nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-27 22:26:13 -05:00
Code

Implement a check to throw a BadRequestException if an attempt is made to modify member access for collections of type DefaultUserCollection.

Browse Source
This commit is contained in:
Rui Tome 2025-06-16 13:09:00 +01:00
parent 4d36e87b6f
commit bcb90f2913
No known key found for this signature in database
GPG Key ID: 526239D96A8EC066
2 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/Api/Controllers/CollectionsController.cs
View File

@ -3,6 +3,7 @@ using Bit.Api.Models.Response;
using Bit.Api.Vault.AuthorizationHandlers.Collections; using Bit.Api.Vault.AuthorizationHandlers.Collections;
using Bit.Core.Context; using Bit.Core.Context;
using Bit.Core.Entities; using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Exceptions; using Bit.Core.Exceptions;
using Bit.Core.Models.Data; using Bit.Core.Models.Data;
using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces; using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
@ -208,6 +209,11 @@ public class CollectionsController : Controller
throw new NotFoundException(); throw new NotFoundException();
} }
if (collection.Type == CollectionType.DefaultUserCollection)
{
throw new BadRequestException("You cannot modify member access for collections with the type as DefaultUserCollection.");
}
await _collectionRepository.UpdateUsersAsync(collection.Id, model?.Select(g => g.ToSelectionReadOnly())); await _collectionRepository.UpdateUsersAsync(collection.Id, model?.Select(g => g.ToSelectionReadOnly()));
} }

28
test/Api.Test/Controllers/CollectionsControllerTests.cs
View File

@ -5,6 +5,7 @@ using Bit.Api.Vault.AuthorizationHandlers.Collections;
using Bit.Core.AdminConsole.Entities; using Bit.Core.AdminConsole.Entities;
using Bit.Core.Context; using Bit.Core.Context;
using Bit.Core.Entities; using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Exceptions; using Bit.Core.Exceptions;
using Bit.Core.Models.Data; using Bit.Core.Models.Data;
using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces; using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
@ -484,4 +485,31 @@ public class CollectionsControllerTests
await sutProvider.GetDependency<IBulkAddCollectionAccessCommand>().DidNotReceiveWithAnyArgs() await sutProvider.GetDependency<IBulkAddCollectionAccessCommand>().DidNotReceiveWithAnyArgs()
.AddAccessAsync(default, default, default); .AddAccessAsync(default, default, default);
} }
[Theory, BitAutoData]
public async Task PutUsers_WithDefaultUserCollectionType_ThrowsBadRequest(Organization organization,
Collection collection, IEnumerable<SelectionReadOnlyRequestModel> model, SutProvider<CollectionsController> sutProvider)
{
collection.Type = CollectionType.DefaultUserCollection;
collection.OrganizationId = organization.Id;
sutProvider.GetDependency<ICollectionRepository>()
.GetByIdAsync(collection.Id)
.Returns(collection);
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
collection,
Arg.Is<IEnumerable<IAuthorizationRequirement>>(r => r.Contains(BulkCollectionOperations.ModifyUserAccess)))
.Returns(AuthorizationResult.Success());
var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
sutProvider.Sut.PutUsers(organization.Id, collection.Id, model));
Assert.Contains("You cannot modify member access for collections with the type as DefaultUserCollection.", exception.Message);
await sutProvider.GetDependency<ICollectionRepository>()
.DidNotReceiveWithAnyArgs()
.UpdateUsersAsync(default, default);
}
} }