From c4614bfb3da5863889cd04f3f678d76e4f3bce37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?= <108268980+r-tome@users.noreply.github.com>
Date: Fri, 16 Jun 2023 16:38:58 +0100
Subject: [PATCH] [AC-1144] Warn admins when removing or revoking users without master password (#2953)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* [AC-1144] Modified OrganizationUserUserDetails queries to include value for 'HasMasterPassword' property
* [AC-1144] Added 'HasMasterPassword' property to ProviderUserUserDetailsView
* [AC-1144] Added IProviderUserRepository.GetDetailsByIdAsync to get the details for a given ProviderUser.Id
* [AC-1144] Changed ProviderUsersController.Get to use ProviderUserRepository.GetDetailsByIdAsync
* [AC-1144] Modified OrganizationUsersController.Get to user OrganizationUserRepository.GetDetailsByIdWithCollectionsAsync to output HasMasterPassword value
* [AC-1144] Reverted changes for ProviderUser
* [AC-1144] Removed line break
---
 .../OrganizationUsersController.cs | 2 +-
 .../OrganizationUserResponseModel.cs | 9 ++++
 .../OrganizationUserUserDetails.cs | 1 +
 .../Queries/OrganizationUserUserViewQuery.cs | 1 +
 .../Views/OrganizationUserUserDetailsView.sql | 3 +-
 .../2023-05-18_00_UserHasMasterPassword.sql | 46 +++++++++++++++++++
 6 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2023-05-18_00_UserHasMasterPassword.sql
diff --git a/src/Api/Controllers/OrganizationUsersController.cs b/src/Api/Controllers/OrganizationUsersController.cs
index 255efdc9e4..dd69f35ac7 100644
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@@ -51,7 +51,7 @@ public class OrganizationUsersController : Controller
 [HttpGet("{id}")]
 public async Task Get(string id, bool includeGroups = false)
 {
- var organizationUser = await _organizationUserRepository.GetByIdWithCollectionsAsync(new Guid(id));
+ var organizationUser = await _organizationUserRepository.GetDetailsByIdWithCollectionsAsync(new Guid(id));
 if (organizationUser == null || !await _currentContext.ManageUsers(organizationUser.Item1.OrganizationId))
 {
 throw new NotFoundException();
diff --git a/src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs b/src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs
index 1ce055a869..7a82d6ee13 100644
--- a/src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs
@@ -47,6 +47,7 @@ public class OrganizationUserResponseModel : ResponseModel
 Permissions = CoreHelpers.LoadClassFromJsonData(organizationUser.Permissions);
 ResetPasswordEnrolled = !string.IsNullOrEmpty(organizationUser.ResetPasswordKey);
 UsesKeyConnector = organizationUser.UsesKeyConnector;
+ HasMasterPassword = organizationUser.HasMasterPassword;
 }
 public string Id { get; set; }
@@ -59,6 +60,7 @@ public class OrganizationUserResponseModel : ResponseModel
 public Permissions Permissions { get; set; }
 public bool ResetPasswordEnrolled { get; set; }
 public bool UsesKeyConnector { get; set; }
+ public bool HasMasterPassword { get; set; }
 }
 public class OrganizationUserDetailsResponseModel : OrganizationUserResponseModel
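Review bot: In `OrganizationUsersController.Get`, the guard `organizationUser == null` tests only the returned tuple, while the next operand reads `organizationUser.Item1.OrganizationId`. If `GetDetailsByIdWithCollectionsAsync` returns a non-null tuple whose `Item1` is null for an unknown id (its implementation is not part of this excerpt, so this needs confirming), the request ends in a NullReferenceException instead of the intended `NotFoundException`; `if (organizationUser?.Item1 == null || !await _currentContext.ManageUsers(organizationUser.Item1.OrganizationId))` covers both shapes. `new Guid(id)` on the changed line throws FormatException for a malformed route value, so a `Guid.TryParse` that also ends in `NotFoundException` would keep every failure path uniform. The method body continues outside the hunk.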
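Review bot: In OrganizationUserResponseModel.cs, `HasMasterPassword` is added to the base `OrganizationUserResponseModel` as a non-nullable `bool` (hunk `@@ -59,6 +60,7 @@`), but the `@@ -47,6 +47,7 @@` hunk assigns it only in the constructor that also copies `UsesKeyConnector`. Any other constructor of this class, not visible in the patch, would serialize the default `false`, and since the commit uses the flag to warn admins before removing or revoking a user, a client cannot tell "account has no master password" from "value was never loaded". Either assign it in every constructor or declare it `public bool? HasMasterPassword { get; set; }` so an unset value is emitted as null. A `/// <summary>` on the property stating where the value comes from would help too, and the same comment is missing on `OrganizationUserUserDetails.HasMasterPassword` in the `@@ -26,6 +26,7 @@` hunk.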
@@ -70,6 +72,13 @@ public class OrganizationUserDetailsResponseModel : OrganizationUserResponseMode
 Collections = collections.Select(c => new SelectionReadOnlyResponseModel(c));
 }
+ public OrganizationUserDetailsResponseModel(OrganizationUserUserDetails organizationUser,
+ IEnumerable collections)
+ : base(organizationUser, "organizationUserDetails")
+ {
+ Collections = collections.Select(c => new SelectionReadOnlyResponseModel(c));
+ }
+
 public IEnumerable Collections { get; set; }
 [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
diff --git a/src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserUserDetails.cs b/src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserUserDetails.cs
index 1dbd0972a9..0da749cad5 100644
--- a/src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserUserDetails.cs
+++ b/src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserUserDetails.cs
@@ -26,6 +26,7 @@ public class OrganizationUserUserDetails : IExternal, ITwoFactorProvidersUser
 public string Permissions { get; set; }
 public string ResetPasswordKey { get; set; }
 public bool UsesKeyConnector { get; set; }
+ public bool HasMasterPassword { get; set; }
 public ICollection Groups { get; set; } = new List();
 public ICollection Collections { get; set; } = new List();
diff --git a/src/Infrastructure.EntityFramework/Repositories/Queries/OrganizationUserUserViewQuery.cs b/src/Infrastructure.EntityFramework/Repositories/Queries/OrganizationUserUserViewQuery.cs
index 2f36743dc0..95f6638171 100644
--- a/src/Infrastructure.EntityFramework/Repositories/Queries/OrganizationUserUserViewQuery.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/Queries/OrganizationUserUserViewQuery.cs
@@ -31,6 +31,7 @@ public class OrganizationUserUserDetailsViewQuery : IQuery
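Review bot: The new `OrganizationUserDetailsResponseModel(OrganizationUserUserDetails, ...)` overload in the `@@ -70,6 +72,13 @@` hunk repeats the body of the existing constructor line for line and hands `collections` to `Select` without a guard. A null collection from the repository tuple would therefore fail inside the constructor with an ArgumentNullException raised by LINQ rather than one naming this parameter; `if (collections == null) throw new ArgumentNullException(nameof(collections));` at the top makes the contract explicit. Moving the shared projection into one private helper used by both overloads would keep them from drifting apart. The assigned `Select` is also deferred, so it is re-evaluated on every enumeration of `Collections`; whether that matters depends on callers outside this hunk.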