only owners can manage owners

2024-11-22 12:15:36 +01:00 · 2017-09-27 22:37:13 -04:00 · 2017-09-27 22:37:13 -04:00 · 2444346ea9
commit 2444346ea9
parent c135a2a166
2 changed files with 32 additions and 1 deletions
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@ -174,6 +174,11 @@ namespace Bit.Api.Controllers
                throw new NotFoundException();
            }

+            if(organizationUser.Type == Core.Enums.OrganizationUserType.Owner && !_currentContext.OrganizationOwner(orgGuidId))
+            {
+                throw new BadRequestException("Only owners can update other owners.");
+            }
+
            await _organizationUserRepository.UpdateGroupsAsync(organizationUser.Id, model.GroupIds.Select(g => new Guid(g)));
        }

--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@ -809,6 +809,15 @@ namespace Bit.Core.Services
                throw new NotFoundException();
            }

+            if(type == OrganizationUserType.Owner)
+            {
+                var invitingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(invitingUserId);
+                if(!invitingUserOrgs.Any(u => u.OrganizationId == organizationId && u.Type == OrganizationUserType.Owner))
+                {
+                    throw new BadRequestException("Only owners can invite new owners.");
+                }
+            }
+
            if(organization.Seats.HasValue)
            {
                var userCount = await _organizationUserRepository.GetCountByOrganizationIdAsync(organizationId);
@ -995,13 +1004,21 @@ namespace Bit.Core.Services
                throw new BadRequestException("Invite the user first.");
            }

+            if(user.Type == OrganizationUserType.Owner)
+            {
+                var savingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(savingUserId);
+                if(!savingUserOrgs.Any(u => u.OrganizationId == user.OrganizationId && u.Type == OrganizationUserType.Owner))
+                {
+                    throw new BadRequestException("Only owners can update other owners.");
+                }
+            }
+
            var confirmedOwners = (await GetConfirmedOwnersAsync(user.OrganizationId)).ToList();
            if(user.Type != OrganizationUserType.Owner && confirmedOwners.Count == 1 && confirmedOwners[0].Id == user.Id)
            {
                throw new BadRequestException("Organization must have at least one confirmed owner.");
            }

-
            if(user.AccessAll)
            {
                // We don't need any collections if we're flagged to have all access.
@ -1023,6 +1040,15 @@ namespace Bit.Core.Services
                throw new BadRequestException("You cannot remove yourself.");
            }

+            if(orgUser.Type == OrganizationUserType.Owner)
+            {
+                var deletingUserOrgs = await _organizationUserRepository.GetManyByUserAsync(deletingUserId);
+                if(!deletingUserOrgs.Any(u => u.OrganizationId == organizationId && u.Type == OrganizationUserType.Owner))
+                {
+                    throw new BadRequestException("Only owners can delete other owners.");
+                }
+            }
+
            var confirmedOwners = (await GetConfirmedOwnersAsync(organizationId)).ToList();
            if(confirmedOwners.Count == 1 && confirmedOwners[0].Id == organizationUserId)
            {