[AC-1139] Rewrote GroupAuthorizationHandler to be similar to other AuthHandlers; Revisited unit tests

2025-12-25 12:43:14 +00:00 · 2023-11-24 11:17:47 +00:00
parent 21887c3fd3
commit 0b24fe1a9b
2 changed files with 33 additions and 28 deletions
--- a/src/Api/Vault/AuthorizationHandlers/Groups/GroupAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/Groups/GroupAuthorizationHandler.cs
@@ -1,4 +1,5 @@
-using Bit.Core;
+#nullable enable
+using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -58,29 +59,27 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
    }

    private async Task CanReadAllAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement,
-        CurrentContextOrganization org)
+        CurrentContextOrganization? org)
    {
-        if (org != null)
+        // If the limit collection management setting is disabled, allow any user to read all groups
+        // Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups
+        if (org is
+        { LimitCollectionCreationDeletion: false } or
+        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
+        { Permissions.ManageGroups: true } or
+        { Permissions.ManageUsers: true } or
+        { Permissions.EditAnyCollection: true } or
+        { Permissions.DeleteAnyCollection: true } or
+        { Permissions.CreateNewCollections: true })
        {
-            // Acting user is a member of the target organization, check permissions
-            if (org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin ||
-                org.Permissions.ManageGroups ||
-                org.Permissions.ManageUsers ||
-                org.Permissions.EditAnyCollection ||
-                org.Permissions.DeleteAnyCollection ||
-                org.Permissions.CreateNewCollections ||
-                !org.LimitCollectionCreationDeletion)
-            {
-                context.Succeed(requirement);
-            }
+            context.Succeed(requirement);
+            return;
        }
-        else
+
+        // Allow provider users to read all groups if they are a provider for the target organization
+        if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
        {
-            // Check if acting user is a provider user for the target organization
-            if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
-            {
-                context.Succeed(requirement);
-            }
+            context.Succeed(requirement);
        }
    }
 }