All attributes all the time

2025-04-04 20:50:21 -05:00 · 2025-03-21 13:21:52 +10:00 · 2025-03-21 13:21:52 +10:00 · dad05fca77
commit dad05fca77
parent dd67c41ed7
3 changed files with 40 additions and 30 deletions
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@ -146,16 +146,9 @@ public class OrganizationUsersController : Controller
    }

    [HttpGet("")]
-    [RoleRequirement(OrganizationUserType.Owner)]
+    [ManageUsersRequirement]
    public async Task<ListResponseModel<OrganizationUserUserDetailsResponseModel>> Get(Guid orgId, bool includeGroups = false, bool includeCollections = false)
    {
-        // var authorized = (await _authorizationService.AuthorizeAsync(
-        //     User, new OrganizationScope(orgId), OrganizationUserUserDetailsOperations.ReadAll)).Succeeded;
-        // if (!authorized)
-        // {
-        //     throw new NotFoundException();
-        // }
-
        var organizationUsers = await _organizationUserUserDetailsQuery.GetOrganizationUserUserDetails(
            new OrganizationUserUserDetailsQueryRequest
            {
--- a/src/Api/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Api/Utilities/ServiceCollectionExtensions.cs
@ -107,6 +107,6 @@ public static class ServiceCollectionExtensions
        services.AddScoped<IAuthorizationHandler, SecurityTaskAuthorizationHandler>();
        services.AddScoped<IAuthorizationHandler, SecurityTaskOrganizationAuthorizationHandler>();

-        services.AddScoped<IAuthorizationHandler, RoleAuthorizationHandler>();
+        services.AddScoped<IAuthorizationHandler, AdminConsoleRequirementsHandler>();
    }
 }
--- a/src/Core/AdminConsole/OrganizationFeatures/RoleAuthorizationHandler.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/RoleAuthorizationHandler.cs
@ -1,4 +1,6 @@
-using Bit.Core.Context;
+#nullable enable
+
+using Bit.Core.Context;
 using Bit.Core.Enums;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
@ -6,43 +8,58 @@ using Microsoft.AspNetCore.Routing;

 namespace Bit.Core.AdminConsole.OrganizationFeatures;

-public class RoleRequirementAttribute
+public abstract class OrganizationRequirementAttribute
    : AuthorizeAttribute, IAuthorizationRequirement, IAuthorizationRequirementData
 {
-    public OrganizationUserType Role { get; set; }
-
-    public RoleRequirementAttribute(OrganizationUserType type)
-    {
-        Role = type;
-    }
-
-    public IEnumerable<IAuthorizationRequirement> GetRequirements()
-    {
-        yield return this;
-    }
+    public IEnumerable<IAuthorizationRequirement> GetRequirements() => [this];
 }

-public class RoleAuthorizationHandler(ICurrentContext currentContext, IHttpContextAccessor httpContextAccessor) : AuthorizationHandler<RoleRequirementAttribute>
+public abstract class OrganizationRequirementHandler : AuthorizationHandler<OrganizationRequirementAttribute>
 {
-    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RoleRequirementAttribute requirementAttribute)
+    protected Guid? OrganizationId { get; set; }
+    protected CurrentContextOrganization? Organization { get; set; }
+
+    protected OrganizationRequirementHandler(ICurrentContext currentContext, IHttpContextAccessor httpContextAccessor)
    {
        if (httpContextAccessor.HttpContext is null)
        {
-            return Task.CompletedTask;
+            return;
        }

        httpContextAccessor.HttpContext.GetRouteData().Values.TryGetValue("orgId", out var orgIdParam);
        if (!Guid.TryParse(orgIdParam?.ToString(), out var orgId))
        {
            // No orgId supplied, unable to authorize
-            return Task.CompletedTask;
+            return;
        }

-        // This could be an extension method on ClaimsPrincipal
-        var orgClaims = currentContext.GetOrganization(orgId);
-        if (orgClaims?.Type == requirementAttribute.Role)
+        OrganizationId = orgId;
+        if (OrganizationId.HasValue)
        {
-            context.Succeed(requirementAttribute);
+            Organization = currentContext.GetOrganization(OrganizationId.Value);
+        }
+    }
+}
+
+public class ManageUsersRequirementAttribute : OrganizationRequirementAttribute;
+
+public class AdminConsoleRequirementsHandler(ICurrentContext currentContext, IHttpContextAccessor httpContextAccessor)
+    : OrganizationRequirementHandler(currentContext, httpContextAccessor)
+{
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        OrganizationRequirementAttribute requirement)
+    {
+        var authorized = requirement switch
+        {
+            ManageUsersRequirementAttribute => Organization is
+            { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
+            { Permissions.ManageUsers: true },
+            _ => false
+        };
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
        }

        return Task.CompletedTask;