bitwarden/server
1
0
Fork 0
mirror of https://github.com/bitwarden/server synced 2026-01-08 03:23:20 +00:00
Code Issues Releases Wiki Activity
Files
edb74add5040c7b848e85170c75692653e2b0518
server/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommand.cs
Rui Tomé edb74add50 [PM-14243] Free organization limit is not enforced when editing user (#5155) 
* Enforce free organization limit when updating user

* Add test for throwing error on accepting admin user joining multiple free organizations

* Add test for throwing BadRequest when free organization admin attempts to sign up for another free organization

* Fix user ID handling in UpdateOrganizationUserCommand for free organizations

* Rename parameter 'user' to 'organizationUser' in UpdateUserAsync method for clarity
2025-01-21 10:15:02 +00:00

189 lines
8.5 KiB
C#
Raw Blame History

#nullable enable
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
using Bit.Core.AdminConsole.Repositories;
using Bit.Core.Billing.Enums;
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Models.Business;
using Bit.Core.Models.Data;
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
using Bit.Core.Repositories;
using Bit.Core.Services;
namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
{
private readonly IEventService _eventService;
private readonly IOrganizationService _organizationService;
private readonly IOrganizationRepository _organizationRepository;
private readonly IOrganizationUserRepository _organizationUserRepository;
private readonly ICountNewSmSeatsRequiredQuery _countNewSmSeatsRequiredQuery;
private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
private readonly ICollectionRepository _collectionRepository;
private readonly IGroupRepository _groupRepository;
private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
public UpdateOrganizationUserCommand(
IEventService eventService,
IOrganizationService organizationService,
IOrganizationRepository organizationRepository,
IOrganizationUserRepository organizationUserRepository,
ICountNewSmSeatsRequiredQuery countNewSmSeatsRequiredQuery,
IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
ICollectionRepository collectionRepository,
IGroupRepository groupRepository,
IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery)
{
_eventService = eventService;
_organizationService = organizationService;
_organizationRepository = organizationRepository;
_organizationUserRepository = organizationUserRepository;
_countNewSmSeatsRequiredQuery = countNewSmSeatsRequiredQuery;
_updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
_collectionRepository = collectionRepository;
_groupRepository = groupRepository;
_hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
}
/// <summary>
/// Update an organization user.
/// </summary>
/// <param name="organizationUser">The modified organization user to save.</param>
/// <param name="savingUserId">The userId of the currently logged in user who is making the change.</param>
/// <param name="collectionAccess">The user's updated collection access. If set to null, this removes all collection access.</param>
/// <param name="groupAccess">The user's updated group access. If set to null, groups are not updated.</param>
/// <exception cref="BadRequestException"></exception>
public async Task UpdateUserAsync(OrganizationUser organizationUser, Guid? savingUserId,
List<CollectionAccessSelection>? collectionAccess, IEnumerable<Guid>? groupAccess)
{
// Avoid multiple enumeration
collectionAccess = collectionAccess?.ToList();
groupAccess = groupAccess?.ToList();
if (organizationUser.Id.Equals(default(Guid)))
{
throw new BadRequestException("Invite the user first.");
}
var originalOrganizationUser = await _organizationUserRepository.GetByIdAsync(organizationUser.Id);
if (originalOrganizationUser == null || organizationUser.OrganizationId != originalOrganizationUser.OrganizationId)
{
throw new NotFoundException();
}
var organization = await _organizationRepository.GetByIdAsync(organizationUser.OrganizationId);
if (organization == null)
{
throw new NotFoundException();
}
if (organizationUser.UserId.HasValue && organization.PlanType == PlanType.Free && organizationUser.Type is OrganizationUserType.Admin or OrganizationUserType.Owner)
{
// Since free organizations only supports a few users there is not much point in avoiding N+1 queries for this.
var adminCount = await _organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(organizationUser.UserId.Value);
if (adminCount > 0)
{
throw new BadRequestException("User can only be an admin of one free organization.");
}
}
if (collectionAccess?.Any() == true)
{
await ValidateCollectionAccessAsync(originalOrganizationUser, collectionAccess.ToList());
}
if (groupAccess?.Any() == true)
{
await ValidateGroupAccessAsync(originalOrganizationUser, groupAccess.ToList());
}
if (savingUserId.HasValue)
{
await _organizationService.ValidateOrganizationUserUpdatePermissions(organizationUser.OrganizationId, organizationUser.Type, originalOrganizationUser.Type, organizationUser.GetPermissions());
}
await _organizationService.ValidateOrganizationCustomPermissionsEnabledAsync(organizationUser.OrganizationId, organizationUser.Type);
if (organizationUser.Type != OrganizationUserType.Owner &&
!await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(organizationUser.OrganizationId, new[] { organizationUser.Id }))
{
throw new BadRequestException("Organization must have at least one confirmed owner.");
}
if (collectionAccess?.Count > 0)
{
var invalidAssociations = collectionAccess.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
if (invalidAssociations.Any())
{
throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
}
}
// Only autoscale (if required) after all validation has passed so that we know it's a valid request before
// updating Stripe
if (!originalOrganizationUser.AccessSecretsManager && organizationUser.AccessSecretsManager)
{
var additionalSmSeatsRequired = await _countNewSmSeatsRequiredQuery.CountNewSmSeatsRequiredAsync(organizationUser.OrganizationId, 1);
if (additionalSmSeatsRequired > 0)
{
var update = new SecretsManagerSubscriptionUpdate(organization, true)
.AdjustSeats(additionalSmSeatsRequired);
await _updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(update);
}
}
await _organizationUserRepository.ReplaceAsync(organizationUser, collectionAccess);
if (groupAccess != null)
{
await _organizationUserRepository.UpdateGroupsAsync(organizationUser.Id, groupAccess);
}
await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Updated);
}
private async Task ValidateCollectionAccessAsync(OrganizationUser originalUser,
ICollection<CollectionAccessSelection> collectionAccess)
{
var collections = await _collectionRepository
.GetManyByManyIdsAsync(collectionAccess.Select(c => c.Id));
var collectionIds = collections.Select(c => c.Id);
var missingCollection = collectionAccess
.FirstOrDefault(cas => !collectionIds.Contains(cas.Id));
if (missingCollection != default)
{
throw new NotFoundException();
}
var invalidCollection = collections.FirstOrDefault(c => c.OrganizationId != originalUser.OrganizationId);
if (invalidCollection != default)
{
// Use generic error message to avoid enumeration
throw new NotFoundException();
}
}
private async Task ValidateGroupAccessAsync(OrganizationUser originalUser,
ICollection<Guid> groupAccess)
{
var groups = await _groupRepository.GetManyByManyIds(groupAccess);
var groupIds = groups.Select(g => g.Id);
var missingGroupId = groupAccess.FirstOrDefault(gId => !groupIds.Contains(gId));
if (missingGroupId != default)
{
throw new NotFoundException();
}
var invalidGroup = groups.FirstOrDefault(g => g.OrganizationId != originalUser.OrganizationId);
if (invalidGroup != default)
{
// Use generic error message to avoid enumeration
throw new NotFoundException();
}
}
}
Reference in New Issue View Git Blame Copy Permalink