From dadf29f2c85ec023e60b7eb49767a9cdc9aa2535 Mon Sep 17 00:00:00 2001
From: Rui Tome
Date: Fri, 20 Oct 2023 15:17:39 +0100
Subject: [PATCH] [AC-1139] Modified CollectionsController.Get to check access before getting collections
---
 src/Api/Controllers/CollectionsController.cs | 9 ++++++---
 .../Collections/CollectionOperations.cs | 19 ++++++++++++++++---
 2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/src/Api/Controllers/CollectionsController.cs b/src/Api/Controllers/CollectionsController.cs
index 631c08a0cd..d5f4d22d44 100644
--- a/src/Api/Controllers/CollectionsController.cs
+++ b/src/Api/Controllers/CollectionsController.cs
@@ -136,9 +136,12 @@ public class CollectionsController : Controller
 if (FlexibleCollectionsIsEnabled)
 {
- orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId);
- var readAllAuthorized = (await _authorizationService.AuthorizeAsync(User, orgCollections, CollectionOperations.ReadAll)).Succeeded;
- if (!readAllAuthorized)
+ var readAll = (await _authorizationService.AuthorizeAsync(User, null, CollectionOperations.ReadAll(orgId))).Succeeded;
+ if (readAll)
+ {
+ orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId);
+ }
+ else
 {
 var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
 orgCollections = collections.Where(c => c.OrganizationId == orgId);
diff --git a/src/Api/Vault/AuthorizationHandlers/Collections/CollectionOperations.cs b/src/Api/Vault/AuthorizationHandlers/Collections/CollectionOperations.cs
index bb9c4fd9a8..c73ed0c1bd 100644
--- a/src/Api/Vault/AuthorizationHandlers/Collections/CollectionOperations.cs
+++ b/src/Api/Vault/AuthorizationHandlers/Collections/CollectionOperations.cs
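Review bot: The `AuthorizeAsync(User, null, CollectionOperations.ReadAll(orgId))` call on the first added line passes a null resource, so the ReadAll handler can no longer scope its decision by inspecting the collections it used to receive and has to take the organization from `requirement.OrganizationId`; that handler is not part of this patch, so confirm it has been updated to read the new property and fails closed when the resource is null, otherwise the check could succeed without being tied to `orgId` at all. The rest of the branch looks sound: the organization-wide fetch now happens only after a successful ReadAll decision, and the user-scoped fallback still filters on `orgId`. `readAll` reads like a collection rather than a decision; `var canReadAll = (await _authorizationService.AuthorizeAsync(User, null, CollectionOperations.ReadAll(orgId))).Succeeded;` followed by `if (canReadAll)` would make the intent clearer at a glance. The enclosing Get action starts and ends outside the hunk.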
@@ -2,13 +2,26 @@ namespace Bit.Api.Vault.AuthorizationHandlers.Collections;
-public class CollectionOperationRequirement : OperationAuthorizationRequirement { }
+public class CollectionOperationRequirement : OperationAuthorizationRequirement
+{
+ public Guid OrganizationId { get; set; }
+
+ public CollectionOperationRequirement() { }
+
+ public CollectionOperationRequirement(string name, Guid organizationId)
+ {
+ Name = name;
+ OrganizationId = organizationId;
+ }
+}
 public static class CollectionOperations
 {
 public static readonly CollectionOperationRequirement Create = new() { Name = nameof(Create) };
- public static readonly CollectionOperationRequirement ReadAll = new() { Name = nameof(ReadAll) };
- public static readonly CollectionOperationRequirement Update = new() { Name = nameof(Update) };
+ public static CollectionOperationRequirement ReadAll(Guid organizationId)
+ {
+ return new CollectionOperationRequirement(nameof(ReadAll), organizationId);
+ }
 public static readonly CollectionOperationRequirement Delete = new() { Name = nameof(Delete) };
 ///
 /// The operation that represents creating, updating, or removing collection access.