From ec9dd8e16bbcc0d05560d06280f395be3bed4230 Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Wed, 20 Apr 2022 17:59:00 +1000
Subject: [PATCH] [EC-160] Give Provider Users access to all org ciphers and collections (#1959)
---
 src/Api/Controllers/CiphersController.cs | 15 +++++++++++++--
 src/Api/Controllers/CollectionsController.cs | 15 +++++++++++++--
 2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/src/Api/Controllers/CiphersController.cs b/src/Api/Controllers/CiphersController.cs
index 74eda1c324..1a6b012c37 100644
--- a/src/Api/Controllers/CiphersController.cs
+++ b/src/Api/Controllers/CiphersController.cs
@@ -224,8 +224,19 @@ namespace Bit.Api.Controllers
 throw new NotFoundException();
 }
 
- var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, true);
- var orgCiphers = ciphers.Where(c => c.OrganizationId == orgIdGuid);
+ IEnumerable orgCiphers;
+ if (await _currentContext.OrganizationOwner(orgIdGuid))
+ {
+ // User may be a Provider for the organization, in which case GetManyByUserIdAsync won't return any results
+ // But they have access to all organization ciphers, so we can safely get by orgId instead
+ orgCiphers = await _cipherRepository.GetManyByOrganizationIdAsync(orgIdGuid);
+ }
+ else
+ {
+ var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, true);
+ orgCiphers = ciphers.Where(c => c.OrganizationId == orgIdGuid);
+ }
+
 var orgCipherIds = orgCiphers.Select(c => c.Id);
 
 var collectionCiphers = await _collectionCipherRepository.GetManyByOrganizationIdAsync(orgIdGuid);
diff --git a/src/Api/Controllers/CollectionsController.cs b/src/Api/Controllers/CollectionsController.cs
index 3322e42262..6b65fc549b 100644
--- a/src/Api/Controllers/CollectionsController.cs
+++ b/src/Api/Controllers/CollectionsController.cs
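Review bot: In the CiphersController.cs hunk, the branch that switches to `GetManyByOrganizationIdAsync` is gated on `_currentContext.OrganizationOwner(orgIdGuid)`, but the comment and the commit title justify it by Provider status. Nothing visible in the hunk shows that `OrganizationOwner` returns true for provider users, or that it returns true only for callers entitled to every cipher in the organization. Because this one call now selects between the user-scoped and the organization-wide query, I would state the contract at the call site, e.g. `// OrganizationOwner is expected to cover org owners and provider users of this org; both may read all org ciphers`, and confirm it against the current-context implementation. The same applies to the CollectionsController.cs hunk. The enclosing method starts and ends outside the hunk, so the check guarding `throw new NotFoundException()` is not visible here.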
@@ -87,8 +87,19 @@ namespace Bit.Api.Controllers
 throw new NotFoundException();
 }
 
- var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
- var orgCollections = collections.Where(c => c.OrganizationId == orgIdGuid);
+ IEnumerable orgCollections;
+ if (await _currentContext.OrganizationOwner(orgIdGuid))
+ {
+ // User may be a Provider for the organization, in which case GetManyByUserIdAsync won't return any results
+ // But they have access to all organization collections, so we can safely get by orgId instead
+ orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgIdGuid);
+ }
+ else
+ {
+ var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
+ orgCollections = collections.Where(c => c.OrganizationId == orgIdGuid);
+ }
+
 var responses = orgCollections.Select(c => new CollectionResponseModel(c));
 return new ListResponseModel(responses);
 }
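Review bot: The new if/else in this hunk widens what the endpoint returns, yet the diffstat lists only the two controller files, so neither branch here nor in CiphersController.cs is covered by a test in this patch. I would add controller tests asserting that a caller for whom `OrganizationOwner(orgIdGuid)` is false still receives only the `GetManyByUserIdAsync` results filtered to `orgIdGuid`, and that `GetManyByOrganizationIdAsync` is not called on that path. The same branch shape is repeated in both controllers, so a shared helper would keep the access decision in one place. The enclosing method starts outside the hunk.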