[AC-2052] Block Manager role and AccessAll if using FlexibleCollections (#3671)

* Also don't assign AccessAll to the first orgUser if using Flexible Collections
2025-06-30 07:36:14 -05:00 · 2024-01-22 08:56:20 +10:00
parent 4b6299a055
commit 77698c3ee2
9 changed files with 291 additions and 63 deletions
--- a/src/Core/AdminConsole/OrganizationFeatures/Groups/CreateGroupCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Groups/CreateGroupCommand.cs
@ -39,7 +39,7 @@ public class CreateGroupCommand : ICreateGroupCommand
        IEnumerable<CollectionAccessSelection> collections = null,
        IEnumerable<Guid> users = null)
    {
-        Validate(organization);
+        Validate(organization, group);
        await GroupRepositoryCreateGroupAsync(group, organization, collections);

        if (users != null)
@ -54,7 +54,7 @@ public class CreateGroupCommand : ICreateGroupCommand
        IEnumerable<CollectionAccessSelection> collections = null,
        IEnumerable<Guid> users = null)
    {
-        Validate(organization);
+        Validate(organization, group);
        await GroupRepositoryCreateGroupAsync(group, organization, collections);

        if (users != null)
@ -103,7 +103,7 @@ public class CreateGroupCommand : ICreateGroupCommand
        }
    }

-    private static void Validate(Organization organization)
+    private static void Validate(Organization organization, Group group)
    {
        if (organization == null)
        {
@ -114,5 +114,10 @@ public class CreateGroupCommand : ICreateGroupCommand
        {
            throw new BadRequestException("This organization cannot use groups.");
        }
+
+        if (organization.FlexibleCollections && group.AccessAll)
+        {
+            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
+        }
    }
 }
--- a/src/Core/AdminConsole/OrganizationFeatures/Groups/UpdateGroupCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Groups/UpdateGroupCommand.cs
@ -29,7 +29,7 @@ public class UpdateGroupCommand : IUpdateGroupCommand
        IEnumerable<CollectionAccessSelection> collections = null,
        IEnumerable<Guid> userIds = null)
    {
-        Validate(organization);
+        Validate(organization, group);
        await GroupRepositoryUpdateGroupAsync(group, collections);

        if (userIds != null)
@ -44,7 +44,7 @@ public class UpdateGroupCommand : IUpdateGroupCommand
        IEnumerable<CollectionAccessSelection> collections = null,
        IEnumerable<Guid> userIds = null)
    {
-        Validate(organization);
+        Validate(organization, group);
        await GroupRepositoryUpdateGroupAsync(group, collections);

        if (userIds != null)
@ -97,7 +97,7 @@ public class UpdateGroupCommand : IUpdateGroupCommand
        }
    }

-    private static void Validate(Organization organization)
+    private static void Validate(Organization organization, Group group)
    {
        if (organization == null)
        {
@ -108,5 +108,10 @@ public class UpdateGroupCommand : IUpdateGroupCommand
        {
            throw new BadRequestException("This organization cannot use groups.");
        }
+
+        if (organization.FlexibleCollections && group.AccessAll)
+        {
+            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
+        }
    }
 }
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@ -673,7 +673,10 @@ public class OrganizationService : IOrganizationService
                    AccessSecretsManager = organization.UseSecretsManager,
                    Type = OrganizationUserType.Owner,
                    Status = OrganizationUserStatusType.Confirmed,
-                    AccessAll = true,
+
+                    // If using Flexible Collections, AccessAll is deprecated and set to false.
+                    // If not using Flexible Collections, set AccessAll to true (previous behavior)
+                    AccessAll = !organization.FlexibleCollections,
                    CreationDate = organization.CreationDate,
                    RevisionDate = organization.CreationDate
                };
@ -885,6 +888,18 @@ public class OrganizationService : IOrganizationService
            throw new NotFoundException();
        }

+        // If the organization is using Flexible Collections, prevent use of any deprecated permissions
+        if (organization.FlexibleCollections && invites.Any(i => i.invite.Type is OrganizationUserType.Manager))
+        {
+            throw new BadRequestException("The Manager role has been deprecated by collection enhancements. Use the collection Can Manage permission instead.");
+        }
+
+        if (organization.FlexibleCollections && invites.Any(i => i.invite.AccessAll))
+        {
+            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the user to collections instead.");
+        }
+        // End Flexible Collections
+
        var existingEmails = new HashSet<string>(await _organizationUserRepository.SelectKnownEmailsAsync(
            organizationId, invites.SelectMany(i => i.invite.Emails), false), StringComparer.InvariantCultureIgnoreCase);

@ -1377,6 +1392,19 @@ public class OrganizationService : IOrganizationService
            throw new BadRequestException("Organization must have at least one confirmed owner.");
        }

+        // If the organization is using Flexible Collections, prevent use of any deprecated permissions
+        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(user.OrganizationId);
+        if (organizationAbility?.FlexibleCollections == true && user.Type == OrganizationUserType.Manager)
+        {
+            throw new BadRequestException("The Manager role has been deprecated by collection enhancements. Use the collection Can Manage permission instead.");
+        }
+
+        if (organizationAbility?.FlexibleCollections == true && user.AccessAll)
+        {
+            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the user to collections instead.");
+        }
+        // End Flexible Collections
+
        // Only autoscale (if required) after all validation has passed so that we know it's a valid request before
        // updating Stripe
        if (!originalUser.AccessSecretsManager && user.AccessSecretsManager)
@ -2027,15 +2055,6 @@ public class OrganizationService : IOrganizationService
        {
            throw new BadRequestException("Custom users can only grant the same custom permissions that they have.");
        }
-
-        // TODO: pass in the whole organization object when this is refactored into a command/query
-        // See AC-2036
-        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
-        var flexibleCollectionsEnabled = organizationAbility?.FlexibleCollections ?? false;
-        if (flexibleCollectionsEnabled && newType == OrganizationUserType.Manager && oldType is not OrganizationUserType.Manager)
-        {
-            throw new BadRequestException("Manager role is deprecated after Flexible Collections.");
-        }
    }

    private async Task ValidateOrganizationCustomPermissionsEnabledAsync(Guid organizationId, OrganizationUserType newType)
@ -2451,7 +2470,10 @@ public class OrganizationService : IOrganizationService
            Key = null,
            Type = OrganizationUserType.Owner,
            Status = OrganizationUserStatusType.Invited,
-            AccessAll = true
+
+            // If using Flexible Collections, AccessAll is deprecated and set to false.
+            // If not using Flexible Collections, set AccessAll to true (previous behavior)
+            AccessAll = !organization.FlexibleCollections,
        };
        await _organizationUserRepository.CreateAsync(ownerOrganizationUser);