[AC-1139] Modified CollectionsController.Get to check access before getting collections

src/Api/Controllers/CollectionsController.cs

@@ -136,9 +136,12 @@ public class CollectionsController : Controller
 
         if (FlexibleCollectionsIsEnabled)
         {
-            orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId);
+            var readAll = (await _authorizationService.AuthorizeAsync(User, null, CollectionOperations.ReadAll(orgId))).Succeeded;
-            var readAllAuthorized = (await _authorizationService.AuthorizeAsync(User, orgCollections, CollectionOperations.ReadAll)).Succeeded;
+            if (readAll)
-            if (!readAllAuthorized)
+            {
+                orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId);
+            }
+            else
             {
                 var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
                 orgCollections = collections.Where(c => c.OrganizationId == orgId);

src/Api/Vault/AuthorizationHandlers/Collections/CollectionOperations.cs

@@ -2,13 +2,26 @@
 
 namespace Bit.Api.Vault.AuthorizationHandlers.Collections;
 
-public class CollectionOperationRequirement : OperationAuthorizationRequirement { }
+public class CollectionOperationRequirement : OperationAuthorizationRequirement
+{
+    public Guid OrganizationId { get; set; }
+
+    public CollectionOperationRequirement() { }
+
+    public CollectionOperationRequirement(string name, Guid organizationId)
+    {
+        Name = name;
+        OrganizationId = organizationId;
+    }
+}
 
 public static class CollectionOperations
 {
     public static readonly CollectionOperationRequirement Create = new() { Name = nameof(Create) };
-    public static readonly CollectionOperationRequirement ReadAll = new() { Name = nameof(ReadAll) };
+    public static CollectionOperationRequirement ReadAll(Guid organizationId)
-    public static readonly CollectionOperationRequirement Update = new() { Name = nameof(Update) };
+    {
+        return new CollectionOperationRequirement(nameof(ReadAll), organizationId);
+    }
     public static readonly CollectionOperationRequirement Delete = new() { Name = nameof(Delete) };
     /// <summary>
     /// The operation that represents creating, updating, or removing collection access.