[AC-2068] Allows Users to read all users/groups when Flexible Collections is enabled (#3720)

* [AC-2068] Allow any member of an org to read all users for that organization with flexible collections * [AC-2068] Allow any member of an org to read all groups for that organization with flexible collections * [AC-2068] Formatting
2025-06-30 23:52:50 -05:00 · 2024-01-30 09:53:56 -08:00
parent 7180a6618e
commit ca2915494d
4 changed files with 12 additions and 270 deletions
--- a/src/Api/Vault/AuthorizationHandlers/Groups/GroupAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/Groups/GroupAuthorizationHandler.cs
@ -1,8 +1,5 @@
 #nullable enable
 using Bit.Core.Context;
-using Bit.Core.Enums;
-using Bit.Core.Models.Data.Organizations;
-using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;

 namespace Bit.Api.Vault.AuthorizationHandlers.Groups;
@ -14,17 +11,10 @@ namespace Bit.Api.Vault.AuthorizationHandlers.Groups;
 public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequirement>
 {
    private readonly ICurrentContext _currentContext;
-    private readonly IFeatureService _featureService;
-    private readonly IApplicationCacheService _applicationCacheService;

-    public GroupAuthorizationHandler(
-        ICurrentContext currentContext,
-        IFeatureService featureService,
-        IApplicationCacheService applicationCacheService)
+    public GroupAuthorizationHandler(ICurrentContext currentContext)
    {
        _currentContext = currentContext;
-        _featureService = featureService;
-        _applicationCacheService = applicationCacheService;
    }

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@ -56,22 +46,8 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
    private async Task CanReadAllAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement,
        CurrentContextOrganization? org)
    {
-        // Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups
-        if (org is
-        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
-        { Permissions.ManageGroups: true } or
-        { Permissions.ManageUsers: true } or
-        { Permissions.EditAnyCollection: true } or
-        { Permissions.DeleteAnyCollection: true } or
-        { Permissions.CreateNewCollections: true })
-        {
-            context.Succeed(requirement);
-            return;
-        }
-
-        // Check for non-null org here: the user must be apart of the organization for this setting to take affect
-        // If the limit collection management setting is disabled, allow any user to read all groups
-        if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
+        // All users of an organization can read all groups belonging to the organization for collection access management
+        if (org is not null)
        {
            context.Succeed(requirement);
            return;
@ -83,16 +59,4 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
            context.Succeed(requirement);
        }
    }
-
-    private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
-    {
-        // If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
-        // irrelevant
-        if (organization == null)
-        {
-            return null;
-        }
-
-        return await _applicationCacheService.GetOrganizationAbilityAsync(organization.Id);
-    }
 }
--- a/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs
@ -1,8 +1,5 @@
 #nullable enable
 using Bit.Core.Context;
-using Bit.Core.Enums;
-using Bit.Core.Models.Data.Organizations;
-using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;

 namespace Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
@ -14,17 +11,10 @@ namespace Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
 public class OrganizationUserAuthorizationHandler : AuthorizationHandler<OrganizationUserOperationRequirement>
 {
    private readonly ICurrentContext _currentContext;
-    private readonly IFeatureService _featureService;
-    private readonly IApplicationCacheService _applicationCacheService;

-    public OrganizationUserAuthorizationHandler(
-        ICurrentContext currentContext,
-        IFeatureService featureService,
-        IApplicationCacheService applicationCacheService)
+    public OrganizationUserAuthorizationHandler(ICurrentContext currentContext)
    {
        _currentContext = currentContext;
-        _featureService = featureService;
-        _applicationCacheService = applicationCacheService;
    }

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@ -55,26 +45,10 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
    private async Task CanReadAllAsync(AuthorizationHandlerContext context, OrganizationUserOperationRequirement requirement,
        CurrentContextOrganization? org)
    {
-        // If the limit collection management setting is disabled, allow any user to read all organization users
-        // Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all organization users
-        if (org is
-        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
-        { Permissions.ManageGroups: true } or
-        { Permissions.ManageUsers: true } or
-        { Permissions.EditAnyCollection: true } or
-        { Permissions.DeleteAnyCollection: true } or
-        { Permissions.CreateNewCollections: true })
+        // All users of an organization can read all other users of that organization for collection access management
+        if (org is not null)
        {
            context.Succeed(requirement);
-            return;
-        }
-
-        // Check for non-null org here: the user must be apart of the organization for this setting to take affect
-        // If the limit collection management setting is disabled, allow any user to read all organization users
-        if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
-        {
-            context.Succeed(requirement);
-            return;
        }

        // Allow provider users to read all organization users if they are a provider for the target organization
@ -83,16 +57,4 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
            context.Succeed(requirement);
        }
    }
-
-    private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
-    {
-        // If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
-        // irrelevant
-        if (organization == null)
-        {
-            return null;
-        }
-
-        return await _applicationCacheService.GetOrganizationAbilityAsync(organization.Id);
-    }
 }