
[AC-1981] Fix CollectionsController.Get auth check by just checking collections for the requested orgId (#3575)

* Fixed auth check by just checking collections for the requested orgId

* [AC-1139] Refactor collection authorization logic to check for manage permission

* [AC-1139] Remove unnecessary authorization check in CollectionsController

* [AC-1139] Remove unused test method

* [AC-1139] Remove unnecessary code for checking read permissions
This commit is contained in:
Rui Tomé
2023-12-20 16:34:09 +00:00
committed by GitHub
parent ca750e226f
commit 72ebb5e66f
4 changed files with 62 additions and 31 deletions


@ -584,11 +584,6 @@ public class CollectionsController : Controller
// Filter the assigned collections to only return those where the user has Manage permission
var manageableOrgCollections = assignedOrgCollections.Where(c => c.Item1.Manage).ToList();
var readAssignedAuthorized = await _authorizationService.AuthorizeAsync(User, manageableOrgCollections.Select(c => c.Item1), BulkCollectionOperations.ReadWithAccess);
if (!readAssignedAuthorized.Succeeded)
{
throw new NotFoundException();
}
return new ListResponseModel<CollectionAccessDetailsResponseModel>(manageableOrgCollections.Select(c =>
new CollectionAccessDetailsResponseModel(c.Item1, c.Item2.Groups, c.Item2.Users)
@ -609,16 +604,8 @@ public class CollectionsController : Controller
}
else
{
var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value, FlexibleCollectionsIsEnabled);
var readAuthorized = (await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.Read)).Succeeded;
if (readAuthorized)
{
orgCollections = collections.Where(c => c.OrganizationId == orgId);
}
else
{
throw new NotFoundException();
}
var assignedCollections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value, FlexibleCollectionsIsEnabled);
orgCollections = assignedCollections.Where(c => c.OrganizationId == orgId && c.Manage).ToList();
}
var responses = orgCollections.Select(c => new CollectionResponseModel(c));
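Review bot: The replacement line in the `else` branch, `orgCollections = assignedCollections.Where(c => c.OrganizationId == orgId && c.Manage).ToList();`, narrows the result to collections the user is assigned to with Manage, which the commit title ("just checking collections for the requested orgId") does not mention, so a collection the user is assigned to read-only or edit is no longer returned by this path. That narrowing looks deliberate given the first hunk drops the `ReadWithAccess` authorization in the same way, but nothing in the code says so; I would add above the assignment `// Only collections the user is directly assigned to with Manage permission are returned; the Manage flag is taken from the user's own assignment, so no separate authorization call is made here`. The `Get` method starts before the first hunk and its other branches are not visible, so I cannot confirm that the non-`else` path still goes through `_authorizationService`. The `.ToList()` materialisation is fine since the result is enumerated again on the next line.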


@ -131,8 +131,8 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
// ensure they have access for the collection being read
if (org is not null)
{
var isAssignedToCollections = await IsAssignedToCollectionsAsync(resources, org, false);
if (isAssignedToCollections)
var canManageCollections = await CanManageCollectionsAsync(resources, org);
if (canManageCollections)
{
context.Succeed(requirement);
return;
@ -164,8 +164,8 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
// ensure they have access with manage permission for the collection being read
if (org is not null)
{
var isAssignedToCollections = await IsAssignedToCollectionsAsync(resources, org, true);
if (isAssignedToCollections)
var canManageCollections = await CanManageCollectionsAsync(resources, org);
if (canManageCollections)
{
context.Succeed(requirement);
return;
@ -199,7 +199,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
// ensure they have manage permission for the collection being managed
if (org is not null)
{
var canManageCollections = await IsAssignedToCollectionsAsync(resources, org, true);
var canManageCollections = await CanManageCollectionsAsync(resources, org);
if (canManageCollections)
{
context.Succeed(requirement);
@ -230,7 +230,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
// ensure acting user has manage permissions for all collections being deleted
if (org is { LimitCollectionCreationDeletion: false })
{
var canManageCollections = await IsAssignedToCollectionsAsync(resources, org, true);
var canManageCollections = await CanManageCollectionsAsync(resources, org);
if (canManageCollections)
{
context.Succeed(requirement);
@ -245,17 +245,16 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
}
}
private async Task<bool> IsAssignedToCollectionsAsync(
private async Task<bool> CanManageCollectionsAsync(
ICollection<Collection> targetCollections,
CurrentContextOrganization org,
bool requireManagePermission)
CurrentContextOrganization org)
{
// List of collection Ids the acting user has access to
var assignedCollectionIds =
(await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId!.Value, useFlexibleCollections: true))
.Where(c =>
// Check Collections with Manage permission
(!requireManagePermission || c.Manage) && c.OrganizationId == org.Id)
c.Manage && c.OrganizationId == org.Id)
.Select(c => c.Id)
.ToHashSet();
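Review bot: The comment `// ensure they have access for the collection being read` in the first hunk of this file now sits directly above a call to `CanManageCollectionsAsync`, so it no longer describes the check; change it to `// ensure they have Manage permission for the collections being read`. With this change a user assigned to the target collections without Manage no longer satisfies that branch of the Read requirement and falls through to whatever follows the `return;` outside the hunk, which presumably ends in a failure for such users; that matches the controller change in this commit but is a behaviour change worth stating in the handler's documentation. The comments in the second, third and fourth hunks already say "manage permission", so only the first needs updating. In `CanManageCollectionsAsync` the repository call hard-codes `useFlexibleCollections: true` while the controller in this commit passes `FlexibleCollectionsIsEnabled`; if this handler can run with flexible collections disabled that mismatch deserves a comment, though I cannot tell from the hunk whether it can.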