[PM-7742] Set hasManageResetPasswordPermission for owner and admin invitees (#4528)

* Set hasManageResetPasswordPermission for owner and admin invitees * Make userdecryptionoptionsbuilder ignore orgusertype if orguser is null
2025-04-05 05:00:19 -05:00 · 2024-08-06 11:22:10 +02:00 · 2024-08-06 11:22:10 +02:00 · 7d48102865
commit 7d48102865
parent 4d3c1c5a5c
2 changed files with 37 additions and 0 deletions
--- a/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs
+++ b/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs
@ -4,6 +4,7 @@ using Bit.Core.Auth.Models.Api.Response;
 using Bit.Core.Auth.Utilities;
 using Bit.Core.Context;
 using Bit.Core.Entities;
+using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Identity.Utilities;

@ -137,6 +138,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
            // If sso configuration data is not null then I know for sure that ssoConfiguration isn't null
            var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(_ssoConfig.OrganizationId, _user.Id);

+            hasManageResetPasswordPermission |= organizationUser != null && (organizationUser.Type == OrganizationUserType.Owner || organizationUser.Type == OrganizationUserType.Admin);
            // They are only able to be approved by an admin if they have enrolled is reset password
            hasAdminApproval = organizationUser != null && !string.IsNullOrEmpty(organizationUser.ResetPasswordKey);
        }
--- a/test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs
+++ b/test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs
@ -3,6 +3,7 @@ using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Context;
 using Bit.Core.Entities;
+using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Identity.IdentityServer;
 using Bit.Identity.Utilities;
@ -131,6 +132,40 @@ public class UserDecryptionOptionsBuilderTests
        Assert.True(result.TrustedDeviceOption?.HasManageResetPasswordPermission);
    }

+    [Theory, BitAutoData]
+    public async Task Build_WhenIsOwnerInvite_ShouldReturnHasManageResetPasswordPermissionTrue(
+        SsoConfig ssoConfig,
+        SsoConfigurationData configurationData,
+        OrganizationUser organizationUser,
+        User user)
+    {
+        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
+        ssoConfig.Data = configurationData.Serialize();
+        organizationUser.Type = OrganizationUserType.Owner;
+        _organizationUserRepository.GetByOrganizationAsync(ssoConfig.OrganizationId, user.Id).Returns(organizationUser);
+
+        var result = await _builder.ForUser(user).WithSso(ssoConfig).BuildAsync();
+
+        Assert.True(result.TrustedDeviceOption?.HasManageResetPasswordPermission);
+    }
+
+    [Theory, BitAutoData]
+    public async Task Build_WhenIsAdminInvite_ShouldReturnHasManageResetPasswordPermissionTrue(
+        SsoConfig ssoConfig,
+        SsoConfigurationData configurationData,
+        OrganizationUser organizationUser,
+        User user)
+    {
+        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
+        ssoConfig.Data = configurationData.Serialize();
+        organizationUser.Type = OrganizationUserType.Admin;
+        _organizationUserRepository.GetByOrganizationAsync(ssoConfig.OrganizationId, user.Id).Returns(organizationUser);
+
+        var result = await _builder.ForUser(user).WithSso(ssoConfig).BuildAsync();
+
+        Assert.True(result.TrustedDeviceOption?.HasManageResetPasswordPermission);
+    }
+
    [Theory, BitAutoData]
    public async Task Build_WhenUserHasEnrolledIntoPasswordReset_ShouldReturnHasAdminApprovalTrue(
        SsoConfig ssoConfig,