mirror of https://github.com/bitwarden/server.git synced 2025-07-01 08:02:49 -05:00

[AC-1880] Public API - Deprecated properties (#3706)

* feat: remove required for AccessAll and add xmldoc for usage restrictions, refs AC-1880

* feat: add validation for create group workflow wrt manage property, refs AC-1880

* feat: add validation for update group workflow wrt manage property, refs AC-1880

* feat: add validation for create and update member workflow wrt manage property, refs AC-1880

* feat: add validation for update collection workflow wrt manage property, refs AC-1880

* fix: flaky Public/GroupsControllerTests + more test coverage, refs AC-1880
Vincent Salucci
2024-02-08 07:44:36 -06:00
committed by GitHub
parent 7747744ff9
commit d29755de5a
18 changed files with 221 additions and 68 deletions


@ -36,10 +36,10 @@ public class CreateGroupCommand : ICreateGroupCommand
}
public async Task CreateGroupAsync(Group group, Organization organization,
IEnumerable<CollectionAccessSelection> collections = null,
ICollection<CollectionAccessSelection> collections = null,
IEnumerable<Guid> users = null)
{
Validate(organization, group);
Validate(organization, group, collections);
await GroupRepositoryCreateGroupAsync(group, organization, collections);
if (users != null)
@ -51,10 +51,10 @@ public class CreateGroupCommand : ICreateGroupCommand
}
public async Task CreateGroupAsync(Group group, Organization organization, EventSystemUser systemUser,
IEnumerable<CollectionAccessSelection> collections = null,
ICollection<CollectionAccessSelection> collections = null,
IEnumerable<Guid> users = null)
{
Validate(organization, group);
Validate(organization, group, collections);
await GroupRepositoryCreateGroupAsync(group, organization, collections);
if (users != null)
@ -103,7 +103,7 @@ public class CreateGroupCommand : ICreateGroupCommand
}
}
private static void Validate(Organization organization, Group group)
private static void Validate(Organization organization, Group group, IEnumerable<CollectionAccessSelection> collections)
{
if (organization == null)
{
@ -115,9 +115,18 @@ public class CreateGroupCommand : ICreateGroupCommand
throw new BadRequestException("This organization cannot use groups.");
}
if (organization.FlexibleCollections && group.AccessAll)
if (organization.FlexibleCollections)
{
throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
if (group.AccessAll)
{
throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
}
var invalidAssociations = collections?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
if (invalidAssociations?.Any() ?? false)
{
throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
}
}
}
}
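Review bot: The new Manage check in `Validate` sits inside `if (organization.FlexibleCollections)`, so for an organization without that flag a selection with `Manage` set together with `ReadOnly` or `HidePasswords` reaches `GroupRepositoryCreateGroupAsync` unchecked. If `Manage` only takes effect under flexible collections (inferred from the commit title, not visible here), such stored rows could become contradictory or broader-than-intended permissions once the organization is migrated. Consider rejecting it on the other branch with `else if (collections?.Any(cas => cas.Manage) == true)` followed by a `BadRequestException`, or running the mutual-exclusion check regardless of the flag. The same gating appears in `UpdateGroupCommand.Validate` further down. Part of `Validate` lies between the two hunks and is not shown.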


@ -7,10 +7,10 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
public interface ICreateGroupCommand
{
Task CreateGroupAsync(Group group, Organization organization,
IEnumerable<CollectionAccessSelection> collections = null,
ICollection<CollectionAccessSelection> collections = null,
IEnumerable<Guid> users = null);
Task CreateGroupAsync(Group group, Organization organization, EventSystemUser systemUser,
IEnumerable<CollectionAccessSelection> collections = null,
ICollection<CollectionAccessSelection> collections = null,
IEnumerable<Guid> users = null);
}


@ -7,10 +7,10 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
public interface IUpdateGroupCommand
{
Task UpdateGroupAsync(Group group, Organization organization,
IEnumerable<CollectionAccessSelection> collections = null,
ICollection<CollectionAccessSelection> collections = null,
IEnumerable<Guid> users = null);
Task UpdateGroupAsync(Group group, Organization organization, EventSystemUser systemUser,
IEnumerable<CollectionAccessSelection> collections = null,
ICollection<CollectionAccessSelection> collections = null,
IEnumerable<Guid> users = null);
}


@ -26,10 +26,10 @@ public class UpdateGroupCommand : IUpdateGroupCommand
}
public async Task UpdateGroupAsync(Group group, Organization organization,
IEnumerable<CollectionAccessSelection> collections = null,
ICollection<CollectionAccessSelection> collections = null,
IEnumerable<Guid> userIds = null)
{
Validate(organization, group);
Validate(organization, group, collections);
await GroupRepositoryUpdateGroupAsync(group, collections);
if (userIds != null)
@ -41,10 +41,10 @@ public class UpdateGroupCommand : IUpdateGroupCommand
}
public async Task UpdateGroupAsync(Group group, Organization organization, EventSystemUser systemUser,
IEnumerable<CollectionAccessSelection> collections = null,
ICollection<CollectionAccessSelection> collections = null,
IEnumerable<Guid> userIds = null)
{
Validate(organization, group);
Validate(organization, group, collections);
await GroupRepositoryUpdateGroupAsync(group, collections);
if (userIds != null)
@ -97,7 +97,7 @@ public class UpdateGroupCommand : IUpdateGroupCommand
}
}
private static void Validate(Organization organization, Group group)
private static void Validate(Organization organization, Group group, IEnumerable<CollectionAccessSelection> collections)
{
if (organization == null)
{
@ -109,9 +109,18 @@ public class UpdateGroupCommand : IUpdateGroupCommand
throw new BadRequestException("This organization cannot use groups.");
}
if (organization.FlexibleCollections && group.AccessAll)
if (organization.FlexibleCollections)
{
throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
if (group.AccessAll)
{
throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
}
var invalidAssociations = collections?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
if (invalidAssociations?.Any() ?? false)
{
throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
}
}
}
}
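Review bot: This `Validate` is a line-for-line copy of the one in `CreateGroupCommand`, including both error strings, and the commit message indicates the same Manage rule is also added to the member and collection workflows. A permission invariant that is copied per command tends to drift, and a path that misses a later update would accept the combination the others reject. Moving the predicate `cas.Manage && (cas.ReadOnly || cas.HidePasswords)` into one shared static helper that every command calls would keep the rule in one place, with a `/// <summary>` stating that Manage excludes ReadOnly and HidePasswords. Part of `Validate` lies between the two hunks and is not shown.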