diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs index a6ef6e7b9f..d3fdf47c2a 100644 --- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs +++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs @@ -12,6 +12,7 @@ using Bit.Core.Context; using Bit.Core.Enums; using Bit.Core.Exceptions; using Bit.Core.Models.Business; +using Bit.Core.Models.Data; using Bit.Core.Models.Data.Organizations.OrganizationUsers; using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface; using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces; @@ -83,6 +84,15 @@ public class OrganizationUsersController : Controller } var response = new OrganizationUserDetailsResponseModel(organizationUser.Item1, organizationUser.Item2); + if (await FlexibleCollectionsIsEnabledAsync(organizationUser.Item1.OrganizationId)) + { + // Downgrade Custom users with no other permissions than 'Edit/Delete Assigned Collections' to User + response.Type = GetFlexibleCollectionsUserType(response.Type, response.Permissions); + + // Set 'Edit/Delete Assigned Collections' custom permissions to false + response.Permissions.EditAssignedCollections = false; + response.Permissions.DeleteAssignedCollections = false; + } if (includeGroups) { @@ -95,9 +105,12 @@ public class OrganizationUsersController : Controller [HttpGet("")] public async Task> Get(Guid orgId, bool includeGroups = false, bool includeCollections = false) { - var authorized = await FlexibleCollectionsIsEnabledAsync(orgId) - ? (await _authorizationService.AuthorizeAsync(User, OrganizationUserOperations.ReadAll(orgId))).Succeeded - : await _currentContext.ViewAllCollections(orgId) || + if (await FlexibleCollectionsIsEnabledAsync(orgId)) + { + return await Get_vNext(orgId, includeGroups, includeCollections); + } + + var authorized = await _currentContext.ViewAllCollections(orgId) || await _currentContext.ViewAssignedCollections(orgId) || await _currentContext.ManageGroups(orgId) || await _currentContext.ManageUsers(orgId); @@ -521,4 +534,65 @@ public class OrganizationUsersController : Controller var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId); return organizationAbility?.FlexibleCollections ?? false; } + + private async Task> Get_vNext(Guid orgId, + bool includeGroups = false, bool includeCollections = false) + { + var authorized = (await _authorizationService.AuthorizeAsync( + User, OrganizationUserOperations.ReadAll(orgId))).Succeeded; + if (!authorized) + { + throw new NotFoundException(); + } + + var organizationUsers = await _organizationUserRepository + .GetManyDetailsByOrganizationAsync(orgId, includeGroups, includeCollections); + var responseTasks = organizationUsers + .Select(async o => + { + var orgUser = new OrganizationUserUserDetailsResponseModel(o, + await _userService.TwoFactorIsEnabledAsync(o)); + + // Downgrade Custom users with no other permissions than 'Edit/Delete Assigned Collections' to User + orgUser.Type = GetFlexibleCollectionsUserType(orgUser.Type, orgUser.Permissions); + + // Set 'Edit/Delete Assigned Collections' custom permissions to false + orgUser.Permissions.EditAssignedCollections = false; + orgUser.Permissions.DeleteAssignedCollections = false; + + return orgUser; + }); + var responses = await Task.WhenAll(responseTasks); + + return new ListResponseModel(responses); + } + + private OrganizationUserType GetFlexibleCollectionsUserType(OrganizationUserType type, Permissions permissions) + { + // Downgrade Custom users with no other permissions than 'Edit/Delete Assigned Collections' to User + if (type == OrganizationUserType.Custom) + { + if ((permissions.EditAssignedCollections || permissions.DeleteAssignedCollections) && + permissions is + { + AccessEventLogs: false, + AccessImportExport: false, + AccessReports: false, + CreateNewCollections: false, + EditAnyCollection: false, + DeleteAnyCollection: false, + ManageGroups: false, + ManagePolicies: false, + ManageSso: false, + ManageUsers: false, + ManageResetPassword: false, + ManageScim: false + }) + { + return OrganizationUserType.User; + } + } + + return type; + } } diff --git a/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs b/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs index a526cb0c70..163b2e27be 100644 --- a/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs +++ b/src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs @@ -69,6 +69,37 @@ public class ProfileOrganizationResponseModel : ResponseModel KeyConnectorEnabled = ssoConfigData.MemberDecryptionType == MemberDecryptionType.KeyConnector && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl); KeyConnectorUrl = ssoConfigData.KeyConnectorUrl; } + + if (FlexibleCollections) + { + // Downgrade Custom users with no other permissions than 'Edit/Delete Assigned Collections' to User + if (Type == OrganizationUserType.Custom) + { + if ((Permissions.EditAssignedCollections || Permissions.DeleteAssignedCollections) && + Permissions is + { + AccessEventLogs: false, + AccessImportExport: false, + AccessReports: false, + CreateNewCollections: false, + EditAnyCollection: false, + DeleteAnyCollection: false, + ManageGroups: false, + ManagePolicies: false, + ManageSso: false, + ManageUsers: false, + ManageResetPassword: false, + ManageScim: false + }) + { + organization.Type = OrganizationUserType.User; + } + } + + // Set 'Edit/Delete Assigned Collections' custom permissions to false + Permissions.EditAssignedCollections = false; + Permissions.DeleteAssignedCollections = false; + } } public Guid Id { get; set; } diff --git a/src/Api/AdminConsole/Public/Controllers/MembersController.cs b/src/Api/AdminConsole/Public/Controllers/MembersController.cs index f2bffb5189..4c40022990 100644 --- a/src/Api/AdminConsole/Public/Controllers/MembersController.cs +++ b/src/Api/AdminConsole/Public/Controllers/MembersController.cs @@ -61,8 +61,9 @@ public class MembersController : Controller { return new NotFoundResult(); } + var flexibleCollectionsIsEnabled = await FlexibleCollectionsIsEnabledAsync(orgUser.OrganizationId); var response = new MemberResponseModel(orgUser, await _userService.TwoFactorIsEnabledAsync(orgUser), - userDetails.Item2); + userDetails.Item2, flexibleCollectionsIsEnabled); return new JsonResult(response); } @@ -101,9 +102,10 @@ public class MembersController : Controller { var users = await _organizationUserRepository.GetManyDetailsByOrganizationAsync( _currentContext.OrganizationId.Value); + var flexibleCollectionsIsEnabled = await FlexibleCollectionsIsEnabledAsync(_currentContext.OrganizationId.Value); // TODO: Get all CollectionUser associations for the organization and marry them up here for the response. var memberResponsesTasks = users.Select(async u => new MemberResponseModel(u, - await _userService.TwoFactorIsEnabledAsync(u), null)); + await _userService.TwoFactorIsEnabledAsync(u), null, flexibleCollectionsIsEnabled)); var memberResponses = await Task.WhenAll(memberResponsesTasks); var response = new ListResponseModel(memberResponses); return new JsonResult(response); @@ -121,11 +123,11 @@ public class MembersController : Controller [ProducesResponseType(typeof(ErrorResponseModel), (int)HttpStatusCode.BadRequest)] public async Task Post([FromBody] MemberCreateRequestModel model) { - var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(_currentContext.OrganizationId.Value); - var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection(organizationAbility?.FlexibleCollections ?? false)).ToList(); + var flexibleCollectionsIsEnabled = await FlexibleCollectionsIsEnabledAsync(_currentContext.OrganizationId.Value); + var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection(flexibleCollectionsIsEnabled)).ToList(); var user = await _organizationService.InviteUserAsync(_currentContext.OrganizationId.Value, null, model.Email, model.Type.Value, model.AccessAll.Value, model.ExternalId, associations, model.Groups); - var response = new MemberResponseModel(user, associations); + var response = new MemberResponseModel(user, associations, flexibleCollectionsIsEnabled); return new JsonResult(response); } @@ -150,19 +152,19 @@ public class MembersController : Controller return new NotFoundResult(); } var updatedUser = model.ToOrganizationUser(existingUser); - var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(_currentContext.OrganizationId.Value); - var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection(organizationAbility?.FlexibleCollections ?? false)).ToList(); + var flexibleCollectionsIsEnabled = await FlexibleCollectionsIsEnabledAsync(_currentContext.OrganizationId.Value); + var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection(flexibleCollectionsIsEnabled)).ToList(); await _organizationService.SaveUserAsync(updatedUser, null, associations, model.Groups); MemberResponseModel response = null; if (existingUser.UserId.HasValue) { var existingUserDetails = await _organizationUserRepository.GetDetailsByIdAsync(id); response = new MemberResponseModel(existingUserDetails, - await _userService.TwoFactorIsEnabledAsync(existingUserDetails), associations); + await _userService.TwoFactorIsEnabledAsync(existingUserDetails), associations, flexibleCollectionsIsEnabled); } else { - response = new MemberResponseModel(updatedUser, associations); + response = new MemberResponseModel(updatedUser, associations, flexibleCollectionsIsEnabled); } return new JsonResult(response); } @@ -233,4 +235,10 @@ public class MembersController : Controller await _organizationService.ResendInviteAsync(_currentContext.OrganizationId.Value, null, id); return new OkResult(); } + + private async Task FlexibleCollectionsIsEnabledAsync(Guid organizationId) + { + var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId); + return organizationAbility?.FlexibleCollections ?? false; + } } diff --git a/src/Api/AdminConsole/Public/Models/MemberBaseModel.cs b/src/Api/AdminConsole/Public/Models/MemberBaseModel.cs index 69bb0dc6f3..983a35f840 100644 --- a/src/Api/AdminConsole/Public/Models/MemberBaseModel.cs +++ b/src/Api/AdminConsole/Public/Models/MemberBaseModel.cs @@ -1,6 +1,7 @@ using System.ComponentModel.DataAnnotations; using Bit.Core.Entities; using Bit.Core.Enums; +using Bit.Core.Models.Data; using Bit.Core.Models.Data.Organizations.OrganizationUsers; namespace Bit.Api.AdminConsole.Public.Models; @@ -9,27 +10,27 @@ public abstract class MemberBaseModel { public MemberBaseModel() { } - public MemberBaseModel(OrganizationUser user) + public MemberBaseModel(OrganizationUser user, bool flexibleCollectionsEnabled) { if (user == null) { throw new ArgumentNullException(nameof(user)); } - Type = user.Type; + Type = flexibleCollectionsEnabled ? GetFlexibleCollectionsUserType(user.Type, user.GetPermissions()) : user.Type; AccessAll = user.AccessAll; ExternalId = user.ExternalId; ResetPasswordEnrolled = user.ResetPasswordKey != null; } - public MemberBaseModel(OrganizationUserUserDetails user) + public MemberBaseModel(OrganizationUserUserDetails user, bool flexibleCollectionsEnabled) { if (user == null) { throw new ArgumentNullException(nameof(user)); } - Type = user.Type; + Type = flexibleCollectionsEnabled ? GetFlexibleCollectionsUserType(user.Type, user.GetPermissions()) : user.Type; AccessAll = user.AccessAll; ExternalId = user.ExternalId; ResetPasswordEnrolled = user.ResetPasswordKey != null; @@ -58,4 +59,34 @@ public abstract class MemberBaseModel /// [Required] public bool ResetPasswordEnrolled { get; set; } + + // TODO: AC-2188 - Remove this method when the custom users with no other permissions than 'Edit/Delete Assigned Collections' are migrated + private OrganizationUserType GetFlexibleCollectionsUserType(OrganizationUserType type, Permissions permissions) + { + // Downgrade Custom users with no other permissions than 'Edit/Delete Assigned Collections' to User + if (type == OrganizationUserType.Custom) + { + if ((permissions.EditAssignedCollections || permissions.DeleteAssignedCollections) && + permissions is + { + AccessEventLogs: false, + AccessImportExport: false, + AccessReports: false, + CreateNewCollections: false, + EditAnyCollection: false, + DeleteAnyCollection: false, + ManageGroups: false, + ManagePolicies: false, + ManageSso: false, + ManageUsers: false, + ManageResetPassword: false, + ManageScim: false + }) + { + return OrganizationUserType.User; + } + } + + return type; + } } diff --git a/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs b/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs index 7035b64295..de57e4fc48 100644 --- a/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs +++ b/src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs @@ -12,8 +12,9 @@ namespace Bit.Api.AdminConsole.Public.Models.Response; /// public class MemberResponseModel : MemberBaseModel, IResponseModel { - public MemberResponseModel(OrganizationUser user, IEnumerable collections) - : base(user) + public MemberResponseModel(OrganizationUser user, IEnumerable collections, + bool flexibleCollectionsEnabled) + : base(user, flexibleCollectionsEnabled) { if (user == null) { @@ -28,8 +29,8 @@ public class MemberResponseModel : MemberBaseModel, IResponseModel } public MemberResponseModel(OrganizationUserUserDetails user, bool twoFactorEnabled, - IEnumerable collections) - : base(user) + IEnumerable collections, bool flexibleCollectionsEnabled) + : base(user, flexibleCollectionsEnabled) { if (user == null) {