ public class OrganizationUserAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
 
@@ -144,6 +155,8 @@ public class OrganizationUserAuthorizationHandlerTests
         Guid organizationId,
         SutProvider<OrganizationUserAuthorizationHandler> sutProvider)
     {
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organizationId, true);
+
         var context = new AuthorizationHandlerContext(
             new[] { OrganizationUserOperations.ReadAll(organizationId) },
             new ClaimsPrincipal(),
@@ -152,6 +165,8 @@ public class OrganizationUserAuthorizationHandlerTests
 
         sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
 
         await sutProvider.Sut.HandleAsync(context);
         Assert.False(context.HasSucceeded);
@@ -191,4 +206,18 @@ public class OrganizationUserAuthorizationHandlerTests
 
         Assert.True(context.HasFailed);
     }
+
+    private static Dictionary<Guid, OrganizationAbility> ArrangeOrganizationAbilitiesDictionary(Guid orgId,
+        bool limitCollectionCreationDeletion)
+    {
+        return new Dictionary<Guid, OrganizationAbility>
+        {
+            { orgId,
+                new OrganizationAbility
+                {
+                    LimitCollectionCreationDeletion = limitCollectionCreationDeletion
+                }
+            }
+        };
+    }
 }

util/Migrator/DbScripts/2023-12-21_00_OrganizationAbilitiesWithCollectionManagementSettings.sql

@@ -0,0 +1,30 @@
+--Update stored procedure to include LimitCollectionCreationDeletion property
+CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadAbilities]
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        [Id],
+        [UseEvents],
+        [Use2fa],
+        CASE
+            WHEN [Use2fa] = 1 AND [TwoFactorProviders] IS NOT NULL AND [TwoFactorProviders] != '{}' THEN
+                1
+            ELSE
+                0
+            END AS [Using2fa],
+        [UsersGetPremium],
+        [UseCustomPermissions],
+        [UseSso],
+        [UseKeyConnector],
+        [UseScim],
+        [UseResetPassword],
+        [UsePolicies],
+        [Enabled],
+        [LimitCollectionCreationDeletion],
+        [AllowAdminAccessToAllCollectionItems]
+    FROM
+        [dbo].[Organization]
+END
+GO