Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2024-11-21 12:05:42 +01:00
Code Issues Projects Releases Wiki Activity

[EC-152] Hide Subscription/Billing information for Provider-managed organizations (#1970)

Browse Source 
* Block billing endpoints if org is managed by Provider
This commit is contained in:
Thomas Rittson 2022-05-10 12:19:22 +10:00 committed by GitHub
parent 06c9b123f9
commit 227b725514
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 38 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
src/Api/Controllers/OrganizationsController.cs
View File

@ -83,7 +83,7 @@ namespace Bit.Api.Controllers
public async Task<BillingResponseModel> GetBilling(string id) public async Task<BillingResponseModel> GetBilling(string id)
{ {
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid)) if (!await _currentContext.ManageBilling(orgIdGuid))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -102,7 +102,7 @@ namespace Bit.Api.Controllers
public async Task<OrganizationSubscriptionResponseModel> GetSubscription(string id) public async Task<OrganizationSubscriptionResponseModel> GetSubscription(string id)
{ {
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid)) if (!await _currentContext.ManageBilling(orgIdGuid))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -230,10 +230,6 @@ namespace Bit.Api.Controllers
public async Task<OrganizationResponseModel> Put(string id, [FromBody] OrganizationUpdateRequestModel model) public async Task<OrganizationResponseModel> Put(string id, [FromBody] OrganizationUpdateRequestModel model)
{ {
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
{
throw new NotFoundException();
}
var organization = await _organizationRepository.GetByIdAsync(orgIdGuid); var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
if (organization == null) if (organization == null)
@ -241,10 +237,19 @@ namespace Bit.Api.Controllers
throw new NotFoundException(); throw new NotFoundException();
} }
var updatebilling = !_globalSettings.SelfHosted && (model.BusinessName != organization.BusinessName || var updateBilling = !_globalSettings.SelfHosted && (model.BusinessName != organization.BusinessName ||
model.BillingEmail != organization.BillingEmail); model.BillingEmail != organization.BillingEmail);
await _organizationService.UpdateAsync(model.ToOrganization(organization, _globalSettings), updatebilling); var hasRequiredPermissions = updateBilling
? await _currentContext.ManageBilling(orgIdGuid)
: await _currentContext.OrganizationOwner(orgIdGuid);
if (!hasRequiredPermissions)
{
throw new NotFoundException();
}
await _organizationService.UpdateAsync(model.ToOrganization(organization, _globalSettings), updateBilling);
return new OrganizationResponseModel(organization); return new OrganizationResponseModel(organization);
} }
@ -253,7 +258,7 @@ namespace Bit.Api.Controllers
public async Task PostPayment(string id, [FromBody] PaymentRequestModel model) public async Task PostPayment(string id, [FromBody] PaymentRequestModel model)
{ {
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid)) if (!await _currentContext.ManageBilling(orgIdGuid))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -276,7 +281,7 @@ namespace Bit.Api.Controllers
public async Task<PaymentResponseModel> PostUpgrade(string id, [FromBody] OrganizationUpgradeRequestModel model) public async Task<PaymentResponseModel> PostUpgrade(string id, [FromBody] OrganizationUpgradeRequestModel model)
{ {
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid)) if (!await _currentContext.ManageBilling(orgIdGuid))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -294,7 +299,7 @@ namespace Bit.Api.Controllers
public async Task PostSubscription(string id, [FromBody] OrganizationSubscriptionUpdateRequestModel model) public async Task PostSubscription(string id, [FromBody] OrganizationSubscriptionUpdateRequestModel model)
{ {
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid)) if (!await _currentContext.ManageBilling(orgIdGuid))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -307,7 +312,7 @@ namespace Bit.Api.Controllers
public async Task<PaymentResponseModel> PostSeat(string id, [FromBody] OrganizationSeatRequestModel model) public async Task<PaymentResponseModel> PostSeat(string id, [FromBody] OrganizationSeatRequestModel model)
{ {
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid)) if (!await _currentContext.ManageBilling(orgIdGuid))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -325,7 +330,7 @@ namespace Bit.Api.Controllers
public async Task<PaymentResponseModel> PostStorage(string id, [FromBody] StorageRequestModel model) public async Task<PaymentResponseModel> PostStorage(string id, [FromBody] StorageRequestModel model)
{ {
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid)) if (!await _currentContext.ManageBilling(orgIdGuid))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -343,7 +348,7 @@ namespace Bit.Api.Controllers
public async Task PostVerifyBank(string id, [FromBody] OrganizationVerifyBankRequestModel model) public async Task PostVerifyBank(string id, [FromBody] OrganizationVerifyBankRequestModel model)
{ {
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid)) if (!await _currentContext.ManageBilling(orgIdGuid))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -356,7 +361,7 @@ namespace Bit.Api.Controllers
public async Task PostCancel(string id) public async Task PostCancel(string id)
{ {
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid)) if (!await _currentContext.ManageBilling(orgIdGuid))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -369,7 +374,7 @@ namespace Bit.Api.Controllers
public async Task PostReinstate(string id) public async Task PostReinstate(string id)
{ {
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid)) if (!await _currentContext.ManageBilling(orgIdGuid))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }

16
src/Core/Context/CurrentContext.cs
View File

@ -261,7 +261,7 @@ namespace Bit.Core.Context
if (Providers.Any()) if (Providers.Any())
{ {
return (await GetProviderOrganizations()).Any(po => po.OrganizationId == orgId); return await ProviderUserForOrgAsync(orgId);
} }
return false; return false;
@ -360,6 +360,15 @@ namespace Bit.Core.Context
&& (o.Permissions?.ManageResetPassword ?? false)) ?? false); && (o.Permissions?.ManageResetPassword ?? false)) ?? false);
} }
public async Task<bool> ManageBilling(Guid orgId)
{
var orgManagedByProvider = ProviderIdForOrg(orgId) != null;
return orgManagedByProvider
? await ProviderUserForOrgAsync(orgId)
: await OrganizationOwner(orgId);
}
public bool ProviderProviderAdmin(Guid providerId) public bool ProviderProviderAdmin(Guid providerId)
{ {
return Providers?.Any(o => o.Id == providerId && o.Type == ProviderUserType.ProviderAdmin) ?? false; return Providers?.Any(o => o.Id == providerId && o.Type == ProviderUserType.ProviderAdmin) ?? false;
@ -390,6 +399,11 @@ namespace Bit.Core.Context
return Providers?.Any(o => o.Id == providerId) ?? false; return Providers?.Any(o => o.Id == providerId) ?? false;
} }
public async Task<bool> ProviderUserForOrgAsync(Guid orgId)
{
return (await GetProviderOrganizations()).Any(po => po.OrganizationId == orgId);
}
public async Task<Guid?> ProviderIdForOrg(Guid orgId) public async Task<Guid?> ProviderIdForOrg(Guid orgId)
{ {
if (Organizations?.Any(org => org.Id == orgId) ?? false) if (Organizations?.Any(org => org.Id == orgId) ?? false)

2
src/Core/Context/ICurrentContext.cs
View File

@ -51,6 +51,8 @@ namespace Bit.Core.Context
Task<bool> ManageSso(Guid orgId); Task<bool> ManageSso(Guid orgId);
Task<bool> ManageUsers(Guid orgId); Task<bool> ManageUsers(Guid orgId);
Task<bool> ManageResetPassword(Guid orgId); Task<bool> ManageResetPassword(Guid orgId);
Task<bool> ManageBilling(Guid orgId);
Task<bool> ProviderUserForOrgAsync(Guid orgId);
bool ProviderProviderAdmin(Guid providerId); bool ProviderProviderAdmin(Guid providerId);
bool ProviderUser(Guid providerId); bool ProviderUser(Guid providerId);
bool ProviderManageUsers(Guid providerId); bool ProviderManageUsers(Guid providerId);