[AC-1443] Update manager permission to only see collections they have access to (#3071)

* [AC-1443] Changed CurrentContext.ViewAllCollections to only check if the user can edit or delete any collection * [AC-1443] Renamed ICollectionService.GetOrganizationCollections to GetOrganizationCollectionsAsync * [AC-1443] Changed CollectionService.GetOrganizationCollectionsAsync to first check CurrentContext.ViewAssignedCollections instead Added unit tests * [AC-1443] Added new unit test to check for Exception when user does not have permission
2025-06-30 07:36:14 -05:00 · 2023-08-08 16:54:10 +01:00
parent 5275f22f12
commit 95b7652ca9
7 changed files with 63 additions and 10 deletions
--- a/test/Api.Test/Controllers/CollectionsControllerTests.cs
+++ b/test/Api.Test/Controllers/CollectionsControllerTests.cs
@ -171,7 +171,7 @@ public class CollectionsControllerTests
            .Returns(user.Id);

        sutProvider.GetDependency<ICollectionService>()
-            .GetOrganizationCollections(orgId)
+            .GetOrganizationCollectionsAsync(orgId)
            .Returns(collections);

        // Act
@ -237,7 +237,7 @@ public class CollectionsControllerTests
            .Returns(user.Id);

        sutProvider.GetDependency<ICollectionService>()
-            .GetOrganizationCollections(orgId)
+            .GetOrganizationCollectionsAsync(orgId)
            .Returns(collections);

        // Act
--- a/test/Core.Test/Services/CollectionServiceTests.cs
+++ b/test/Core.Test/Services/CollectionServiceTests.cs
@ -1,4 +1,5 @@
-using Bit.Core.Entities;
+using Bit.Core.Context;
+using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
@ -185,4 +186,56 @@ public class CollectionServiceTest
            .LogOrganizationUserEventAsync(default, default);
    }

+    [Theory, BitAutoData]
+    public async Task GetOrganizationCollectionsAsync_WithViewAssignedCollectionsTrue_ReturnsAssignedCollections(
+        CollectionDetails collectionDetails, Guid organizationId, Guid userId, SutProvider<CollectionService> sutProvider)
+    {
+        collectionDetails.OrganizationId = organizationId;
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CollectionDetails> { collectionDetails });
+        sutProvider.GetDependency<ICurrentContext>().ViewAssignedCollections(organizationId).Returns(true);
+
+        var result = await sutProvider.Sut.GetOrganizationCollectionsAsync(organizationId);
+
+        Assert.Single(result);
+        Assert.Equal(collectionDetails, result.First());
+
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByOrganizationIdAsync(default);
+        await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByUserIdAsync(userId);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetOrganizationCollectionsAsync_WithViewAllCollectionsTrue_ReturnsAllOrganizationCollections(
+        Collection collection, Guid organizationId, Guid userId, SutProvider<CollectionService> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByOrganizationIdAsync(organizationId)
+            .Returns(new List<Collection> { collection });
+        sutProvider.GetDependency<ICurrentContext>().ViewAssignedCollections(organizationId).Returns(true);
+        sutProvider.GetDependency<ICurrentContext>().ViewAllCollections(organizationId).Returns(true);
+
+        var result = await sutProvider.Sut.GetOrganizationCollectionsAsync(organizationId);
+
+        Assert.Single(result);
+        Assert.Equal(collection, result.First());
+
+        await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByOrganizationIdAsync(organizationId);
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByUserIdAsync(default);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetOrganizationCollectionsAsync_WithViewAssignedCollectionsFalse_ThrowsBadRequestException(
+        Guid organizationId, SutProvider<CollectionService> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().ViewAssignedCollections(organizationId).Returns(false);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetOrganizationCollectionsAsync(organizationId));
+
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByOrganizationIdAsync(default);
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByUserIdAsync(default);
+    }
 }