[AC-1784] Lining up new Manage collection permissions for users with deprecated EditAssignedCollections permission (#3406)

* [AC-1784] Setting up collections with permission 'Manage = true' if flexible collections feature flag is off and user has EditAssignedCollections

* [AC-1784] Added unit tests

* [AC-1784] Deleted duplicated variable

src/Core/Services/Implementations/CollectionService.cs

@@ -53,21 +53,36 @@ public class CollectionService : ICollectionService
         }
 
         var groupsList = groups?.ToList();
-        var usersList = users?.ToList();
+        var usersList = users?.ToList() ?? new List<CollectionAccessSelection>();
 
         // If using Flexible Collections - a collection should always have someone with Can Manage permissions
         if (_featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext))
         {
             var groupHasManageAccess = groupsList?.Any(g => g.Manage) ?? false;
-            var userHasManageAccess = usersList?.Any(u => u.Manage) ?? false;
+            var userHasManageAccess = usersList.Any(u => u.Manage);
             if (!groupHasManageAccess && !userHasManageAccess)
             {
                 throw new BadRequestException(
                     "At least one member or group must have can manage permission.");
             }
         }
+        else
+        {
+            // If not using Flexible Collections
+            // all Organization users with EditAssignedCollections permission should have Manage permission for the collection
+            var organizationUsers = await _organizationUserRepository
+                .GetManyByOrganizationAsync(collection.OrganizationId, null);
+            foreach (var orgUser in organizationUsers.Where(ou => ou.GetPermissions()?.EditAssignedCollections ?? false))
+            {
+                var user = usersList.FirstOrDefault(u => u.Id == orgUser.Id);
+                if (user != null)
+                {
+                    user.Manage = true;
+                }
+            }
+        }
 
-        if (collection.Id == default(Guid))
+        if (collection.Id == default)
         {
             if (org.MaxCollections.HasValue)
             {

src/Core/Services/Implementations/OrganizationService.cs

@@ -64,6 +64,9 @@ public class OrganizationService : IOrganizationService
     private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
     private readonly IFeatureService _featureService;
 
+    private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
+    private bool FlexibleCollectionsV1IsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1, _currentContext);
+
     public OrganizationService(
         IOrganizationRepository organizationRepository,
         IOrganizationUserRepository organizationUserRepository,
@@ -437,11 +440,6 @@ public class OrganizationService : IOrganizationService
             await ValidateSignUpPoliciesAsync(signup.Owner.Id);
         }
 
-        var flexibleCollectionsIsEnabled =
-            _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
-        var flexibleCollectionsV1IsEnabled =
-            _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1, _currentContext);
-
         var organization = new Organization
         {
             // Pre-generate the org id so that we can save it with the Stripe subscription..
@@ -479,8 +477,8 @@ public class OrganizationService : IOrganizationService
             Status = OrganizationStatusType.Created,
             UsePasswordManager = true,
             UseSecretsManager = signup.UseSecretsManager,
-            LimitCollectionCreationDeletion = !flexibleCollectionsIsEnabled,
-            AllowAdminAccessToAllCollectionItems = !flexibleCollectionsV1IsEnabled
+            LimitCollectionCreationDeletion = !FlexibleCollectionsIsEnabled,
+            AllowAdminAccessToAllCollectionItems = !FlexibleCollectionsV1IsEnabled
         };
 
         if (signup.UseSecretsManager)
@@ -937,6 +935,10 @@ public class OrganizationService : IOrganizationService
                         orgUser.Permissions = JsonSerializer.Serialize(invite.Permissions, JsonHelpers.CamelCase);
                     }
 
+                    // If Flexible Collections is disabled and the user has EditAssignedCollections permission
+                    // grant Manage permission for all assigned collections
+                    invite.Collections = ApplyManageCollectionPermissions(orgUser, invite.Collections);
+
                     if (!orgUser.AccessAll && invite.Collections.Any())
                     {
                         limitedCollectionOrgUsers.Add((orgUser, invite.Collections));
@@ -1323,11 +1325,9 @@ public class OrganizationService : IOrganizationService
             }
         }
 
-        if (user.AccessAll)
-        {
-            // We don't need any collections if we're flagged to have all access.
-            collections = new List<CollectionAccessSelection>();
-        }
+        // If Flexible Collections is disabled and the user has EditAssignedCollections permission
+        // grant Manage permission for all assigned collections
+        collections = ApplyManageCollectionPermissions(user, collections);
         await _organizationUserRepository.ReplaceAsync(user, collections);
 
         if (groups != null)
@@ -2440,4 +2440,18 @@ public class OrganizationService : IOrganizationService
             await _collectionRepository.CreateAsync(defaultCollection);
         }
     }
+
+    private IEnumerable<CollectionAccessSelection> ApplyManageCollectionPermissions(OrganizationUser orgUser, IEnumerable<CollectionAccessSelection> collections)
+    {
+        if (!FlexibleCollectionsIsEnabled && (orgUser.GetPermissions()?.EditAssignedCollections ?? false))
+        {
+            return collections.Select(c =>
+            {
+                c.Manage = true;
+                return c;
+            }).ToList();
+        }
+
+        return collections;
+    }
 }