[AC-1880] Public API - Deprecated properties (#3706)

* feat: remove required for AccessAll and add xmldoc for usage restrictions, refs AC-1880 * feat: add validation for create group workflow wrt manage property, refs AC-1880 * feat: add validation for update group workflow wrt manage property, refs AC-1880 * feat: add validation for create and update member workflow wrt manage property, refs AC-1880 * feat: add validation for update collection workflow wrt manage property, refs AC-1880 * fix: flaky Public/GroupsControllerTests + more test coverage, refs AC-1880
2025-07-02 16:42:50 -05:00 · 2024-02-08 07:44:36 -06:00
parent 7747744ff9
commit d29755de5a
18 changed files with 221 additions and 68 deletions
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@ -1370,7 +1370,7 @@ public class OrganizationService : IOrganizationService
    }

    public async Task SaveUserAsync(OrganizationUser user, Guid? savingUserId,
-        IEnumerable<CollectionAccessSelection> collections,
+        ICollection<CollectionAccessSelection> collections,
        IEnumerable<Guid> groups)
    {
        if (user.Id.Equals(default(Guid)))
@ -1408,6 +1408,15 @@ public class OrganizationService : IOrganizationService
        {
            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the user to collections instead.");
        }
+
+        if (organizationAbility?.FlexibleCollections == true && collections?.Any() == true)
+        {
+            var invalidAssociations = collections.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
+            if (invalidAssociations.Any())
+            {
+                throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
+            }
+        }
        // End Flexible Collections

        // Only autoscale (if required) after all validation has passed so that we know it's a valid request before
@ -1625,9 +1634,20 @@ public class OrganizationService : IOrganizationService
    }

    public async Task<OrganizationUser> InviteUserAsync(Guid organizationId, Guid? invitingUserId, string email,
-        OrganizationUserType type, bool accessAll, string externalId, IEnumerable<CollectionAccessSelection> collections,
+        OrganizationUserType type, bool accessAll, string externalId, ICollection<CollectionAccessSelection> collections,
        IEnumerable<Guid> groups)
    {
+        // Validate Collection associations if org is using latest collection enhancements
+        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
+        if (organizationAbility?.FlexibleCollections ?? false)
+        {
+            var invalidAssociations = collections?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
+            if (invalidAssociations?.Any() ?? false)
+            {
+                throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
+            }
+        }
+
        return await SaveUserSendInviteAsync(organizationId, invitingUserId, systemUser: null, email, type, accessAll, externalId, collections, groups);
    }

@ -1635,6 +1655,7 @@ public class OrganizationService : IOrganizationService
        OrganizationUserType type, bool accessAll, string externalId, IEnumerable<CollectionAccessSelection> collections,
        IEnumerable<Guid> groups)
    {
+        // Collection associations validation not required as they are always an empty list - created via system user (scim)
        return await SaveUserSendInviteAsync(organizationId, invitingUserId: null, systemUser, email, type, accessAll, externalId, collections, groups);
    }