
[AC-1748] Fixed logic to set manage = true for collections if user has EditAssignedCollection permission

This commit is contained in:
Rui Tome
2023-10-23 20:37:41 +01:00
parent e64a7d5210
commit cb6c411b40
2 changed files with 27 additions and 44 deletions


@ -69,20 +69,16 @@ public class CollectionService : ICollectionService
else else
{ {
// If not using Flexible Collections // If not using Flexible Collections
// all users with EditAnyCollection permission should have Can Manage permission for the collection // all users with EditAssignedCollections permission should have Manage permission for the collection
var organizationUsers = await _organizationUserRepository var organizationUsers = await _organizationUserRepository
.GetManyByOrganizationAsync(collection.OrganizationId, null); .GetManyByOrganizationAsync(collection.OrganizationId, null);
foreach (var orgUser in organizationUsers.Where(ou => ou.GetPermissions()?.EditAnyCollection ?? false)) foreach (var orgUser in organizationUsers.Where(ou => ou.GetPermissions()?.EditAssignedCollections ?? false))
{ {
var user = usersList.FirstOrDefault(u => u.Id == orgUser.Id); var user = usersList.FirstOrDefault(u => u.Id == orgUser.Id);
if (user != null) if (user != null)
{ {
user.Manage = true; user.Manage = true;
} }
else
{
usersList.Add(new CollectionAccessSelection { Id = orgUser.Id, Manage = true });
}
} }
} }
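Review bot: The new `foreach` over `organizationUsers` forces `user.Manage = true` on whatever the caller already put in `usersList`, so in the non-Flexible-Collections mode the Manage bit is derived from the EditAssignedCollections permission and any value supplied in the request for such a user is silently overwritten — the comment above the loop should say so, e.g. `// Manage is derived from the EditAssignedCollections permission here; a caller-supplied Manage value for these users is overwritten, and users not already in usersList are not added`. The lookup is also quadratic, since `usersList.FirstOrDefault(u => u.Id == orgUser.Id)` runs once per matching member; if ids in `usersList` are unique, `var byId = usersList.ToDictionary(u => u.Id);` before the loop and `if (byId.TryGetValue(orgUser.Id, out var user))` inside keeps it linear. Because the `else` branch that appended missing users is gone and the filter now tests EditAssignedCollections rather than EditAnyCollection, holders of EditAnyCollection no longer receive an explicit Manage entry on this path — fine if the legacy authorization checks that permission directly, but worth confirming. The enclosing method begins before this hunk.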


@ -919,22 +919,11 @@ public class OrganizationService : IOrganizationService
orgUser.Permissions = JsonSerializer.Serialize(invite.Permissions, JsonHelpers.CamelCase); orgUser.Permissions = JsonSerializer.Serialize(invite.Permissions, JsonHelpers.CamelCase);
} }
var collections = invite.Collections; // If Flexible Collections is disabled and the user has EditAssignedCollections permission
if (!FlexibleCollectionsIsEnabled) // grant Manage permission for all assigned collections
{ invite.Collections = ApplyManageCollectionPermissions(orgUser, invite.Collections);
// If not using Flexible Collections - add access to all collections if user has EditAnyCollection or AccessAll permissions
if (orgUser.GetPermissions()?.EditAnyCollection ?? false) limitedCollectionOrgUsers.Add((orgUser, invite.Collections));
{
var orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgUser.OrganizationId);
collections = orgCollections.Select(c => new CollectionAccessSelection { Id = c.Id, Manage = true });
}
else if (orgUser.AccessAll)
{
var orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgUser.OrganizationId);
collections = orgCollections.Select(c => new CollectionAccessSelection { Id = c.Id, ReadOnly = true });
}
}
limitedCollectionOrgUsers.Add((orgUser, collections));
if (invite.Groups != null && invite.Groups.Any()) if (invite.Groups != null && invite.Groups.Any())
{ {
@ -1021,7 +1010,7 @@ public class OrganizationService : IOrganizationService
throw new AggregateException("One or more errors occurred while inviting users.", exceptions); throw new AggregateException("One or more errors occurred while inviting users.", exceptions);
} }
return (limitedCollectionOrgUsers.Select(orgUser => orgUser.Item1).ToList(), events); return (limitedCollectionOrgUsers.Select(o => o.Item1).ToList(), events);
} }
public async Task<IEnumerable<Tuple<OrganizationUser, string>>> ResendInvitesAsync(Guid organizationId, Guid? invitingUserId, public async Task<IEnumerable<Tuple<OrganizationUser, string>>> ResendInvitesAsync(Guid organizationId, Guid? invitingUserId,
@ -1447,25 +1436,9 @@ public class OrganizationService : IOrganizationService
} }
} }
// If not using Flexible Collections - add access to all collections if user has EditAnyCollection or AccessAll permissions // If Flexible Collections is disabled and the user has EditAssignedCollections permission
if (!FlexibleCollectionsIsEnabled) // grant Manage permission for all assigned collections
{ collections = ApplyManageCollectionPermissions(user, collections);
if (user.GetPermissions()?.EditAnyCollection ?? false)
{
var orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(user.OrganizationId);
collections = orgCollections.Select(c => new CollectionAccessSelection { Id = c.Id, Manage = true });
}
else if (user.AccessAll)
{
var orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(user.OrganizationId);
collections = orgCollections.Select(c => new CollectionAccessSelection { Id = c.Id, ReadOnly = true });
}
else
{
collections = collections.Where(c => !c.Manage);
}
}
await _organizationUserRepository.ReplaceAsync(user, collections); await _organizationUserRepository.ReplaceAsync(user, collections);
if (groups != null) if (groups != null)
@ -2090,7 +2063,7 @@ public class OrganizationService : IOrganizationService
throw new BadRequestException("Custom users can not manage Admins or Owners."); throw new BadRequestException("Custom users can not manage Admins or Owners.");
} }
if (newType == OrganizationUserType.Custom && !await ValidateCustomPermissionsGrantAsync(organizationId, permissions)) if (newType == OrganizationUserType.Custom && !await ValidateCustomPermissionsGrant(organizationId, permissions))
{ {
throw new BadRequestException("Custom users can only grant the same custom permissions that they have."); throw new BadRequestException("Custom users can only grant the same custom permissions that they have.");
} }
@ -2115,7 +2088,7 @@ public class OrganizationService : IOrganizationService
} }
} }
private async Task<bool> ValidateCustomPermissionsGrantAsync(Guid organizationId, Permissions permissions) private async Task<bool> ValidateCustomPermissionsGrant(Guid organizationId, Permissions permissions)
{ {
if (permissions == null || await _currentContext.OrganizationAdmin(organizationId)) if (permissions == null || await _currentContext.OrganizationAdmin(organizationId))
{ {
@ -2570,4 +2543,18 @@ public class OrganizationService : IOrganizationService
await _collectionRepository.CreateAsync(defaultCollection); await _collectionRepository.CreateAsync(defaultCollection);
} }
} }
private IEnumerable<CollectionAccessSelection> ApplyManageCollectionPermissions(OrganizationUser orgUser, IEnumerable<CollectionAccessSelection> collections)
{
if (!FlexibleCollectionsIsEnabled && (orgUser.GetPermissions()?.EditAssignedCollections ?? false))
{
return collections.Select(c =>
{
c.Manage = true;
return c;
}).ToList();
}
return collections;
}
} }
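Review bot: `ApplyManageCollectionPermissions` (the new helper at the end of this section) only ever raises the Manage flag: when Flexible Collections is disabled and the user lacks EditAssignedCollections it returns `collections` untouched, so a client-supplied `Manage = true` on an assigned collection now flows straight into `_organizationUserRepository.ReplaceAsync(user, collections)` and into `limitedCollectionOrgUsers` on the invite path, whereas the removed branch `collections = collections.Where(c => !c.Manage);` appears to have stripped it before. If the Manage bit becomes enforced once the Flexible Collections flag is switched on, those persisted bits turn into live grants made by whoever last edited or invited the user, so the helper should normalise the flag in both directions rather than only upward (clearing it is shown below; rejecting the request is the stricter alternative). Separately, the rename to `ValidateCustomPermissionsGrant` drops the `Async` suffix from an `async Task<bool>` method, unlike `ResendInvitesAsync` and `ReplaceAsync` in the same file. The invite and save-user methods start before their hunks; only the helper is complete here.
```csharp
private IEnumerable<CollectionAccessSelection> ApplyManageCollectionPermissions(OrganizationUser orgUser, IEnumerable<CollectionAccessSelection> collections)
{
    if (!FlexibleCollectionsIsEnabled)
    {
        // Without Flexible Collections, Manage is derived from the permission and never taken from the request.
        var canManage = orgUser.GetPermissions()?.EditAssignedCollections ?? false;
        return collections.Select(c =>
        {
            c.Manage = canManage;
            return c;
        }).ToList();
    }
    return collections;
}
```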