[PM-3478] Refactor OrganizationUser api (#4752)

* Add OrganizationUserMiniDetails endpoint, models and authorization * Restrict access to current OrganizationUserUserDetails endpoint Both are behind feature flags
2026-01-08 03:23:20 +00:00 · 2024-10-01 07:14:16 +10:00
parent 7368e57b7b
commit c94a084c86
16 changed files with 514 additions and 211 deletions
--- a/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs
@@ -1,60 +0,0 @@
-#nullable enable
-using Bit.Core.Context;
-using Microsoft.AspNetCore.Authorization;
-
-namespace Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
-
-/// <summary>
-/// Handles authorization logic for OrganizationUser objects.
-/// This uses new logic implemented in the Flexible Collections initiative.
-/// </summary>
-public class OrganizationUserAuthorizationHandler : AuthorizationHandler<OrganizationUserOperationRequirement>
-{
-    private readonly ICurrentContext _currentContext;
-
-    public OrganizationUserAuthorizationHandler(ICurrentContext currentContext)
-    {
-        _currentContext = currentContext;
-    }
-
-    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
-        OrganizationUserOperationRequirement requirement)
-    {
-        if (!_currentContext.UserId.HasValue)
-        {
-            context.Fail();
-            return;
-        }
-
-        if (requirement.OrganizationId == default)
-        {
-            context.Fail();
-            return;
-        }
-
-        var org = _currentContext.GetOrganization(requirement.OrganizationId);
-
-        switch (requirement)
-        {
-            case not null when requirement.Name == nameof(OrganizationUserOperations.ReadAll):
-                await CanReadAllAsync(context, requirement, org);
-                break;
-        }
-    }
-
-    private async Task CanReadAllAsync(AuthorizationHandlerContext context, OrganizationUserOperationRequirement requirement,
-        CurrentContextOrganization? org)
-    {
-        // All users of an organization can read all other users of that organization for collection access management
-        if (org is not null)
-        {
-            context.Succeed(requirement);
-        }
-
-        // Allow provider users to read all organization users if they are a provider for the target organization
-        if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
-        {
-            context.Succeed(requirement);
-        }
-    }
-}
--- a/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserOperations.cs
+++ b/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserOperations.cs
@@ -1,22 +0,0 @@
-using Microsoft.AspNetCore.Authorization.Infrastructure;
-
-namespace Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
-
-public class OrganizationUserOperationRequirement : OperationAuthorizationRequirement
-{
-    public Guid OrganizationId { get; }
-
-    public OrganizationUserOperationRequirement(string name, Guid organizationId)
-    {
-        Name = name;
-        OrganizationId = organizationId;
-    }
-}
-
-public static class OrganizationUserOperations
-{
-    public static OrganizationUserOperationRequirement ReadAll(Guid organizationId)
-    {
-        return new OrganizationUserOperationRequirement(nameof(ReadAll), organizationId);
-    }
-}