[AC-2114] Downgrade Custom roles to User if flexible collections are enabled and only active permissions are 'Edit/Delete assigned collections' (#3770)

* [AC-2114] Downgrade Custom roles to User if flexible collections are enabled and only active permissions are 'Edit/Delete assigned collections' * [AC-2114] Undo changes to OrganizationsController * [AC-2114] Updated public API MembersController responses to have downgraded Custom user types for flexible collections
2025-07-02 00:22:50 -05:00 · 2024-02-09 17:42:01 +00:00
parent 58b54692b2
commit a9b9231cfa
5 changed files with 165 additions and 20 deletions
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@ -12,6 +12,7 @@ using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
+using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
 using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces;
@ -83,6 +84,15 @@ public class OrganizationUsersController : Controller
        }

        var response = new OrganizationUserDetailsResponseModel(organizationUser.Item1, organizationUser.Item2);
+        if (await FlexibleCollectionsIsEnabledAsync(organizationUser.Item1.OrganizationId))
+        {
+            // Downgrade Custom users with no other permissions than 'Edit/Delete Assigned Collections' to User
+            response.Type = GetFlexibleCollectionsUserType(response.Type, response.Permissions);
+
+            // Set 'Edit/Delete Assigned Collections' custom permissions to false
+            response.Permissions.EditAssignedCollections = false;
+            response.Permissions.DeleteAssignedCollections = false;
+        }

        if (includeGroups)
        {
@ -95,9 +105,12 @@ public class OrganizationUsersController : Controller
    [HttpGet("")]
    public async Task<ListResponseModel<OrganizationUserUserDetailsResponseModel>> Get(Guid orgId, bool includeGroups = false, bool includeCollections = false)
    {
-        var authorized = await FlexibleCollectionsIsEnabledAsync(orgId)
-            ? (await _authorizationService.AuthorizeAsync(User, OrganizationUserOperations.ReadAll(orgId))).Succeeded
-            : await _currentContext.ViewAllCollections(orgId) ||
+        if (await FlexibleCollectionsIsEnabledAsync(orgId))
+        {
+            return await Get_vNext(orgId, includeGroups, includeCollections);
+        }
+
+        var authorized = await _currentContext.ViewAllCollections(orgId) ||
              await _currentContext.ViewAssignedCollections(orgId) ||
              await _currentContext.ManageGroups(orgId) ||
              await _currentContext.ManageUsers(orgId);
@ -521,4 +534,65 @@ public class OrganizationUsersController : Controller
        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
        return organizationAbility?.FlexibleCollections ?? false;
    }
+
+    private async Task<ListResponseModel<OrganizationUserUserDetailsResponseModel>> Get_vNext(Guid orgId,
+        bool includeGroups = false, bool includeCollections = false)
+    {
+        var authorized = (await _authorizationService.AuthorizeAsync(
+            User, OrganizationUserOperations.ReadAll(orgId))).Succeeded;
+        if (!authorized)
+        {
+            throw new NotFoundException();
+        }
+
+        var organizationUsers = await _organizationUserRepository
+            .GetManyDetailsByOrganizationAsync(orgId, includeGroups, includeCollections);
+        var responseTasks = organizationUsers
+            .Select(async o =>
+            {
+                var orgUser = new OrganizationUserUserDetailsResponseModel(o,
+                    await _userService.TwoFactorIsEnabledAsync(o));
+
+                // Downgrade Custom users with no other permissions than 'Edit/Delete Assigned Collections' to User
+                orgUser.Type = GetFlexibleCollectionsUserType(orgUser.Type, orgUser.Permissions);
+
+                // Set 'Edit/Delete Assigned Collections' custom permissions to false
+                orgUser.Permissions.EditAssignedCollections = false;
+                orgUser.Permissions.DeleteAssignedCollections = false;
+
+                return orgUser;
+            });
+        var responses = await Task.WhenAll(responseTasks);
+
+        return new ListResponseModel<OrganizationUserUserDetailsResponseModel>(responses);
+    }
+
+    private OrganizationUserType GetFlexibleCollectionsUserType(OrganizationUserType type, Permissions permissions)
+    {
+        // Downgrade Custom users with no other permissions than 'Edit/Delete Assigned Collections' to User
+        if (type == OrganizationUserType.Custom)
+        {
+            if ((permissions.EditAssignedCollections || permissions.DeleteAssignedCollections) &&
+                permissions is
+                {
+                    AccessEventLogs: false,
+                    AccessImportExport: false,
+                    AccessReports: false,
+                    CreateNewCollections: false,
+                    EditAnyCollection: false,
+                    DeleteAnyCollection: false,
+                    ManageGroups: false,
+                    ManagePolicies: false,
+                    ManageSso: false,
+                    ManageUsers: false,
+                    ManageResetPassword: false,
+                    ManageScim: false
+                })
+            {
+                return OrganizationUserType.User;
+            }
+        }
+
+        return type;
+    }
 }