mirror of
https://github.com/bitwarden/server.git
synced 2025-07-01 08:02:49 -05:00
EC-262 - implement org user deactivated flag and behavior server (#2050)
* SM-47 - Add Disabled status to enum + schema * SM-47 - Enable and disable sprocs and repositories * SM-47 - Organization service enble/disable user * SM-47 - Fix lint errors * SM-47 - add disable/enable endpoints to API * SM-47 - Add bulk operations for enable/disable * SM-47 - Fix linting errors, one of these days I'll do this first * SM-47 - Codesense fix DRY warnings * EC-262 - Code review changes, async cleanup * EC-262 - Fix build issues, async refs * EC-262 - Update controller param types * EC-262 - Ensure mutable state is correct * EC-262 - rename disabled to deactivated
This commit is contained in:
Chad Scharf
@ -51,6 +51,8 @@
|
||||
OrganizationUser_AdminResetPassword = 1508,
|
||||
OrganizationUser_ResetSsoLink = 1509,
|
||||
OrganizationUser_FirstSsoLogin = 1510,
|
||||
OrganizationUser_Deactivated = 1511,
|
||||
OrganizationUser_Activated = 1512,
|
||||
|
||||
Organization_Updated = 1600,
|
||||
Organization_PurgedVault = 1601,
|
||||
|
||||
@ -1,9 +1,10 @@
|
||||
namespace Bit.Core.Enums
|
||||
{
|
||||
public enum OrganizationUserStatusType : byte
|
||||
public enum OrganizationUserStatusType : short
|
||||
{
|
||||
Invited = 0,
|
||||
Accepted = 1,
|
||||
Confirmed = 2
|
||||
Confirmed = 2,
|
||||
Deactivated = -1,
|
||||
}
|
||||
}
|
||||
|
||||
@ -39,5 +39,7 @@ namespace Bit.Core.Repositories
|
||||
Task<OrganizationUser> GetByOrganizationEmailAsync(Guid organizationId, string email);
|
||||
Task<IEnumerable<OrganizationUserPublicKey>> GetManyPublicKeysByOrganizationUserAsync(Guid organizationId, IEnumerable<Guid> Ids);
|
||||
Task<IEnumerable<OrganizationUserUserDetails>> GetManyByMinimumRoleAsync(Guid organizationId, OrganizationUserType minRole);
|
||||
Task DeactivateAsync(Guid id);
|
||||
Task ActivateAsync(Guid id, OrganizationUserStatusType status);
|
||||
}
|
||||
}
|
||||
|
||||
@ -61,5 +61,11 @@ namespace Bit.Core.Services
|
||||
Task DeleteSsoUserAsync(Guid userId, Guid? organizationId);
|
||||
Task<Organization> UpdateOrganizationKeysAsync(Guid orgId, string publicKey, string privateKey);
|
||||
Task<bool> HasConfirmedOwnersExceptAsync(Guid organizationId, IEnumerable<Guid> organizationUsersId, bool includeProvider = true);
|
||||
Task DeactivateUserAsync(OrganizationUser organizationUser, Guid? disablingUserId);
|
||||
Task<List<Tuple<OrganizationUser, string>>> DeactivateUsersAsync(Guid organizationId,
|
||||
IEnumerable<Guid> organizationUserIds, Guid? disablingUserId);
|
||||
Task ActivateUserAsync(OrganizationUser organizationUser, Guid? enablingUserId);
|
||||
Task<List<Tuple<OrganizationUser, string>>> ActivateUsersAsync(Guid organizationId,
|
||||
IEnumerable<Guid> organizationUserIds, Guid? enablingUserId);
|
||||
}
|
||||
}
|
||||
|
||||
@ -2186,5 +2186,186 @@ namespace Bit.Core.Services
|
||||
throw new BadRequestException("You cannot delete an Organization that is using Key Connector.");
|
||||
}
|
||||
}
|
||||
|
||||
public async Task DeactivateUserAsync(OrganizationUser organizationUser, Guid? disablingUserId)
|
||||
{
|
||||
if (organizationUser.Status == OrganizationUserStatusType.Deactivated)
|
||||
{
|
||||
throw new BadRequestException("Already deactivated.");
|
||||
}
|
||||
|
||||
if (disablingUserId.HasValue && organizationUser.UserId == disablingUserId.Value)
|
||||
{
|
||||
throw new BadRequestException("You cannot deactivate yourself.");
|
||||
}
|
||||
|
||||
if (organizationUser.Type == OrganizationUserType.Owner && disablingUserId.HasValue &&
|
||||
!await _currentContext.OrganizationOwner(organizationUser.OrganizationId))
|
||||
{
|
||||
throw new BadRequestException("Only owners can deactivate other owners.");
|
||||
}
|
||||
|
||||
if (!await HasConfirmedOwnersExceptAsync(organizationUser.OrganizationId, new[] { organizationUser.Id }))
|
||||
{
|
||||
throw new BadRequestException("Organization must have at least one confirmed owner.");
|
||||
}
|
||||
|
||||
await _organizationUserRepository.DeactivateAsync(organizationUser.Id);
|
||||
organizationUser.Status = OrganizationUserStatusType.Deactivated;
|
||||
await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Deactivated);
|
||||
}
|
||||
|
||||
public async Task<List<Tuple<OrganizationUser, string>>> DeactivateUsersAsync(Guid organizationId,
|
||||
IEnumerable<Guid> organizationUserIds, Guid? disablingUserId)
|
||||
{
|
||||
var orgUsers = await _organizationUserRepository.GetManyAsync(organizationUserIds);
|
||||
var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId)
|
||||
.ToList();
|
||||
|
||||
if (!filteredUsers.Any())
|
||||
{
|
||||
throw new BadRequestException("Users invalid.");
|
||||
}
|
||||
|
||||
if (!await HasConfirmedOwnersExceptAsync(organizationId, organizationUserIds))
|
||||
{
|
||||
throw new BadRequestException("Organization must have at least one confirmed owner.");
|
||||
}
|
||||
|
||||
var deletingUserIsOwner = false;
|
||||
if (disablingUserId.HasValue)
|
||||
{
|
||||
deletingUserIsOwner = await _currentContext.OrganizationOwner(organizationId);
|
||||
}
|
||||
|
||||
var result = new List<Tuple<OrganizationUser, string>>();
|
||||
|
||||
foreach (var organizationUser in filteredUsers)
|
||||
{
|
||||
try
|
||||
{
|
||||
if (disablingUserId.HasValue && organizationUser.UserId == disablingUserId)
|
||||
{
|
||||
throw new BadRequestException("You cannot deactivate yourself.");
|
||||
}
|
||||
|
||||
if (organizationUser.Type == OrganizationUserType.Owner && disablingUserId.HasValue && !deletingUserIsOwner)
|
||||
{
|
||||
throw new BadRequestException("Only owners can deactivate other owners.");
|
||||
}
|
||||
|
||||
await _organizationUserRepository.DeactivateAsync(organizationUser.Id);
|
||||
organizationUser.Status = OrganizationUserStatusType.Deactivated;
|
||||
await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Deactivated);
|
||||
|
||||
result.Add(Tuple.Create(organizationUser, ""));
|
||||
}
|
||||
catch (BadRequestException e)
|
||||
{
|
||||
result.Add(Tuple.Create(organizationUser, e.Message));
|
||||
}
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
public async Task ActivateUserAsync(OrganizationUser organizationUser, Guid? enablingUserId)
|
||||
{
|
||||
if (organizationUser.Status != OrganizationUserStatusType.Deactivated)
|
||||
{
|
||||
throw new BadRequestException("Already active.");
|
||||
}
|
||||
|
||||
if (enablingUserId.HasValue && organizationUser.UserId == enablingUserId.Value)
|
||||
{
|
||||
throw new BadRequestException("You cannot activate yourself.");
|
||||
}
|
||||
|
||||
if (organizationUser.Type == OrganizationUserType.Owner && enablingUserId.HasValue &&
|
||||
!await _currentContext.OrganizationOwner(organizationUser.OrganizationId))
|
||||
{
|
||||
throw new BadRequestException("Only owners can activate other owners.");
|
||||
}
|
||||
|
||||
var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
|
||||
|
||||
await _organizationUserRepository.ActivateAsync(organizationUser.Id, status);
|
||||
organizationUser.Status = status;
|
||||
await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Activated);
|
||||
}
|
||||
|
||||
public async Task<List<Tuple<OrganizationUser, string>>> ActivateUsersAsync(Guid organizationId,
|
||||
IEnumerable<Guid> organizationUserIds, Guid? enablingUserId)
|
||||
{
|
||||
var orgUsers = await _organizationUserRepository.GetManyAsync(organizationUserIds);
|
||||
var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId)
|
||||
.ToList();
|
||||
|
||||
if (!filteredUsers.Any())
|
||||
{
|
||||
throw new BadRequestException("Users invalid.");
|
||||
}
|
||||
|
||||
var deletingUserIsOwner = false;
|
||||
if (enablingUserId.HasValue)
|
||||
{
|
||||
deletingUserIsOwner = await _currentContext.OrganizationOwner(organizationId);
|
||||
}
|
||||
|
||||
var result = new List<Tuple<OrganizationUser, string>>();
|
||||
|
||||
foreach (var organizationUser in filteredUsers)
|
||||
{
|
||||
try
|
||||
{
|
||||
if (organizationUser.Status != OrganizationUserStatusType.Deactivated)
|
||||
{
|
||||
throw new BadRequestException("Already active.");
|
||||
}
|
||||
|
||||
if (enablingUserId.HasValue && organizationUser.UserId == enablingUserId)
|
||||
{
|
||||
throw new BadRequestException("You cannot activate yourself.");
|
||||
}
|
||||
|
||||
if (organizationUser.Type == OrganizationUserType.Owner && enablingUserId.HasValue && !deletingUserIsOwner)
|
||||
{
|
||||
throw new BadRequestException("Only owners can activate other owners.");
|
||||
}
|
||||
|
||||
var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
|
||||
|
||||
await _organizationUserRepository.ActivateAsync(organizationUser.Id, status);
|
||||
organizationUser.Status = status;
|
||||
await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Activated);
|
||||
|
||||
result.Add(Tuple.Create(organizationUser, ""));
|
||||
}
|
||||
catch (BadRequestException e)
|
||||
{
|
||||
result.Add(Tuple.Create(organizationUser, e.Message));
|
||||
}
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
static OrganizationUserStatusType GetPriorActiveOrganizationUserStatusType(OrganizationUser organizationUser)
|
||||
{
|
||||
// Determine status to revert back to
|
||||
var status = OrganizationUserStatusType.Invited;
|
||||
if (organizationUser.UserId.HasValue && string.IsNullOrWhiteSpace(organizationUser.Email))
|
||||
{
|
||||
// Has UserId & Email is null, then Accepted
|
||||
status = OrganizationUserStatusType.Accepted;
|
||||
if (!string.IsNullOrWhiteSpace(organizationUser.Key))
|
||||
{
|
||||
// We have an org key for this user, user was confirmed
|
||||
status = OrganizationUserStatusType.Confirmed;
|
||||
}
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user