[AC-1139] Rewrote CollectionAuthorizationHandler to be similar to other AuthHandlers; Revisited unit tests

2025-07-01 16:12:49 -05:00 · 2023-11-24 16:16:07 +00:00
parent 22a90dee77
commit 95e6211ab9
2 changed files with 59 additions and 45 deletions
--- a/src/Api/Vault/AuthorizationHandlers/Collections/CollectionAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/Collections/CollectionAuthorizationHandler.cs
@ -16,7 +16,6 @@ public class CollectionAuthorizationHandler : AuthorizationHandler<CollectionOpe
 {
    private readonly ICurrentContext _currentContext;
    private readonly IFeatureService _featureService;
-    private Guid _targetOrganizationId;

    private bool UseFlexibleCollections => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);

@ -65,22 +64,21 @@ public class CollectionAuthorizationHandler : AuthorizationHandler<CollectionOpe
    }

    private async Task CanReadAllAsync(AuthorizationHandlerContext context, CollectionOperationRequirement requirement,
-        CurrentContextOrganization org)
+        CurrentContextOrganization? org)
    {
-        if (org != null)
+        // Owners, Admins, and users with EditAnyCollection, DeleteAnyCollection,
+        // or AccessImportExport permission can always read a collection
+        if (org is
+        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
+        { Permissions.EditAnyCollection: true } or
+        { Permissions.DeleteAnyCollection: true } or
+        { Permissions.AccessImportExport: true })
        {
-            // Acting user is a member of the target organization, check permissions
-            if (org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin ||
-                  org.Permissions.EditAnyCollection ||
-                  org.Permissions.DeleteAnyCollection ||
-                  org.Permissions.AccessImportExport)
-            {
-                context.Succeed(requirement);
-                return;
-            }
+            context.Succeed(requirement);
+            return;
        }

-        // Check if acting user is a provider user for the target organization
+        // Allow provider users to read collections if they are a provider for the target organization
        if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
        {
            context.Succeed(requirement);
@ -88,21 +86,20 @@ public class CollectionAuthorizationHandler : AuthorizationHandler<CollectionOpe
    }

    private async Task CanReadAllWithAccessAsync(AuthorizationHandlerContext context, CollectionOperationRequirement requirement,
-        CurrentContextOrganization org)
+        CurrentContextOrganization? org)
    {
-        if (org != null)
+        // Owners, Admins, and users with EditAnyCollection or DeleteAnyCollection
+        // permission can always read a collection
+        if (org is
+        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
+        { Permissions.EditAnyCollection: true } or
+        { Permissions.DeleteAnyCollection: true })
        {
-            // Acting user is a member of the target organization, check permissions
-            if (org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin ||
-                org.Permissions.EditAnyCollection ||
-                org.Permissions.DeleteAnyCollection)
-            {
-                context.Succeed(requirement);
-                return;
-            }
+            context.Succeed(requirement);
+            return;
        }

-        // Check if acting user is a provider user for the target organization
+        // Allow provider users to read collections if they are a provider for the target organization
        if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
        {
            context.Succeed(requirement);
--- a/test/Api.Test/Vault/AuthorizationHandlers/CollectionAuthorizationHandlerTests.cs
+++ b/test/Api.Test/Vault/AuthorizationHandlers/CollectionAuthorizationHandlerTests.cs
@ -101,7 +101,7 @@ public class CollectionAuthorizationHandlerTests
    [Theory]
    [BitAutoData(OrganizationUserType.User)]
    [BitAutoData(OrganizationUserType.Custom)]
-    public async Task CanReadAllAsync_WhenMissingAccess_Failure(
+    public async Task CanReadAllAsync_WhenMissingPermissions_NoSuccess(
        OrganizationUserType userType,
        SutProvider<CollectionAuthorizationHandler> sutProvider,
        CurrentContextOrganization organization)
@ -211,7 +211,7 @@ public class CollectionAuthorizationHandlerTests
    [Theory]
    [BitAutoData(OrganizationUserType.User)]
    [BitAutoData(OrganizationUserType.Custom)]
-    public async Task CanReadAllWithAccessAsync_WhenMissingAccess_Failure(
+    public async Task CanReadAllWithAccessAsync_WhenMissingPermissions_NoSuccess(
        OrganizationUserType userType,
        SutProvider<CollectionAuthorizationHandler> sutProvider,
        CurrentContextOrganization organization)
@ -240,25 +240,7 @@ public class CollectionAuthorizationHandlerTests
    }

    [Theory, BitAutoData]
-    public async Task HandleRequirementAsync_MissingUserId_Failure(
-        Guid organizationId,
-        SutProvider<CollectionAuthorizationHandler> sutProvider)
-    {
-        var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.ReadAll(organizationId) },
-            new ClaimsPrincipal(),
-            null
-        );
-
-        // Simulate missing user id
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns((Guid?)null);
-
-        await sutProvider.Sut.HandleAsync(context);
-        Assert.False(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData]
-    public async Task HandleRequirementAsync_MissingOrg_Failure(
+    public async Task HandleRequirementAsync_WhenMissingOrgAccess_NoSuccess(
        Guid userId,
        Guid organizationId,
        SutProvider<CollectionAuthorizationHandler> sutProvider)
@ -275,4 +257,39 @@ public class CollectionAuthorizationHandlerTests
        await sutProvider.Sut.HandleAsync(context);
        Assert.False(context.HasSucceeded);
    }
+
+    [Theory, BitAutoData]
+    public async Task HandleRequirementAsync_MissingUserId_Failure(
+        Guid organizationId,
+        SutProvider<CollectionAuthorizationHandler> sutProvider)
+    {
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperations.ReadAll(organizationId) },
+            new ClaimsPrincipal(),
+            null
+        );
+
+        // Simulate missing user id
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns((Guid?)null);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.True(context.HasFailed);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleRequirementAsync_NoSpecifiedOrgId_Failure(
+        SutProvider<CollectionAuthorizationHandler> sutProvider)
+    {
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperations.ReadAll(default) },
+            new ClaimsPrincipal(),
+            null
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(new Guid());
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasFailed);
+    }
 }