[AC-2847] Simplify OrganizationUser and Group PUT methods and tests (#4479)

* refactor controller logic * add additional validation checks to update commands * refactor and improve tests
2025-12-18 01:03:17 +00:00 · 2024-07-16 10:47:28 +10:00
parent 7fee588812
commit 5df0e2180d
11 changed files with 1113 additions and 659 deletions
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
@@ -1,5 +1,6 @@
 #nullable enable
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -19,6 +20,8 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
    private readonly IOrganizationUserRepository _organizationUserRepository;
    private readonly ICountNewSmSeatsRequiredQuery _countNewSmSeatsRequiredQuery;
    private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
+    private readonly ICollectionRepository _collectionRepository;
+    private readonly IGroupRepository _groupRepository;

    public UpdateOrganizationUserCommand(
        IEventService eventService,
@@ -26,7 +29,9 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
        IOrganizationRepository organizationRepository,
        IOrganizationUserRepository organizationUserRepository,
        ICountNewSmSeatsRequiredQuery countNewSmSeatsRequiredQuery,
-        IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand)
+        IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
+        ICollectionRepository collectionRepository,
+        IGroupRepository groupRepository)
    {
        _eventService = eventService;
        _organizationService = organizationService;
@@ -34,17 +39,45 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
        _organizationUserRepository = organizationUserRepository;
        _countNewSmSeatsRequiredQuery = countNewSmSeatsRequiredQuery;
        _updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
+        _collectionRepository = collectionRepository;
+        _groupRepository = groupRepository;
    }

+    /// <summary>
+    /// Update an organization user.
+    /// </summary>
+    /// <param name="user">The modified user to save.</param>
+    /// <param name="savingUserId">The userId of the currently logged in user who is making the change.</param>
+    /// <param name="collectionAccess">The user's updated collection access. If set to null, this removes all collection access.</param>
+    /// <param name="groupAccess">The user's updated group access. If set to null, groups are not updated.</param>
+    /// <exception cref="BadRequestException"></exception>
    public async Task UpdateUserAsync(OrganizationUser user, Guid? savingUserId,
-        List<CollectionAccessSelection>? collections, IEnumerable<Guid>? groups)
+        List<CollectionAccessSelection>? collectionAccess, IEnumerable<Guid>? groupAccess)
    {
+        // Avoid multiple enumeration
+        collectionAccess = collectionAccess?.ToList();
+        groupAccess = groupAccess?.ToList();
+
        if (user.Id.Equals(default(Guid)))
        {
            throw new BadRequestException("Invite the user first.");
        }

        var originalUser = await _organizationUserRepository.GetByIdAsync(user.Id);
+        if (originalUser == null || user.OrganizationId != originalUser.OrganizationId)
+        {
+            throw new NotFoundException();
+        }
+
+        if (collectionAccess?.Any() == true)
+        {
+            await ValidateCollectionAccessAsync(originalUser, collectionAccess.ToList());
+        }
+
+        if (groupAccess?.Any() == true)
+        {
+            await ValidateGroupAccessAsync(originalUser, groupAccess.ToList());
+        }

        if (savingUserId.HasValue)
        {
@@ -64,9 +97,9 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the user to collections instead.");
        }

-        if (collections?.Count > 0)
+        if (collectionAccess?.Count > 0)
        {
-            var invalidAssociations = collections.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
+            var invalidAssociations = collectionAccess.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
            if (invalidAssociations.Any())
            {
                throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
@@ -87,13 +120,55 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
            }
        }

-        await _organizationUserRepository.ReplaceAsync(user, collections);
+        await _organizationUserRepository.ReplaceAsync(user, collectionAccess);

-        if (groups != null)
+        if (groupAccess != null)
        {
-            await _organizationUserRepository.UpdateGroupsAsync(user.Id, groups);
+            await _organizationUserRepository.UpdateGroupsAsync(user.Id, groupAccess);
        }

        await _eventService.LogOrganizationUserEventAsync(user, EventType.OrganizationUser_Updated);
    }
+
+    private async Task ValidateCollectionAccessAsync(OrganizationUser originalUser,
+        ICollection<CollectionAccessSelection> collectionAccess)
+    {
+        var collections = await _collectionRepository
+            .GetManyByManyIdsAsync(collectionAccess.Select(c => c.Id));
+        var collectionIds = collections.Select(c => c.Id);
+
+        var missingCollection = collectionAccess
+            .FirstOrDefault(cas => !collectionIds.Contains(cas.Id));
+        if (missingCollection != default)
+        {
+            throw new NotFoundException();
+        }
+
+        var invalidCollection = collections.FirstOrDefault(c => c.OrganizationId != originalUser.OrganizationId);
+        if (invalidCollection != default)
+        {
+            // Use generic error message to avoid enumeration
+            throw new NotFoundException();
+        }
+    }
+
+    private async Task ValidateGroupAccessAsync(OrganizationUser originalUser,
+        ICollection<Guid> groupAccess)
+    {
+        var groups = await _groupRepository.GetManyByManyIds(groupAccess);
+        var groupIds = groups.Select(g => g.Id);
+
+        var missingGroupId = groupAccess.FirstOrDefault(gId => !groupIds.Contains(gId));
+        if (missingGroupId != default)
+        {
+            throw new NotFoundException();
+        }
+
+        var invalidGroup = groups.FirstOrDefault(g => g.OrganizationId != originalUser.OrganizationId);
+        if (invalidGroup != default)
+        {
+            // Use generic error message to avoid enumeration
+            throw new NotFoundException();
+        }
+    }
 }