bitwarden/server
1
0
Fork 0
mirror of https://github.com/bitwarden/server synced 2025-12-11 05:43:35 +00:00
Code Issues Releases Wiki Activity

[AC-2538] Limit admin access - fix ManageUsers custom permission (#4032)

Browse Source 
* Fix issue where ManageUsers custom permission could not
  grant access to collections
* Split ModifyAccess operation to ModifyUserAccess and
  ModifyGroupAccess to reflect more granular operations
This commit is contained in:
Thomas Rittson
2024-05-01 10:06:24 +10:00
committed by GitHub
parent 3749fa6113
commit 5012d56e5a
7 changed files with 193 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
test/Api.Test/Controllers/CollectionsControllerTests.cs
View File

@@ -345,7 +345,9 @@ public class CollectionsControllerTests
sutProvider.GetDependency<IAuthorizationService>().AuthorizeAsync(
Arg.Any<ClaimsPrincipal>(), ExpectedCollectionAccess(),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(
r => r.Contains(BulkCollectionOperations.ModifyAccess)
reqs => reqs.All(r =>
r == BulkCollectionOperations.ModifyUserAccess ||
r == BulkCollectionOperations.ModifyGroupAccess)
))
.Returns(AuthorizationResult.Success());
@@ -359,8 +361,9 @@ public class CollectionsControllerTests
Arg.Any<ClaimsPrincipal>(),
ExpectedCollectionAccess(),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(
r => r.Contains(BulkCollectionOperations.ModifyAccess))
);
reqs => reqs.All(r =>
r == BulkCollectionOperations.ModifyUserAccess ||
r == BulkCollectionOperations.ModifyGroupAccess)));
await sutProvider.GetDependency<IBulkAddCollectionAccessCommand>().Received()
.AddAccessAsync(
Arg.Is<ICollection<Collection>>(g => g.SequenceEqual(collections)),
@@ -500,7 +503,9 @@ public class CollectionsControllerTests
sutProvider.GetDependency<IAuthorizationService>().AuthorizeAsync(
Arg.Any<ClaimsPrincipal>(), ExpectedCollectionAccess(),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(
r => r.Contains(BulkCollectionOperations.ModifyAccess)
reqs => reqs.All(r =>
r == BulkCollectionOperations.ModifyUserAccess ||
r == BulkCollectionOperations.ModifyGroupAccess)
))
.Returns(AuthorizationResult.Failed());
@@ -511,7 +516,9 @@ public class CollectionsControllerTests
Arg.Any<ClaimsPrincipal>(),
ExpectedCollectionAccess(),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(
r => r.Contains(BulkCollectionOperations.ModifyAccess))
reqs => reqs.All(r =>
r == BulkCollectionOperations.ModifyUserAccess ||
r == BulkCollectionOperations.ModifyGroupAccess))
);
await sutProvider.GetDependency<IBulkAddCollectionAccessCommand>().DidNotReceiveWithAnyArgs()
.AddAccessAsync(default, default, default);