remove admin checks from services for ctrl context

src/Api/Controllers/OrganizationUsersController.cs

@@ -7,6 +7,7 @@ using Microsoft.AspNetCore.Authorization;
 using Bit.Core.Models.Api;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
+using Bit.Core;
 
 namespace Bit.Api.Controllers
 {
@@ -19,26 +20,29 @@ namespace Bit.Api.Controllers
         private readonly IOrganizationService _organizationService;
         private readonly ISubvaultRepository _subvaultRepository;
         private readonly IUserService _userService;
+        private readonly CurrentContext _currentContext;
 
         public OrganizationUsersController(
             IOrganizationRepository organizationRepository,
             IOrganizationUserRepository organizationUserRepository,
             IOrganizationService organizationService,
             ISubvaultRepository subvaultRepository,
-            IUserService userService)
+            IUserService userService,
+            CurrentContext currentContext)
         {
             _organizationRepository = organizationRepository;
             _organizationUserRepository = organizationUserRepository;
             _organizationService = organizationService;
             _subvaultRepository = subvaultRepository;
             _userService = userService;
+            _currentContext = currentContext;
         }
 
         [HttpGet("{id}")]
         public async Task<OrganizationUserDetailsResponseModel> Get(string orgId, string id)
         {
             var organizationUser = await _organizationUserRepository.GetDetailsByIdAsync(new Guid(id));
-            if(organizationUser == null)
+            if(organizationUser == null || !_currentContext.OrganizationAdmin(organizationUser.Item1.OrganizationId))
             {
                 throw new NotFoundException();
             }
@@ -49,7 +53,13 @@ namespace Bit.Api.Controllers
         [HttpGet("")]
         public async Task<ListResponseModel<OrganizationUserResponseModel>> Get(string orgId)
         {
-            var organizationUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(new Guid(orgId));
+            var orgGuidId = new Guid(orgId);
+            if(!_currentContext.OrganizationAdmin(orgGuidId))
+            {
+                throw new NotFoundException();
+            }
+
+            var organizationUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(orgGuidId);
             var responses = organizationUsers.Select(o => new OrganizationUserResponseModel(o));
             return new ListResponseModel<OrganizationUserResponseModel>(responses);
         }
@@ -57,8 +67,14 @@ namespace Bit.Api.Controllers
         [HttpPost("invite")]
         public async Task Invite(string orgId, [FromBody]OrganizationUserInviteRequestModel model)
         {
+            var orgGuidId = new Guid(orgId);
+            if(!_currentContext.OrganizationAdmin(orgGuidId))
+            {
+                throw new NotFoundException();
+            }
+
             var userId = _userService.GetProperUserId(User);
-            var result = await _organizationService.InviteUserAsync(new Guid(orgId), userId.Value, model.Email, model.Type.Value,
+            var result = await _organizationService.InviteUserAsync(orgGuidId, userId.Value, model.Email, model.Type.Value,
                 model.Subvaults?.Select(s => s.ToSubvaultUser()));
         }
 
@@ -66,8 +82,14 @@ namespace Bit.Api.Controllers
         [HttpPost("{id}/reinvite")]
         public async Task Reinvite(string orgId, string id)
         {
+            var orgGuidId = new Guid(orgId);
+            if(!_currentContext.OrganizationAdmin(orgGuidId))
+            {
+                throw new NotFoundException();
+            }
+
             var userId = _userService.GetProperUserId(User);
-            await _organizationService.ResendInviteAsync(new Guid(orgId), userId.Value, new Guid(id));
+            await _organizationService.ResendInviteAsync(orgGuidId, userId.Value, new Guid(id));
         }
 
         [HttpPut("{id}/accept")]
@@ -82,16 +104,28 @@ namespace Bit.Api.Controllers
         [HttpPost("{id}/confirm")]
         public async Task Confirm(string orgId, string id, [FromBody]OrganizationUserConfirmRequestModel model)
         {
+            var orgGuidId = new Guid(orgId);
+            if(!_currentContext.OrganizationAdmin(orgGuidId))
+            {
+                throw new NotFoundException();
+            }
+
             var userId = _userService.GetProperUserId(User);
-            var result = await _organizationService.ConfirmUserAsync(new Guid(orgId), new Guid(id), model.Key, userId.Value);
+            var result = await _organizationService.ConfirmUserAsync(orgGuidId, new Guid(id), model.Key, userId.Value);
         }
 
         [HttpPut("{id}")]
         [HttpPost("{id}")]
         public async Task Put(string orgId, string id, [FromBody]OrganizationUserUpdateRequestModel model)
         {
+            var orgGuidId = new Guid(orgId);
+            if(!_currentContext.OrganizationAdmin(orgGuidId))
+            {
+                throw new NotFoundException();
+            }
+
             var organizationUser = await _organizationUserRepository.GetByIdAsync(new Guid(id));
-            if(organizationUser == null)
+            if(organizationUser == null || organizationUser.OrganizationId != orgGuidId)
             {
                 throw new NotFoundException();
             }
@@ -105,8 +139,14 @@ namespace Bit.Api.Controllers
         [HttpPost("{id}/delete")]
         public async Task Delete(string orgId, string id)
         {
+            var orgGuidId = new Guid(orgId);
+            if(!_currentContext.OrganizationAdmin(orgGuidId))
+            {
+                throw new NotFoundException();
+            }
+
             var userId = _userService.GetProperUserId(User);
-            await _organizationService.DeleteUserAsync(new Guid(orgId), new Guid(id), userId.Value);
+            await _organizationService.DeleteUserAsync(orgGuidId, new Guid(id), userId.Value);
         }
     }
 }