[AC-2847] Simplify OrganizationUser and Group PUT methods and tests (#4479)

* refactor controller logic * add additional validation checks to update commands * refactor and improve tests
2025-12-21 10:43:44 +00:00 · 2024-07-16 10:47:28 +10:00
parent 7fee588812
commit 5df0e2180d
11 changed files with 1113 additions and 659 deletions
--- a/src/Core/AdminConsole/OrganizationFeatures/Groups/UpdateGroupCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Groups/UpdateGroupCommand.cs
@@ -1,4 +1,6 @@
-using Bit.Core.AdminConsole.Entities;
+#nullable enable
+
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Enums;
@@ -14,48 +16,53 @@ public class UpdateGroupCommand : IUpdateGroupCommand
    private readonly IEventService _eventService;
    private readonly IGroupRepository _groupRepository;
    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly ICollectionRepository _collectionRepository;

    public UpdateGroupCommand(
        IEventService eventService,
        IGroupRepository groupRepository,
-        IOrganizationUserRepository organizationUserRepository)
+        IOrganizationUserRepository organizationUserRepository,
+        ICollectionRepository collectionRepository)
    {
        _eventService = eventService;
        _groupRepository = groupRepository;
        _organizationUserRepository = organizationUserRepository;
+        _collectionRepository = collectionRepository;
    }

    public async Task UpdateGroupAsync(Group group, Organization organization,
-        ICollection<CollectionAccessSelection> collections = null,
-        IEnumerable<Guid> userIds = null)
+        ICollection<CollectionAccessSelection>? collections = null,
+        IEnumerable<Guid>? userIds = null)
    {
-        Validate(organization, group, collections);
-        await GroupRepositoryUpdateGroupAsync(group, collections);
+        await ValidateAsync(organization, group, collections, userIds);
+
+        await SaveGroupWithCollectionsAsync(group, collections);

        if (userIds != null)
        {
-            await GroupRepositoryUpdateUsersAsync(group, userIds);
+            await SaveGroupUsersAsync(group, userIds);
        }

        await _eventService.LogGroupEventAsync(group, Core.Enums.EventType.Group_Updated);
    }

    public async Task UpdateGroupAsync(Group group, Organization organization, EventSystemUser systemUser,
-        ICollection<CollectionAccessSelection> collections = null,
-        IEnumerable<Guid> userIds = null)
+        ICollection<CollectionAccessSelection>? collections = null,
+        IEnumerable<Guid>? userIds = null)
    {
-        Validate(organization, group, collections);
-        await GroupRepositoryUpdateGroupAsync(group, collections);
+        await ValidateAsync(organization, group, collections, userIds);
+
+        await SaveGroupWithCollectionsAsync(group, collections);

        if (userIds != null)
        {
-            await GroupRepositoryUpdateUsersAsync(group, userIds, systemUser);
+            await SaveGroupUsersAsync(group, userIds, systemUser);
        }

        await _eventService.LogGroupEventAsync(group, Core.Enums.EventType.Group_Updated, systemUser);
    }

-    private async Task GroupRepositoryUpdateGroupAsync(Group group, IEnumerable<CollectionAccessSelection> collections = null)
+    private async Task SaveGroupWithCollectionsAsync(Group group, IEnumerable<CollectionAccessSelection>? collections = null)
    {
        group.RevisionDate = DateTime.UtcNow;

@@ -69,7 +76,7 @@ public class UpdateGroupCommand : IUpdateGroupCommand
        }
    }

-    private async Task GroupRepositoryUpdateUsersAsync(Group group, IEnumerable<Guid> userIds, EventSystemUser? systemUser = null)
+    private async Task SaveGroupUsersAsync(Group group, IEnumerable<Guid> userIds, EventSystemUser? systemUser = null)
    {
        var newUserIds = userIds as Guid[] ?? userIds.ToArray();
        var originalUserIds = await _groupRepository.GetManyUserIdsByIdAsync(group.Id);
@@ -97,11 +104,15 @@ public class UpdateGroupCommand : IUpdateGroupCommand
        }
    }

-    private static void Validate(Organization organization, Group group, IEnumerable<CollectionAccessSelection> collections)
+    private async Task ValidateAsync(Organization organization, Group group, ICollection<CollectionAccessSelection>? collectionAccess,
+        IEnumerable<Guid>? memberAccess)
    {
-        if (organization == null)
+        // Avoid multiple enumeration
+        memberAccess = memberAccess?.ToList();
+
+        if (organization == null || organization.Id != group.OrganizationId)
        {
-            throw new BadRequestException("Organization not found");
+            throw new NotFoundException();
        }

        if (!organization.UseGroups)
@@ -109,15 +120,73 @@ public class UpdateGroupCommand : IUpdateGroupCommand
            throw new BadRequestException("This organization cannot use groups.");
        }

+        var originalGroup = await _groupRepository.GetByIdAsync(group.Id);
+        if (originalGroup == null || originalGroup.OrganizationId != group.OrganizationId)
+        {
+            throw new NotFoundException();
+        }
+
+        if (collectionAccess?.Any() == true)
+        {
+            await ValidateCollectionAccessAsync(originalGroup, collectionAccess);
+        }
+
+        if (memberAccess?.Any() == true)
+        {
+            await ValidateMemberAccessAsync(originalGroup, memberAccess.ToList());
+        }
+
        if (group.AccessAll)
        {
            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
        }

-        var invalidAssociations = collections?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
+        var invalidAssociations = collectionAccess?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
        if (invalidAssociations?.Any() ?? false)
        {
            throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
        }
    }
+
+    private async Task ValidateCollectionAccessAsync(Group originalGroup,
+        ICollection<CollectionAccessSelection> collectionAccess)
+    {
+        var collections = await _collectionRepository
+            .GetManyByManyIdsAsync(collectionAccess.Select(c => c.Id));
+        var collectionIds = collections.Select(c => c.Id);
+
+        var missingCollection = collectionAccess
+            .FirstOrDefault(cas => !collectionIds.Contains(cas.Id));
+        if (missingCollection != default)
+        {
+            throw new NotFoundException();
+        }
+
+        var invalidCollection = collections.FirstOrDefault(c => c.OrganizationId != originalGroup.OrganizationId);
+        if (invalidCollection != default)
+        {
+            // Use generic error message to avoid enumeration
+            throw new NotFoundException();
+        }
+    }
+
+    private async Task ValidateMemberAccessAsync(Group originalGroup,
+        ICollection<Guid> memberAccess)
+    {
+        var members = await _organizationUserRepository.GetManyAsync(memberAccess);
+        var memberIds = members.Select(g => g.Id);
+
+        var missingMemberId = memberAccess.FirstOrDefault(mId => !memberIds.Contains(mId));
+        if (missingMemberId != default)
+        {
+            throw new NotFoundException();
+        }
+
+        var invalidMember = members.FirstOrDefault(m => m.OrganizationId != originalGroup.OrganizationId);
+        if (invalidMember != default)
+        {
+            // Use generic error message to avoid enumeration
+            throw new NotFoundException();
+        }
+    }
 }