[PM-24055] - Collection Users and Groups null on Public response (#6713)

* Integration test around getting and saving collection with group/user permissions * This adds groups to the collections returned. * Added new stored procedures so we don't accidentally wipe out access due to null parameters. * wrapping all calls in transaction in the event that there is an error.
2025-12-31 07:33:43 +00:00 · 2025-12-17 11:34:17 -06:00
parent 886ba9ae6d
commit de504d800b
10 changed files with 609 additions and 17 deletions
--- a/src/Api/AdminConsole/Public/Models/Response/GroupResponseModel.cs
+++ b/src/Api/AdminConsole/Public/Models/Response/GroupResponseModel.cs
@@ -2,6 +2,7 @@
 #nullable disable

 using System.ComponentModel.DataAnnotations;
+using System.Text.Json.Serialization;
 using Bit.Api.Models.Public.Response;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Models.Data;
@@ -13,6 +14,12 @@ namespace Bit.Api.AdminConsole.Public.Models.Response;
 /// </summary>
 public class GroupResponseModel : GroupBaseModel, IResponseModel
 {
+    [JsonConstructor]
+    public GroupResponseModel()
+    {
+
+    }
+
    public GroupResponseModel(Group group, IEnumerable<CollectionAccessSelection> collections)
    {
        if (group == null)
--- a/src/Api/Models/Public/Response/CollectionResponseModel.cs
+++ b/src/Api/Models/Public/Response/CollectionResponseModel.cs
@@ -2,6 +2,7 @@
 #nullable disable

 using System.ComponentModel.DataAnnotations;
+using System.Text.Json.Serialization;
 using Bit.Api.AdminConsole.Public.Models.Response;
 using Bit.Core.Entities;
 using Bit.Core.Models.Data;
@@ -13,6 +14,12 @@ namespace Bit.Api.Models.Public.Response;
 /// </summary>
 public class CollectionResponseModel : CollectionBaseModel, IResponseModel
 {
+    [JsonConstructor]
+    public CollectionResponseModel()
+    {
+
+    }
+
    public CollectionResponseModel(Collection collection, IEnumerable<CollectionAccessSelection> groups)
    {
        if (collection == null)
--- a/src/Api/Public/Controllers/CollectionsController.cs
+++ b/src/Api/Public/Controllers/CollectionsController.cs
@@ -65,10 +65,11 @@ public class CollectionsController : Controller
    [ProducesResponseType(typeof(ListResponseModel<CollectionResponseModel>), (int)HttpStatusCode.OK)]
    public async Task<IActionResult> List()
    {
-        var collections = await _collectionRepository.GetManySharedCollectionsByOrganizationIdAsync(
-            _currentContext.OrganizationId.Value);
-        // TODO: Get all CollectionGroup associations for the organization and marry them up here for the response.
-        var collectionResponses = collections.Select(c => new CollectionResponseModel(c, null));
+        var collections = await _collectionRepository.GetManyByOrganizationIdWithAccessAsync(_currentContext.OrganizationId.Value);
+
+        var collectionResponses = collections.Select(c =>
+            new CollectionResponseModel(c.Item1, c.Item2.Groups));
+
        var response = new ListResponseModel<CollectionResponseModel>(collectionResponses);
        return new JsonResult(response);
    }
--- a/src/Infrastructure.Dapper/Repositories/CollectionRepository.cs
+++ b/src/Infrastructure.Dapper/Repositories/CollectionRepository.cs
@@ -226,7 +226,6 @@ public class CollectionRepository : Repository<Collection, Guid>, ICollectionRep
    {
        obj.SetNewId();

-
        var objWithGroupsAndUsers = JsonSerializer.Deserialize<CollectionWithGroupsAndUsers>(JsonSerializer.Serialize(obj))!;

        objWithGroupsAndUsers.Groups = groups != null ? groups.ToArrayTVP() : Enumerable.Empty<CollectionAccessSelection>().ToArrayTVP();
@@ -243,18 +242,52 @@ public class CollectionRepository : Repository<Collection, Guid>, ICollectionRep

    public async Task ReplaceAsync(Collection obj, IEnumerable<CollectionAccessSelection>? groups, IEnumerable<CollectionAccessSelection>? users)
    {
-        var objWithGroupsAndUsers = JsonSerializer.Deserialize<CollectionWithGroupsAndUsers>(JsonSerializer.Serialize(obj))!;
-
-        objWithGroupsAndUsers.Groups = groups != null ? groups.ToArrayTVP() : Enumerable.Empty<CollectionAccessSelection>().ToArrayTVP();
-        objWithGroupsAndUsers.Users = users != null ? users.ToArrayTVP() : Enumerable.Empty<CollectionAccessSelection>().ToArrayTVP();
-
-        using (var connection = new SqlConnection(ConnectionString))
+        await using var connection = new SqlConnection(ConnectionString);
+        await connection.OpenAsync();
+        await using var transaction = await connection.BeginTransactionAsync();
+        try
        {
-            var results = await connection.ExecuteAsync(
-                $"[{Schema}].[Collection_UpdateWithGroupsAndUsers]",
-                objWithGroupsAndUsers,
-                commandType: CommandType.StoredProcedure);
+            if (groups == null && users == null)
+            {
+                await connection.ExecuteAsync(
+                    $"[{Schema}].[Collection_Update]",
+                    obj,
+                    commandType: CommandType.StoredProcedure,
+                    transaction: transaction);
+            }
+            else if (groups != null && users == null)
+            {
+                await connection.ExecuteAsync(
+                    $"[{Schema}].[Collection_UpdateWithGroups]",
+                    new CollectionWithGroups(obj, groups),
+                    commandType: CommandType.StoredProcedure,
+                    transaction: transaction);
+            }
+            else if (groups == null && users != null)
+            {
+                await connection.ExecuteAsync(
+                    $"[{Schema}].[Collection_UpdateWithUsers]",
+                    new CollectionWithUsers(obj, users),
+                    commandType: CommandType.StoredProcedure,
+                    transaction: transaction);
+            }
+            else if (groups != null && users != null)
+            {
+                await connection.ExecuteAsync(
+                    $"[{Schema}].[Collection_UpdateWithGroupsAndUsers]",
+                    new CollectionWithGroupsAndUsers(obj, groups, users),
+                    commandType: CommandType.StoredProcedure,
+                    transaction: transaction);
+            }
+
+            await transaction.CommitAsync();
        }
+        catch
+        {
+            await transaction.RollbackAsync();
+            throw;
+        }
+
    }

    public async Task DeleteManyAsync(IEnumerable<Guid> collectionIds)
@@ -424,9 +457,70 @@ public class CollectionRepository : Repository<Collection, Guid>, ICollectionRep

    public class CollectionWithGroupsAndUsers : Collection
    {
+        public CollectionWithGroupsAndUsers() { }
+
+        public CollectionWithGroupsAndUsers(Collection collection,
+            IEnumerable<CollectionAccessSelection> groups,
+            IEnumerable<CollectionAccessSelection> users)
+        {
+            Id = collection.Id;
+            Name = collection.Name;
+            OrganizationId = collection.OrganizationId;
+            CreationDate = collection.CreationDate;
+            RevisionDate = collection.RevisionDate;
+            Type = collection.Type;
+            ExternalId = collection.ExternalId;
+            DefaultUserCollectionEmail = collection.DefaultUserCollectionEmail;
+            Groups = groups.ToArrayTVP();
+            Users = users.ToArrayTVP();
+        }
+
        [DisallowNull]
        public DataTable? Groups { get; set; }
        [DisallowNull]
        public DataTable? Users { get; set; }
    }
+
+    public class CollectionWithGroups : Collection
+    {
+        public CollectionWithGroups() { }
+
+        public CollectionWithGroups(Collection collection, IEnumerable<CollectionAccessSelection> groups)
+        {
+            Id = collection.Id;
+            Name = collection.Name;
+            OrganizationId = collection.OrganizationId;
+            CreationDate = collection.CreationDate;
+            RevisionDate = collection.RevisionDate;
+            Type = collection.Type;
+            ExternalId = collection.ExternalId;
+            DefaultUserCollectionEmail = collection.DefaultUserCollectionEmail;
+            Groups = groups.ToArrayTVP();
+        }
+
+        [DisallowNull]
+        public DataTable? Groups { get; set; }
+    }
+
+    public class CollectionWithUsers : Collection
+    {
+        public CollectionWithUsers() { }
+
+        public CollectionWithUsers(Collection collection, IEnumerable<CollectionAccessSelection> users)
+        {
+
+            Id = collection.Id;
+            Name = collection.Name;
+            OrganizationId = collection.OrganizationId;
+            CreationDate = collection.CreationDate;
+            RevisionDate = collection.RevisionDate;
+            Type = collection.Type;
+            ExternalId = collection.ExternalId;
+            DefaultUserCollectionEmail = collection.DefaultUserCollectionEmail;
+            Users = users.ToArrayTVP();
+        }
+
+        [DisallowNull]
+        public DataTable? Users { get; set; }
+    }
 }
--- a/Procedures/Collection_UpdateWithGroups.sql
+++ b/Procedures/Collection_UpdateWithGroups.sql
@@ -0,0 +1,74 @@
+CREATE PROCEDURE [dbo].[Collection_UpdateWithGroups]
+    @Id UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Name VARCHAR(MAX),
+    @ExternalId NVARCHAR(300),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @Groups AS [dbo].[CollectionAccessSelectionType] READONLY,
+    @DefaultUserCollectionEmail NVARCHAR(256) = NULL,
+    @Type TINYINT = 0
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    EXEC [dbo].[Collection_Update] @Id, @OrganizationId, @Name, @ExternalId, @CreationDate, @RevisionDate, @DefaultUserCollectionEmail, @Type
+
+    -- Groups
+    -- Delete groups that are no longer in source
+    DELETE
+        cg
+    FROM
+        [dbo].[CollectionGroup] cg
+    LEFT JOIN
+        @Groups g ON cg.GroupId = g.Id
+    WHERE
+        cg.CollectionId = @Id
+        AND g.Id IS NULL;
+
+    -- Update existing groups
+    UPDATE
+        cg
+    SET
+        cg.ReadOnly = g.ReadOnly,
+        cg.HidePasswords = g.HidePasswords,
+        cg.Manage = g.Manage
+    FROM
+        [dbo].[CollectionGroup] cg
+    INNER JOIN
+        @Groups g ON cg.GroupId = g.Id
+    WHERE
+        cg.CollectionId = @Id
+        AND (
+            cg.ReadOnly != g.ReadOnly
+            OR cg.HidePasswords != g.HidePasswords
+            OR cg.Manage != g.Manage
+        );
+
+    -- Insert new groups
+    INSERT INTO [dbo].[CollectionGroup]
+    (
+        [CollectionId],
+        [GroupId],
+        [ReadOnly],
+        [HidePasswords],
+        [Manage]
+    )
+    SELECT
+        @Id,
+        g.Id,
+        g.ReadOnly,
+        g.HidePasswords,
+        g.Manage
+    FROM
+        @Groups g
+    INNER JOIN
+        [dbo].[Group] grp ON grp.Id = g.Id
+    LEFT JOIN
+        [dbo].[CollectionGroup] cg ON cg.CollectionId = @Id AND cg.GroupId = g.Id
+    WHERE
+        grp.OrganizationId = @OrganizationId
+        AND cg.CollectionId IS NULL;
+
+    EXEC [dbo].[User_BumpAccountRevisionDateByCollectionId] @Id, @OrganizationId
+END
--- a/Procedures/Collection_UpdateWithUsers.sql
+++ b/Procedures/Collection_UpdateWithUsers.sql
@@ -0,0 +1,74 @@
+CREATE PROCEDURE [dbo].[Collection_UpdateWithUsers]
+    @Id UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Name VARCHAR(MAX),
+    @ExternalId NVARCHAR(300),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @Users AS [dbo].[CollectionAccessSelectionType] READONLY,
+    @DefaultUserCollectionEmail NVARCHAR(256) = NULL,
+    @Type TINYINT = 0
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    EXEC [dbo].[Collection_Update] @Id, @OrganizationId, @Name, @ExternalId, @CreationDate, @RevisionDate, @DefaultUserCollectionEmail, @Type
+
+    -- Users
+    -- Delete users that are no longer in source
+    DELETE
+        cu
+    FROM
+        [dbo].[CollectionUser] cu
+    LEFT JOIN
+        @Users u ON cu.OrganizationUserId = u.Id
+    WHERE
+        cu.CollectionId = @Id
+        AND u.Id IS NULL;
+
+    -- Update existing users
+    UPDATE
+        cu
+    SET
+        cu.ReadOnly = u.ReadOnly,
+        cu.HidePasswords = u.HidePasswords,
+        cu.Manage = u.Manage
+    FROM
+        [dbo].[CollectionUser] cu
+    INNER JOIN
+        @Users u ON cu.OrganizationUserId = u.Id
+    WHERE
+        cu.CollectionId = @Id
+        AND (
+            cu.ReadOnly != u.ReadOnly
+            OR cu.HidePasswords != u.HidePasswords
+            OR cu.Manage != u.Manage
+        );
+
+    -- Insert new users
+    INSERT INTO [dbo].[CollectionUser]
+    (
+        [CollectionId],
+        [OrganizationUserId],
+        [ReadOnly],
+        [HidePasswords],
+        [Manage]
+    )
+    SELECT
+        @Id,
+        u.Id,
+        u.ReadOnly,
+        u.HidePasswords,
+        u.Manage
+    FROM
+        @Users u
+    INNER JOIN
+        [dbo].[OrganizationUser] ou ON ou.Id = u.Id
+    LEFT JOIN
+        [dbo].[CollectionUser] cu ON cu.CollectionId = @Id AND cu.OrganizationUserId = u.Id
+    WHERE
+        ou.OrganizationId = @OrganizationId
+        AND cu.CollectionId IS NULL;
+
+    EXEC [dbo].[User_BumpAccountRevisionDateByCollectionId] @Id, @OrganizationId
+END