Merge branch 'master' into feature/sm-billing

2026-01-10 04:23:31 +00:00 · 2023-07-12 10:22:08 +10:00
parent 0ec3020ecc b629c31de9
commit 38ff56917b
12 changed files with 270 additions and 214 deletions
--- a/src/Api/SecretsManager/Controllers/ProjectsController.cs
+++ b/src/Api/SecretsManager/Controllers/ProjectsController.cs
@@ -6,6 +6,7 @@ using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.SecretsManager.AuthorizationRequirements;
 using Bit.Core.SecretsManager.Commands.Projects.Interfaces;
+using Bit.Core.SecretsManager.Entities;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
@@ -127,11 +128,44 @@ public class ProjectsController : Controller
    }

    [HttpPost("projects/delete")]
-    public async Task<ListResponseModel<BulkDeleteResponseModel>> BulkDeleteAsync([FromBody] List<Guid> ids)
+    public async Task<ListResponseModel<BulkDeleteResponseModel>> BulkDeleteAsync(
+        [FromBody] List<Guid> ids)
    {
-        var userId = _userService.GetProperUserId(User).Value;
-        var results = await _deleteProjectCommand.DeleteProjects(ids, userId);
-        var responses = results.Select(r => new BulkDeleteResponseModel(r.Item1.Id, r.Item2));
+        var projects = (await _projectRepository.GetManyWithSecretsByIds(ids)).ToList();
+        if (!projects.Any() || projects.Count != ids.Count)
+        {
+            throw new NotFoundException();
+        }
+
+        // Ensure all projects belongs to the same organization
+        var organizationId = projects.First().OrganizationId;
+        if (projects.Any(p => p.OrganizationId != organizationId) ||
+            !_currentContext.AccessSecretsManager(organizationId))
+        {
+            throw new NotFoundException();
+        }
+
+        var projectsToDelete = new List<Project>();
+        var results = new List<(Project Project, string Error)>();
+
+        foreach (var project in projects)
+        {
+            var authorizationResult =
+                await _authorizationService.AuthorizeAsync(User, project, ProjectOperations.Delete);
+            if (authorizationResult.Succeeded)
+            {
+                projectsToDelete.Add(project);
+                results.Add((project, ""));
+            }
+            else
+            {
+                results.Add((project, "access denied"));
+            }
+        }
+
+        await _deleteProjectCommand.DeleteProjects(projectsToDelete);
+
+        var responses = results.Select(r => new BulkDeleteResponseModel(r.Project.Id, r.Error));
        return new ListResponseModel<BulkDeleteResponseModel>(responses);
    }
 }
--- a/src/Core/SecretsManager/AuthorizationRequirements/ProjectOperationRequirement.cs
+++ b/src/Core/SecretsManager/AuthorizationRequirements/ProjectOperationRequirement.cs
@@ -10,4 +10,5 @@ public static class ProjectOperations
 {
    public static readonly ProjectOperationRequirement Create = new() { Name = nameof(Create) };
    public static readonly ProjectOperationRequirement Update = new() { Name = nameof(Update) };
+    public static readonly ProjectOperationRequirement Delete = new() { Name = nameof(Delete) };
 }
--- a/src/Core/SecretsManager/Commands/Projects/Interfaces/IDeleteProjectCommand.cs
+++ b/src/Core/SecretsManager/Commands/Projects/Interfaces/IDeleteProjectCommand.cs
@@ -4,6 +4,6 @@ namespace Bit.Core.SecretsManager.Commands.Projects.Interfaces;

 public interface IDeleteProjectCommand
 {
-    Task<List<Tuple<Project, string>>> DeleteProjects(List<Guid> ids, Guid userId);
+    Task DeleteProjects(IEnumerable<Project> projects);
 }