mirror of
https://github.com/bitwarden/server.git
synced 2025-06-30 15:42:48 -05:00
[AC-2170] Group modal - limit admin access - collections tab (#3998)
* Update GroupsController POST and PUT to respect collection management settings
This commit is contained in:
Thomas Rittson
@ -2,6 +2,7 @@
|
||||
using Bit.Api.AdminConsole.Models.Response;
|
||||
using Bit.Api.Models.Response;
|
||||
using Bit.Api.Utilities;
|
||||
using Bit.Api.Vault.AuthorizationHandlers.Collections;
|
||||
using Bit.Api.Vault.AuthorizationHandlers.Groups;
|
||||
using Bit.Core;
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
|
||||
@ -32,6 +33,7 @@ public class GroupsController : Controller
|
||||
private readonly IUserService _userService;
|
||||
private readonly IFeatureService _featureService;
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
private readonly ICollectionRepository _collectionRepository;
|
||||
|
||||
public GroupsController(
|
||||
IGroupRepository groupRepository,
|
||||
@ -45,7 +47,8 @@ public class GroupsController : Controller
|
||||
IApplicationCacheService applicationCacheService,
|
||||
IUserService userService,
|
||||
IFeatureService featureService,
|
||||
IOrganizationUserRepository organizationUserRepository)
|
||||
IOrganizationUserRepository organizationUserRepository,
|
||||
ICollectionRepository collectionRepository)
|
||||
{
|
||||
_groupRepository = groupRepository;
|
||||
_groupService = groupService;
|
||||
@ -59,6 +62,7 @@ public class GroupsController : Controller
|
||||
_userService = userService;
|
||||
_featureService = featureService;
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
_collectionRepository = collectionRepository;
|
||||
}
|
||||
|
||||
[HttpGet("{id}")]
|
||||
@ -125,16 +129,28 @@ public class GroupsController : Controller
|
||||
}
|
||||
|
||||
[HttpPost("")]
|
||||
public async Task<GroupResponseModel> Post(string orgId, [FromBody] GroupRequestModel model)
|
||||
public async Task<GroupResponseModel> Post(Guid orgId, [FromBody] GroupRequestModel model)
|
||||
{
|
||||
var orgIdGuid = new Guid(orgId);
|
||||
if (!await _currentContext.ManageGroups(orgIdGuid))
|
||||
if (!await _currentContext.ManageGroups(orgId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
|
||||
var group = model.ToGroup(orgIdGuid);
|
||||
// Flexible Collections - check the user has permission to grant access to the collections for the new group
|
||||
if (await FlexibleCollectionsIsEnabledAsync(orgId) && _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1))
|
||||
{
|
||||
var collections = await _collectionRepository.GetManyByManyIdsAsync(model.Collections.Select(a => a.Id));
|
||||
var authorized =
|
||||
(await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.ModifyGroupAccess))
|
||||
.Succeeded;
|
||||
if (!authorized)
|
||||
{
|
||||
throw new NotFoundException("You are not authorized to grant access to these collections.");
|
||||
}
|
||||
}
|
||||
|
||||
var organization = await _organizationRepository.GetByIdAsync(orgId);
|
||||
var group = model.ToGroup(orgId);
|
||||
await _createGroupCommand.CreateGroupAsync(group, organization, model.Collections?.Select(c => c.ToSelectionReadOnly()).ToList(), model.Users);
|
||||
|
||||
return new GroupResponseModel(group);
|
||||
@ -144,16 +160,40 @@ public class GroupsController : Controller
|
||||
[HttpPost("{id}")]
|
||||
public async Task<GroupResponseModel> Put(Guid orgId, Guid id, [FromBody] GroupRequestModel model)
|
||||
{
|
||||
if (await FlexibleCollectionsIsEnabledAsync(orgId) && _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1))
|
||||
{
|
||||
// Use new Flexible Collections v1 logic
|
||||
return await Put_vNext(orgId, id, model);
|
||||
}
|
||||
|
||||
// Pre-Flexible Collections v1 logic follows
|
||||
var group = await _groupRepository.GetByIdAsync(id);
|
||||
if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
// Flexible Collections v1 - a user may not be able to add themselves to a group
|
||||
var organization = await _organizationRepository.GetByIdAsync(orgId);
|
||||
|
||||
await _updateGroupCommand.UpdateGroupAsync(model.ToGroup(group), organization,
|
||||
model.Collections.Select(c => c.ToSelectionReadOnly()).ToList(), model.Users);
|
||||
return new GroupResponseModel(group);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Put logic for Flexible Collections v1
|
||||
/// </summary>
|
||||
private async Task<GroupResponseModel> Put_vNext(Guid orgId, Guid id, [FromBody] GroupRequestModel model)
|
||||
{
|
||||
var (group, currentAccess) = await _groupRepository.GetByIdWithCollectionsAsync(id);
|
||||
if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
// Check whether the user is permitted to add themselves to the group
|
||||
var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
|
||||
var flexibleCollectionsV1Enabled = _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1);
|
||||
if (flexibleCollectionsV1Enabled && orgAbility.FlexibleCollections && !orgAbility.AllowAdminAccessToAllCollectionItems)
|
||||
if (!orgAbility.AllowAdminAccessToAllCollectionItems)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(orgId, userId);
|
||||
@ -164,9 +204,38 @@ public class GroupsController : Controller
|
||||
}
|
||||
}
|
||||
|
||||
// The client only sends collections that the saving user has permissions to edit.
|
||||
// On the server side, we need to (1) confirm this and (2) concat these with the collections that the user
|
||||
// can't edit before saving to the database.
|
||||
var currentCollections = await _collectionRepository
|
||||
.GetManyByManyIdsAsync(currentAccess.Select(cas => cas.Id));
|
||||
|
||||
var readonlyCollectionIds = new HashSet<Guid>();
|
||||
foreach (var collection in currentCollections)
|
||||
{
|
||||
if (!(await _authorizationService.AuthorizeAsync(User, collection, BulkCollectionOperations.ModifyGroupAccess))
|
||||
.Succeeded)
|
||||
{
|
||||
readonlyCollectionIds.Add(collection.Id);
|
||||
}
|
||||
}
|
||||
|
||||
if (model.Collections.Any(c => readonlyCollectionIds.Contains(c.Id)))
|
||||
{
|
||||
throw new BadRequestException("You must have Can Manage permissions to edit a collection's membership");
|
||||
}
|
||||
|
||||
var editedCollectionAccess = model.Collections
|
||||
.Select(c => c.ToSelectionReadOnly());
|
||||
var readonlyCollectionAccess = currentAccess
|
||||
.Where(ca => readonlyCollectionIds.Contains(ca.Id));
|
||||
var collectionsToSave = editedCollectionAccess
|
||||
.Concat(readonlyCollectionAccess)
|
||||
.ToList();
|
||||
|
||||
var organization = await _organizationRepository.GetByIdAsync(orgId);
|
||||
|
||||
await _updateGroupCommand.UpdateGroupAsync(model.ToGroup(group), organization, model.Collections?.Select(c => c.ToSelectionReadOnly()).ToList(), model.Users);
|
||||
await _updateGroupCommand.UpdateGroupAsync(model.ToGroup(group), organization, collectionsToSave, model.Users);
|
||||
return new GroupResponseModel(group);
|
||||
}
|
||||
|
||||
|
||||
@ -85,7 +85,8 @@ public class CollectionAuthorizationHandler : AuthorizationHandler<CollectionOpe
|
||||
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
|
||||
{ Permissions.EditAnyCollection: true } or
|
||||
{ Permissions.DeleteAnyCollection: true } or
|
||||
{ Permissions.ManageUsers: true })
|
||||
{ Permissions.ManageUsers: true } or
|
||||
{ Permissions.ManageGroups: true })
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
return;
|
||||
|
||||
Reference in New Issue
Block a user