[AC-1748] Removed GroupAuthorizationHandler

src/Api/Controllers/GroupsController.cs

@@ -1,6 +1,5 @@
 using Bit.Api.Models.Request;
 using Bit.Api.Models.Response;
-using Bit.Api.Vault.AuthorizationHandlers.Groups;
 using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@@ -26,7 +25,6 @@ public class GroupsController : Controller
     private readonly ICreateGroupCommand _createGroupCommand;
     private readonly IUpdateGroupCommand _updateGroupCommand;
     private readonly IFeatureService _featureService;
-    private readonly IAuthorizationService _authorizationService;
 
     private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
 
@@ -49,7 +47,6 @@ public class GroupsController : Controller
         _updateGroupCommand = updateGroupCommand;
         _deleteGroupCommand = deleteGroupCommand;
         _featureService = featureService;
-        _authorizationService = authorizationService;
     }
 
     [HttpGet("{id}")]
@@ -84,11 +81,6 @@ public class GroupsController : Controller
         if (FlexibleCollectionsIsEnabled)
         {
             groups = await _groupRepository.GetManyWithCollectionsByOrganizationIdAsync(orgId);
-            var authorized = (await _authorizationService.AuthorizeAsync(User, groups.Select(g => g.Item1), GroupOperations.Read)).Succeeded;
-            if (!authorized)
-            {
-                throw new NotFoundException();
-            }
         }
         else
         {

src/Api/Utilities/ServiceCollectionExtensions.cs

@@ -1,5 +1,4 @@
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
-using Bit.Api.Vault.AuthorizationHandlers.Groups;
 using Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
 using Bit.Core.IdentityServer;
 using Bit.Core.Settings;
@@ -123,7 +122,6 @@ public static class ServiceCollectionExtensions
     public static void AddAuthorizationHandlers(this IServiceCollection services)
     {
         services.AddScoped<IAuthorizationHandler, CollectionAuthorizationHandler>();
-        services.AddScoped<IAuthorizationHandler, GroupAuthorizationHandler>();
         services.AddScoped<IAuthorizationHandler, OrganizationUserAuthorizationHandler>();
     }
 }

src/Api/Vault/AuthorizationHandlers/Groups/GroupAuthorizationHandler.cs

@@ -1,97 +0,0 @@
-using Bit.Core;
-using Bit.Core.Context;
-using Bit.Core.Entities;
-using Bit.Core.Enums;
-using Bit.Core.Exceptions;
-using Bit.Core.Services;
-using Bit.Core.Utilities;
-using Microsoft.AspNetCore.Authorization;
-
-namespace Bit.Api.Vault.AuthorizationHandlers.Groups;
-
-/// <summary>
-/// Handles authorization logic for Group objects.
-/// This uses new logic implemented in the Flexible Collections initiative.
-/// </summary>
-public class GroupAuthorizationHandler : BulkAuthorizationHandler<GroupOperationRequirement, Group>
-{
-    private readonly ICurrentContext _currentContext;
-    private readonly IFeatureService _featureService;
-
-    public GroupAuthorizationHandler(
-        ICurrentContext currentContext,
-        IFeatureService featureService)
-    {
-        _currentContext = currentContext;
-        _featureService = featureService;
-    }
-
-    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
-        GroupOperationRequirement requirement, ICollection<Group> resources)
-    {
-        if (!_featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext))
-        {
-            // Flexible collections is OFF, should not be using this handler
-            throw new FeatureUnavailableException("Flexible collections is OFF when it should be ON.");
-        }
-
-        // Establish pattern of authorization handler null checking passed resources
-        if (resources == null)
-        {
-            context.Fail();
-            return;
-        }
-
-        if (!resources.Any())
-        {
-            context.Succeed(requirement);
-            return;
-        }
-
-        if (!_currentContext.UserId.HasValue)
-        {
-            context.Fail();
-            return;
-        }
-
-        var targetOrganizationId = resources.First().OrganizationId;
-
-        // Ensure all target collections belong to the same organization
-        if (resources.Any(tc => tc.OrganizationId != targetOrganizationId))
-        {
-            throw new BadRequestException("Requested groups must belong to the same organization.");
-        }
-
-        // Acting user is not a member of the target organization, fail
-        var org = _currentContext.GetOrganization(targetOrganizationId);
-        if (org == null)
-        {
-            context.Fail();
-            return;
-        }
-
-        switch (requirement)
-        {
-            case not null when requirement == GroupOperations.Read:
-                await CanReadAsync(context, requirement, org);
-                break;
-        }
-    }
-
-    private async Task CanReadAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement,
-        CurrentContextOrganization org)
-    {
-        if (org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin ||
-            org.Permissions.ManageGroups ||
-            org.Permissions.ManageUsers ||
-            org.Permissions.EditAnyCollection ||
-            org.Permissions.DeleteAnyCollection ||
-            await _currentContext.ProviderUserForOrgAsync(org.Id))
-        {
-            context.Succeed(requirement);
-            return;
-        }
-
-        context.Fail();
-    }
-}

src/Api/Vault/AuthorizationHandlers/Groups/GroupOperations.cs

@@ -1,10 +0,0 @@
-using Microsoft.AspNetCore.Authorization.Infrastructure;
-
-namespace Bit.Api.Vault.AuthorizationHandlers.Groups;
-
-public class GroupOperationRequirement : OperationAuthorizationRequirement { }
-
-public static class GroupOperations
-{
-    public static readonly GroupOperationRequirement Read = new() { Name = nameof(Read) };
-}