[EC-850] ProviderUser permissions should prevail over member permissions (#5162)

* Apply provider permissions even if also member

* Add org.isMember

* Refactor: extract syncProfileOrganizations method

* Change isNotProvider logic to isMember

* Fix cascading org permissions

* Add memberOrganizations$ observable

libs/common/src/admin-console/models/data/organization.data.ts

@@ -38,6 +38,7 @@ export class OrganizationData {
   providerName: string;
   providerType?: ProviderType;
   isProviderUser: boolean;
+  isMember: boolean;
   familySponsorshipFriendlyName: string;
   familySponsorshipAvailable: boolean;
   planProductType: ProductType;
@@ -48,7 +49,13 @@ export class OrganizationData {
   familySponsorshipToDelete?: boolean;
   accessSecretsManager: boolean;
 
-  constructor(response: ProfileOrganizationResponse) {
+  constructor(
+    response: ProfileOrganizationResponse,
+    options: {
+      isMember: boolean;
+      isProviderUser: boolean;
+    }
+  ) {
     this.id = response.id;
     this.name = response.name;
     this.status = response.status;
@@ -91,5 +98,8 @@ export class OrganizationData {
     this.familySponsorshipValidUntil = response.familySponsorshipValidUntil;
     this.familySponsorshipToDelete = response.familySponsorshipToDelete;
     this.accessSecretsManager = response.accessSecretsManager;
+
+    this.isMember = options.isMember;
+    this.isProviderUser = options.isProviderUser;
   }
 }

libs/common/src/admin-console/models/domain/organization.ts

@@ -9,7 +9,14 @@ export class Organization {
   id: string;
   name: string;
   status: OrganizationUserStatusType;
+
+  /**
+   * The member's role in the organization.
+   * Avoid using this for permission checks - use the getters instead (e.g. isOwner, isAdmin, canManageX), because they
+   * properly handle permission inheritance and relationships.
+   */
   type: OrganizationUserType;
+
   enabled: boolean;
   usePolicies: boolean;
   useGroups: boolean;
@@ -39,7 +46,14 @@ export class Organization {
   providerId: string;
   providerName: string;
   providerType?: ProviderType;
+  /**
+   * Indicates that a user is a ProviderUser for the organization
+   */
   isProviderUser: boolean;
+  /**
+   * Indicates that a user is a member for the organization (may be `false` if they have access via a Provider only)
+   */
+  isMember: boolean;
   familySponsorshipFriendlyName: string;
   familySponsorshipAvailable: boolean;
   planProductType: ProductType;
@@ -89,6 +103,7 @@ export class Organization {
     this.providerName = obj.providerName;
     this.providerType = obj.providerType;
     this.isProviderUser = obj.isProviderUser;
+    this.isMember = obj.isMember;
     this.familySponsorshipFriendlyName = obj.familySponsorshipFriendlyName;
     this.familySponsorshipAvailable = obj.familySponsorshipAvailable;
     this.planProductType = obj.planProductType;
@@ -101,24 +116,29 @@ export class Organization {
   }
 
   get canAccess() {
-    if (this.type === OrganizationUserType.Owner) {
+    if (this.isOwner) {
       return true;
     }
     return this.enabled && this.status === OrganizationUserStatusType.Confirmed;
   }
 
+  /**
+   * Whether a user has Manager permissions or greater
+   */
   get isManager() {
-    return (
-      this.type === OrganizationUserType.Manager ||
-      this.type === OrganizationUserType.Owner ||
-      this.type === OrganizationUserType.Admin
-    );
+    return this.type === OrganizationUserType.Manager || this.isAdmin;
   }
 
+  /**
+   * Whether a user has Admin permissions or greater
+   */
   get isAdmin() {
-    return this.type === OrganizationUserType.Owner || this.type === OrganizationUserType.Admin;
+    return this.type === OrganizationUserType.Admin || this.isOwner;
   }
 
+  /**
+   * Whether a user has Owner permissions (including ProviderUsers)
+   */
   get isOwner() {
     return this.type === OrganizationUserType.Owner || this.isProviderUser;
   }