
Add validation in UpdateGroupCommand to prevent modification of DefaultUserCollection type

* Implemented a check to throw a BadRequestException if an attempt is made to modify group access for collections of type DefaultUserCollection.
* Added a unit test to ensure the exception is thrown with the correct message when this condition is met.
This commit is contained in:
Rui Tome 2025-06-13 14:51:15 +01:00
parent 947ba9ec8f
commit e76763fcb2
No known key found for this signature in database
GPG Key ID: 526239D96A8EC066
2 changed files with 23 additions and 0 deletions


@ -163,6 +163,11 @@ public class UpdateGroupCommand : IUpdateGroupCommand
// Use generic error message to avoid enumeration
throw new NotFoundException();
}
if (collections.Any(c => c.Type == CollectionType.DefaultUserCollection))
{
throw new BadRequestException("You cannot modify group access for collections with the type as DefaultUserCollection.");
}
}
private async Task ValidateMemberAccessAsync(Group originalGroup,
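Review bot: The message on the new `throw new BadRequestException(...)` reads awkwardly ("with the type as DefaultUserCollection") and is matched verbatim by the test in the other file, so it is worth settling the wording now, e.g. `"You cannot modify group access for collections of type DefaultUserCollection."`, updating the test's `Assert.Contains` in the same commit. The check itself is sound from an exposure standpoint: it reports only the type and, like the `NotFoundException` branch just above it, discloses nothing about which collection ids exist. A one-line why-comment in the style of the existing `// Use generic error message to avoid enumeration` would help the next reader, e.g. `// Group access must never be granted on a DefaultUserCollection; reject the whole request rather than silently skipping those collections`. The enclosing validation method starts outside the hunk, so the origin of `collections` (presumably the repository lookup by the requested ids) is not visible here.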


@ -156,6 +156,24 @@ public class UpdateGroupCommandTests
() => sutProvider.Sut.UpdateGroupAsync(group, organization, collectionAccess));
}
[Theory, OrganizationCustomize(UseGroups = true), BitAutoData]
public async Task UpdateGroup_WithDefaultUserCollectionType_Throws(SutProvider<UpdateGroupCommand> sutProvider,
Group group, Group oldGroup, Organization organization, List<CollectionAccessSelection> collectionAccess)
{
ArrangeGroup(sutProvider, group, oldGroup);
ArrangeUsers(sutProvider, group);
// Return collections with DefaultUserCollection type
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
.Select(guid => new Collection { Id = guid, OrganizationId = group.OrganizationId, Type = CollectionType.DefaultUserCollection }).ToList());
var exception = await Assert.ThrowsAsync<BadRequestException>(
() => sutProvider.Sut.UpdateGroupAsync(group, organization, collectionAccess));
Assert.Contains("You cannot modify group access for collections with the type as DefaultUserCollection.", exception.Message);
}
[Theory, OrganizationCustomize(UseGroups = true), BitAutoData]
public async Task UpdateGroup_MemberBelongsToDifferentOrganization_Throws(SutProvider<UpdateGroupCommand> sutProvider,
Group group, Group oldGroup, Organization organization, IEnumerable<Guid> userAccess)
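Review bot: `UpdateGroup_WithDefaultUserCollectionType_Throws` asserts only that the exception is thrown and that its message contains the expected text; it does not assert that nothing was persisted before the throw. Since the rejection is meant to prevent a modification, the test should also verify the group repository dependency received no write call, e.g. an NSubstitute `DidNotReceiveWithAnyArgs()` check on the update/replace method used by the command (that dependency's name is not visible in this hunk). The arrangement at the `.Returns(callInfo => ...)` line makes every requested id resolve to a DefaultUserCollection; a companion case where only one of several collections has that type would confirm the `Any` semantics of the production check rather than the all-of case alone.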