[AC-1139] Renamed existing CollectionAuthorizationHandler to BulkCollectionAuthorizationHandler for collections and created CollectionAuthorizationHandler for single item access. Fixed unit tests and created more

2025-12-28 14:13:48 +00:00 · 2023-10-25 16:19:25 +01:00
parent 20fe2bcc5b
commit e57469859c
6 changed files with 562 additions and 436 deletions
--- a/test/Api.Test/Controllers/CollectionsControllerTests.cs
+++ b/test/Api.Test/Controllers/CollectionsControllerTests.cs
@@ -47,101 +47,90 @@ public class CollectionsControllerTests
    }

    [Theory, BitAutoData]
-    public async Task Put_Success(Guid orgId, Guid collectionId, Guid userId, CollectionRequestModel collectionRequest,
+    public async Task Put_Success(Collection collection, CollectionRequestModel collectionRequest,
        SutProvider<CollectionsController> sutProvider)
    {
-        sutProvider.GetDependency<ICurrentContext>()
-            .ViewAssignedCollections(orgId)
-            .Returns(true);
-
-        sutProvider.GetDependency<ICurrentContext>()
-            .EditAssignedCollections(orgId)
-            .Returns(true);
-
-        sutProvider.GetDependency<ICurrentContext>()
-            .UserId
-            .Returns(userId);
+        Collection ExpectedCollection() => Arg.Is<Collection>(c => c.Id == collection.Id &&
+            c.Name == collectionRequest.Name && c.ExternalId == collectionRequest.ExternalId &&
+            c.OrganizationId == collection.OrganizationId);

        sutProvider.GetDependency<ICollectionRepository>()
-            .GetByIdAsync(collectionId, userId)
-            .Returns(new CollectionDetails
-            {
-                OrganizationId = orgId,
-            });
+            .GetByIdAsync(collection.Id)
+            .Returns(collection);

-        _ = await sutProvider.Sut.Put(orgId, collectionId, collectionRequest);
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
+                collection,
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(r => r.Contains(CollectionOperations.Update)))
+            .Returns(AuthorizationResult.Success());
+
+        _ = await sutProvider.Sut.Put(collection.OrganizationId, collection.Id, collectionRequest);
+
+        await sutProvider.GetDependency<ICollectionService>()
+            .Received(1)
+            .SaveAsync(ExpectedCollection(), Arg.Any<IEnumerable<CollectionAccessSelection>>(),
+                Arg.Any<IEnumerable<CollectionAccessSelection>>());
    }

    [Theory, BitAutoData]
-    public async Task Put_CanNotEditAssignedCollection_ThrowsNotFound(Guid orgId, Guid collectionId, Guid userId, CollectionRequestModel collectionRequest,
+    public async Task Put_WithNoCollectionPermission_ThrowsNotFound(Collection collection, CollectionRequestModel collectionRequest,
        SutProvider<CollectionsController> sutProvider)
    {
-        sutProvider.GetDependency<ICurrentContext>()
-            .EditAssignedCollections(orgId)
-            .Returns(true);
-
-        sutProvider.GetDependency<ICurrentContext>()
-            .UserId
-            .Returns(userId);
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
+                collection,
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(r => r.Contains(CollectionOperations.Update)))
+            .Returns(AuthorizationResult.Failed());

        sutProvider.GetDependency<ICollectionRepository>()
-            .GetByIdAsync(collectionId, userId)
-            .Returns(Task.FromResult<CollectionDetails>(null));
+            .GetByIdAsync(collection.Id)
+            .Returns(collection);

-        _ = await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.Put(orgId, collectionId, collectionRequest));
+        _ = await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.Put(collection.OrganizationId, collection.Id, collectionRequest));
    }

    [Theory, BitAutoData]
-    public async Task GetOrganizationCollectionsWithGroups_NoManagerPermissions_ThrowsNotFound(Organization organization, SutProvider<CollectionsController> sutProvider)
+    public async Task GetOrganizationCollectionsWithGroups_WithReadAllPermissions_GetsAllCollections(Organization organization, Guid userId, SutProvider<CollectionsController> sutProvider)
    {
-        sutProvider.GetDependency<ICurrentContext>().ViewAssignedCollections(organization.Id).Returns(false);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);

-        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetManyWithDetails(organization.Id));
-        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByOrganizationIdWithAccessAsync(default);
-        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByUserIdWithAccessAsync(default, default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetOrganizationCollectionsWithGroups_AdminPermissions_GetsAllCollections(Organization organization, User user, SutProvider<CollectionsController> sutProvider)
-    {
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(user.Id);
-        sutProvider.GetDependency<ICurrentContext>().ViewAllCollections(organization.Id).Returns(true);
-        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(organization.Id).Returns(true);
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(
+                Arg.Any<ClaimsPrincipal>(),
+                Arg.Any<object>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(requirements =>
+                    requirements.Cast<CollectionOperationRequirement>().All(operation =>
+                        operation.Name == nameof(CollectionOperations.ReadAll)
+                        && operation.OrganizationId == organization.Id)))
+            .Returns(AuthorizationResult.Success());

        await sutProvider.Sut.GetManyWithDetails(organization.Id);

-        await sutProvider.GetDependency<ICollectionRepository>().Received().GetManyByOrganizationIdWithAccessAsync(organization.Id);
-        await sutProvider.GetDependency<ICollectionRepository>().Received().GetManyByUserIdWithAccessAsync(user.Id, organization.Id);
+        await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByUserIdWithAccessAsync(userId, organization.Id);
+        await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByOrganizationIdWithAccessAsync(organization.Id);
    }

    [Theory, BitAutoData]
-    public async Task GetOrganizationCollectionsWithGroups_MissingViewAllPermissions_GetsAssignedCollections(Organization organization, User user, SutProvider<CollectionsController> sutProvider)
+    public async Task GetOrganizationCollectionsWithGroups_MissingReadAllPermissions_GetsAssignedCollections(Organization organization, Guid userId, SutProvider<CollectionsController> sutProvider)
    {
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(user.Id);
-        sutProvider.GetDependency<ICurrentContext>().ViewAssignedCollections(organization.Id).Returns(true);
-        sutProvider.GetDependency<ICurrentContext>().OrganizationManager(organization.Id).Returns(true);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(
+                Arg.Any<ClaimsPrincipal>(),
+                Arg.Any<object>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(requirements =>
+                    requirements.Cast<CollectionOperationRequirement>().All(operation =>
+                        operation.Name == nameof(CollectionOperations.ReadAll)
+                        && operation.OrganizationId == organization.Id)))
+            .Returns(AuthorizationResult.Failed());

        await sutProvider.Sut.GetManyWithDetails(organization.Id);

-        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByOrganizationIdWithAccessAsync(default);
-        await sutProvider.GetDependency<ICollectionRepository>().Received().GetManyByUserIdWithAccessAsync(user.Id, organization.Id);
+        await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByUserIdWithAccessAsync(userId, organization.Id);
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceive().GetManyByOrganizationIdWithAccessAsync(organization.Id);
    }

-    [Theory, BitAutoData]
-    public async Task GetOrganizationCollectionsWithGroups_CustomUserWithManagerPermissions_GetsAssignedCollections(Organization organization, User user, SutProvider<CollectionsController> sutProvider)
-    {
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(user.Id);
-        sutProvider.GetDependency<ICurrentContext>().ViewAssignedCollections(organization.Id).Returns(true);
-        sutProvider.GetDependency<ICurrentContext>().EditAssignedCollections(organization.Id).Returns(true);
-
-
-        await sutProvider.Sut.GetManyWithDetails(organization.Id);
-
-        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByOrganizationIdWithAccessAsync(default);
-        await sutProvider.GetDependency<ICollectionRepository>().Received().GetManyByUserIdWithAccessAsync(user.Id, organization.Id);
-    }
-
-
    [Theory, BitAutoData]
    public async Task DeleteMany_Success(Guid orgId, Collection collection1, Collection collection2, SutProvider<CollectionsController> sutProvider)
    {
--- a/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
+++ b/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
@@ -0,0 +1,224 @@
+using System.Security.Claims;
+using Bit.Api.Vault.AuthorizationHandlers.Collections;
+using Bit.Core;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
+using Bit.Core.Repositories;
+using Bit.Core.Test.AutoFixture;
+using Bit.Core.Test.Vault.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.Vault.AuthorizationHandlers;
+
+[SutProviderCustomize]
+[FeatureServiceCustomize(FeatureFlagKeys.FlexibleCollections)]
+public class BulkCollectionAuthorizationHandlerTests
+{
+    [Theory, CollectionCustomization]
+    [BitAutoData(OrganizationUserType.User, false, true)]
+    [BitAutoData(OrganizationUserType.Admin, false, false)]
+    [BitAutoData(OrganizationUserType.Owner, false, false)]
+    [BitAutoData(OrganizationUserType.Custom, true, false)]
+    [BitAutoData(OrganizationUserType.Owner, true, true)]
+    public async Task CanManageCollectionAccessAsync_Success(
+        OrganizationUserType userType, bool editAnyCollection, bool manageCollections,
+        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
+        ICollection<Collection> collections,
+        ICollection<CollectionDetails> collectionDetails,
+        CurrentContextOrganization organization)
+    {
+        var actingUserId = Guid.NewGuid();
+        foreach (var collectionDetail in collectionDetails)
+        {
+            collectionDetail.Manage = manageCollections;
+        }
+
+        organization.Type = userType;
+        organization.Permissions.EditAnyCollection = editAnyCollection;
+
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperations.ModifyAccess },
+            new ClaimsPrincipal(),
+            collections);
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collectionDetails);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CollectionCustomization]
+    [BitAutoData(OrganizationUserType.User, false, false)]
+    [BitAutoData(OrganizationUserType.Admin, false, true)]
+    [BitAutoData(OrganizationUserType.Owner, false, true)]
+    [BitAutoData(OrganizationUserType.Custom, true, true)]
+    public async Task CanCreateAsync_Success(
+        OrganizationUserType userType, bool createNewCollection, bool limitCollectionCreateDelete,
+        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
+        ICollection<Collection> collections,
+        CurrentContextOrganization organization)
+    {
+        var actingUserId = Guid.NewGuid();
+
+        organization.Type = userType;
+        organization.Permissions.CreateNewCollections = createNewCollection;
+        organization.LimitCollectionCreationDeletion = limitCollectionCreateDelete;
+
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperations.Create },
+            new ClaimsPrincipal(),
+            collections);
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, CollectionCustomization]
+    [BitAutoData(OrganizationUserType.User, false, false, true)]
+    [BitAutoData(OrganizationUserType.Admin, false, true, false)]
+    [BitAutoData(OrganizationUserType.Owner, false, true, false)]
+    [BitAutoData(OrganizationUserType.Custom, true, true, false)]
+    public async Task CanDeleteAsync_Success(
+        OrganizationUserType userType, bool deleteAnyCollection, bool limitCollectionCreateDelete, bool manageCollections,
+        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
+        ICollection<Collection> collections,
+        ICollection<CollectionDetails> collectionDetails,
+        CurrentContextOrganization organization)
+    {
+        var actingUserId = Guid.NewGuid();
+        foreach (var collectionDetail in collectionDetails)
+        {
+            collectionDetail.Manage = manageCollections;
+        }
+
+        organization.Type = userType;
+        organization.Permissions.DeleteAnyCollection = deleteAnyCollection;
+        organization.LimitCollectionCreationDeletion = limitCollectionCreateDelete;
+
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperations.Delete },
+            new ClaimsPrincipal(),
+            collections);
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collectionDetails);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData, CollectionCustomization]
+    public async Task HandleRequirementAsync_MissingUserId_Failure(
+        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
+        ICollection<Collection> collections)
+    {
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperations.Create },
+            new ClaimsPrincipal(),
+            collections
+        );
+
+        // Simulate missing user id
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns((Guid?)null);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.True(context.HasFailed);
+        sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs();
+    }
+
+    [Theory, BitAutoData, CollectionCustomization]
+    public async Task HandleRequirementAsync_TargetCollectionsMultipleOrgs_Failure(
+        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
+        IList<Collection> collections)
+    {
+        var actingUserId = Guid.NewGuid();
+
+        // Simulate a collection in a different organization
+        collections.First().OrganizationId = Guid.NewGuid();
+
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperations.Create },
+            new ClaimsPrincipal(),
+            collections
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.HandleAsync(context));
+        Assert.Equal("Requested collections must belong to the same organization.", exception.Message);
+        sutProvider.GetDependency<ICurrentContext>().DidNotReceiveWithAnyArgs().GetOrganization(default);
+    }
+
+    [Theory, BitAutoData, CollectionCustomization]
+    public async Task HandleRequirementAsync_MissingOrg_Failure(
+        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
+        ICollection<Collection> collections)
+    {
+        var actingUserId = Guid.NewGuid();
+
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperations.Create },
+            new ClaimsPrincipal(),
+            collections
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.True(context.HasFailed);
+    }
+
+    [Theory, BitAutoData, CollectionCustomization]
+    public async Task CanManageCollectionAccessAsync_MissingManageCollectionPermission_Failure(
+        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
+        ICollection<Collection> collections,
+        ICollection<CollectionDetails> collectionDetails,
+        CurrentContextOrganization organization)
+    {
+        var actingUserId = Guid.NewGuid();
+
+        foreach (var collectionDetail in collectionDetails)
+        {
+            collectionDetail.Manage = true;
+        }
+        // Simulate one collection missing the manage permission
+        collectionDetails.First().Manage = false;
+
+        // Ensure the user is not an owner/admin and does not have edit any collection permission
+        organization.Type = OrganizationUserType.User;
+        organization.Permissions.EditAnyCollection = false;
+
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperations.ModifyAccess },
+            new ClaimsPrincipal(),
+            collections
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns(organization);
+        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collectionDetails);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.True(context.HasFailed);
+        sutProvider.GetDependency<ICurrentContext>().ReceivedWithAnyArgs().GetOrganization(default);
+        await sutProvider.GetDependency<ICollectionRepository>().ReceivedWithAnyArgs()
+            .GetManyByUserIdAsync(default);
+    }
+}
--- a/test/Api.Test/Vault/AuthorizationHandlers/CollectionAuthorizationHandlerTests.cs
+++ b/test/Api.Test/Vault/AuthorizationHandlers/CollectionAuthorizationHandlerTests.cs
@@ -2,13 +2,8 @@
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Core;
 using Bit.Core.Context;
-using Bit.Core.Entities;
 using Bit.Core.Enums;
-using Bit.Core.Exceptions;
-using Bit.Core.Models.Data;
-using Bit.Core.Repositories;
 using Bit.Core.Test.AutoFixture;
-using Bit.Core.Test.Vault.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Authorization;
@@ -21,117 +16,75 @@ namespace Bit.Api.Test.Vault.AuthorizationHandlers;
 [FeatureServiceCustomize(FeatureFlagKeys.FlexibleCollections)]
 public class CollectionAuthorizationHandlerTests
 {
-    [Theory, CollectionCustomization]
+    [Theory]
    [BitAutoData(OrganizationUserType.User, false, true)]
    [BitAutoData(OrganizationUserType.Admin, false, false)]
    [BitAutoData(OrganizationUserType.Owner, false, false)]
    [BitAutoData(OrganizationUserType.Custom, true, false)]
    [BitAutoData(OrganizationUserType.Owner, true, true)]
-    public async Task CanManageCollectionAccessAsync_Success(
-        OrganizationUserType userType, bool editAnyCollection, bool manageCollections,
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        ICollection<CollectionDetails> collectionDetails,
+    public async Task CanReadAllAccessAsync_Success(
+        OrganizationUserType userType, bool editAnyCollection, bool deleteAnyCollection,
+        Guid userId, SutProvider<CollectionAuthorizationHandler> sutProvider,
        CurrentContextOrganization organization)
    {
-        var actingUserId = Guid.NewGuid();
-        foreach (var collectionDetail in collectionDetails)
-        {
-            collectionDetail.Manage = manageCollections;
-        }
+        // if (org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin ||
+        //     org.Permissions.ManageGroups ||
+        //     org.Permissions.ManageUsers ||
+        //     org.Permissions.EditAnyCollection ||
+        //     org.Permissions.DeleteAnyCollection ||
+        //     org.Permissions.AccessImportExport ||
+        //     await _currentContext.ProviderUserForOrgAsync(org.Id))
+        // {
+        //     context.Succeed(requirement);
+        // }

        organization.Type = userType;
        organization.Permissions.EditAnyCollection = editAnyCollection;
-
-        var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.ModifyAccess },
-            new ClaimsPrincipal(),
-            collections);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collectionDetails);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, CollectionCustomization]
-    [BitAutoData(OrganizationUserType.User, false, false)]
-    [BitAutoData(OrganizationUserType.Admin, false, true)]
-    [BitAutoData(OrganizationUserType.Owner, false, true)]
-    [BitAutoData(OrganizationUserType.Custom, true, true)]
-    public async Task CanCreateAsync_Success(
-        OrganizationUserType userType, bool createNewCollection, bool limitCollectionCreateDelete,
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = userType;
-        organization.Permissions.CreateNewCollections = createNewCollection;
-        organization.LimitCollectionCreationDeletion = limitCollectionCreateDelete;
-
-        var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.Create },
-            new ClaimsPrincipal(),
-            collections);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, CollectionCustomization]
-    [BitAutoData(OrganizationUserType.User, false, false, true)]
-    [BitAutoData(OrganizationUserType.Admin, false, true, false)]
-    [BitAutoData(OrganizationUserType.Owner, false, true, false)]
-    [BitAutoData(OrganizationUserType.Custom, true, true, false)]
-    public async Task CanDeleteAsync_Success(
-        OrganizationUserType userType, bool deleteAnyCollection, bool limitCollectionCreateDelete, bool manageCollections,
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        ICollection<CollectionDetails> collectionDetails,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-        foreach (var collectionDetail in collectionDetails)
-        {
-            collectionDetail.Manage = manageCollections;
-        }
-
-        organization.Type = userType;
        organization.Permissions.DeleteAnyCollection = deleteAnyCollection;
-        organization.LimitCollectionCreationDeletion = limitCollectionCreateDelete;

        var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.Delete },
+            new[] { CollectionOperations.ReadAll(organization.Id) },
            new ClaimsPrincipal(),
-            collections);
+            null);

-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collectionDetails);

        await sutProvider.Sut.HandleAsync(context);

        Assert.True(context.HasSucceeded);
    }

-    [Theory, BitAutoData, CollectionCustomization]
+    [Theory, BitAutoData]
+    public async Task CanReadAllAccessAsync_WithProviderUser_Success(
+        Guid userId,
+        SutProvider<CollectionAuthorizationHandler> sutProvider, CurrentContextOrganization organization)
+    {
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperations.ReadAll(organization.Id) },
+            new ClaimsPrincipal(),
+            null);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId
+            .Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>()
+            .ProviderUserForOrgAsync(organization.Id)
+            .Returns(true);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData]
    public async Task HandleRequirementAsync_MissingUserId_Failure(
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections)
+        SutProvider<CollectionAuthorizationHandler> sutProvider)
    {
        var context = new AuthorizationHandlerContext(
            new[] { CollectionOperations.Create },
            new ClaimsPrincipal(),
-            collections
+            null
        );

        // Simulate missing user id
@@ -139,86 +92,24 @@ public class CollectionAuthorizationHandlerTests

        await sutProvider.Sut.HandleAsync(context);
        Assert.True(context.HasFailed);
-        sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs();
    }

-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task HandleRequirementAsync_TargetCollectionsMultipleOrgs_Failure(
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        IList<Collection> collections)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        // Simulate a collection in a different organization
-        collections.First().OrganizationId = Guid.NewGuid();
-
-        var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.Create },
-            new ClaimsPrincipal(),
-            collections
-        );
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.HandleAsync(context));
-        Assert.Equal("Requested collections must belong to the same organization.", exception.Message);
-        sutProvider.GetDependency<ICurrentContext>().DidNotReceiveWithAnyArgs().GetOrganization(default);
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
+    [Theory, BitAutoData]
    public async Task HandleRequirementAsync_MissingOrg_Failure(
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections)
+        Guid userId,
+        Guid organizationId,
+        SutProvider<CollectionAuthorizationHandler> sutProvider)
    {
-        var actingUserId = Guid.NewGuid();
-
        var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.Create },
+            new[] { CollectionOperations.ReadAll(organizationId) },
            new ClaimsPrincipal(),
-            collections
+            null
        );

-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);

        await sutProvider.Sut.HandleAsync(context);
        Assert.True(context.HasFailed);
    }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanManageCollectionAccessAsync_MissingManageCollectionPermission_Failure(
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        ICollection<CollectionDetails> collectionDetails,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        foreach (var collectionDetail in collectionDetails)
-        {
-            collectionDetail.Manage = true;
-        }
-        // Simulate one collection missing the manage permission
-        collectionDetails.First().Manage = false;
-
-        // Ensure the user is not an owner/admin and does not have edit any collection permission
-        organization.Type = OrganizationUserType.User;
-        organization.Permissions.EditAnyCollection = false;
-
-        var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.ModifyAccess },
-            new ClaimsPrincipal(),
-            collections
-        );
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collectionDetails);
-
-        await sutProvider.Sut.HandleAsync(context);
-        Assert.True(context.HasFailed);
-        sutProvider.GetDependency<ICurrentContext>().ReceivedWithAnyArgs().GetOrganization(default);
-        await sutProvider.GetDependency<ICollectionRepository>().ReceivedWithAnyArgs()
-            .GetManyByUserIdAsync(default);
-    }
 }
--- a/test/Core.Test/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/Services/OrganizationServiceTests.cs
@@ -75,8 +75,11 @@ public class OrganizationServiceTests
            .CreateAsync(default);

        // Create new users
-        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1)
-            .CreateManyAsync(Arg.Is<IEnumerable<OrganizationUser>>(users => users.Count() == expectedNewUsersCount));
+        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(expectedNewUsersCount)
+            .CreateAsync(
+                Arg.Is<OrganizationUser>(user => user.Status == OrganizationUserStatusType.Invited
+                                                 && newUsers.Any(u => string.Equals(u.Email, user.Email, StringComparison.InvariantCultureIgnoreCase))),
+                Arg.Any<IEnumerable<CollectionAccessSelection>>());
        await sutProvider.GetDependency<IMailService>().Received(1)
            .BulkSendOrganizationInviteEmailAsync(org.Name,
            Arg.Is<IEnumerable<(OrganizationUser, ExpiringToken)>>(messages => messages.Count() == expectedNewUsersCount), org.PlanType == PlanType.Free);
@@ -125,16 +128,17 @@ public class OrganizationServiceTests
            .UpsertAsync(default);
        await sutProvider.GetDependency<IOrganizationUserRepository>().DidNotReceiveWithAnyArgs()
            .CreateAsync(default);
-        await sutProvider.GetDependency<IOrganizationUserRepository>().DidNotReceiveWithAnyArgs()
-            .CreateAsync(default, default);

        // Upserted existing user
        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1)
            .UpsertManyAsync(Arg.Is<IEnumerable<OrganizationUser>>(users => users.Count() == 1));

        // Created and invited new users
-        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1)
-            .CreateManyAsync(Arg.Is<IEnumerable<OrganizationUser>>(users => users.Count() == expectedNewUsersCount));
+        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(expectedNewUsersCount)
+            .CreateAsync(
+                Arg.Is<OrganizationUser>(user => user.Status == OrganizationUserStatusType.Invited
+                                                 && newUsers.Any(u => string.Equals(u.Email, user.Email, StringComparison.InvariantCultureIgnoreCase))),
+                Arg.Any<IEnumerable<CollectionAccessSelection>>());
        await sutProvider.GetDependency<IMailService>().Received(1)
            .BulkSendOrganizationInviteEmailAsync(org.Name,
            Arg.Is<IEnumerable<(OrganizationUser, ExpiringToken)>>(messages => messages.Count() == expectedNewUsersCount), org.PlanType == PlanType.Free);